Nicolas Bock
2017-May-08 15:30 UTC
Re: [libvirt-users] nwfilter and address of network ip address
On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote:
>On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote:
>> On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote:
>>
>> > Hi,
>> >
>> > I am running a webserver on the libvirt host and would like to add a
>> > nwfilter such that a VM can access that server. The corresponding iptables
>> > rule would look like this:
>> >
>> > iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1
>> > --protocol tcp --dport 80 --jump ACCEPT
>> >
>> > where the network is using virbr0 and sits at 192.168.122.1. I don't want
>> > to hardcode the host IP address in the nwfilter so that I can use that
>> > filter for other networks. Is it possible to reference the host's IP
>> > address in the filter?
>
>There is a pre-defined parameter for the VM's own IP address:
>
> http://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection
>
>but we don't have anything for the host's IP address. We could fairly
>easily add it though I reckon - eg provide a HOST_IP parameter.

Thanks Daniel.

>Regards,
>Daniel
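As an added illustration (not part of the thread, and not libvirt's own example), the question above can be met today without a built-in host-address parameter: libvirt nwfilter lets a `<filterref>` pass user-defined variables into a filter, so the host address can be supplied per network while the filter itself stays generic. The filter name `allow-host-web`, the variable name `HOST_IP`, the network name `default` and the address `192.168.122.1` (taken from the question) are assumptions; `$IP` is libvirt's built-in, auto-detected address of the VM. The explicit return-traffic rule is included so the example does not rely on connection-tracking defaults.

```xml
<!-- allow-host-web.xml: constructed example filter, not from the thread.
     $HOST_IP is a user-defined variable supplied by each <filterref>, so no
     host address is hardcoded here and the filter can be reused per network. -->
<filter name='allow-host-web'>
  <!-- VM -> host web server: only from the VM's own address ($IP, built-in),
       only to the supplied host address, only to TCP port 80. -->
  <rule action='accept' direction='out' priority='500'>
    <tcp srcipaddr='$IP' dstipaddr='$HOST_IP' dstportstart='80'/>
  </rule>
  <!-- host -> VM: replies from the web server back to the VM. -->
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='$HOST_IP' srcportstart='80' dstipaddr='$IP'/>
  </rule>
  <!-- Anything else the VM sends to the host address is dropped, so the
       VM reaches the host only on port 80. Lower priority runs later. -->
  <rule action='drop' direction='out' priority='600'>
    <ip dstipaddr='$HOST_IP'/>
  </rule>
</filter>

<!-- Domain-side snippet (assumed network 'default'): the same filter is
     attached to each VM interface with that network's host address as the
     HOST_IP parameter, which is how the filter stays network-independent. -->
<interface type='network'>
  <source network='default'/>
  <filterref filter='allow-host-web'>
    <parameter name='HOST_IP' value='192.168.122.1'/>
  </filterref>
</interface>
```

The filter is loaded with `virsh nwfilter-define allow-host-web.xml` and the `<filterref>` added through `virsh edit` on the domain; for a VM on another network, only the `value` of the `HOST_IP` parameter changes. Note the difference in enforcement point from the iptables rule in the question: nwfilter rules are attached to the VM's interface and restrict what the guest may send, whereas the `INPUT` rule is the host's own policy for accepting that traffic, so the host still needs to permit port 80 from `virbr0` for the connection to succeed.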
Daniel P. Berrange
2017-May-08 15:57 UTC
Re: [libvirt-users] nwfilter and address of network ip address
On Mon, May 08, 2017 at 11:30:46AM -0400, Nicolas Bock wrote:
> On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote:
> > On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote:
> > > On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I am running a webserver on the libvirt host and would like to add a
> > > > nwfilter such that a VM can access that server. The corresponding iptables
> > > > rule would look like this:
> > > >
> > > > iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1
> > > > --protocol tcp --dport 80 --jump ACCEPT
> > > >
> > > > where the network is using virbr0 and sits at 192.168.122.1. I don't want
> > > > to hardcode the host IP address in the nwfilter so that I can use that
> > > > filter for other networks. Is it possible to reference the host's IP
> > > > address in the filter?
> >
> > There is a pre-defined parameter for the VM's own IP address:
> >
> > http://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection
> >
> > but we don't have anything for the host's IP address. We could fairly
> > easily add it though I reckon - eg provide a HOST_IP parameter.
>
> Thanks Daniel.

BTW, please don't misinterpret this to mean I'm going to actually implement
this myself. I mostly meant a) file an RFE bug report against libvirt's
upstream bug tracker b) if you feel motivated to look at it, you could
try writing a patch for libvirt and submit it :-)

Regards,
Daniel

--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Nicolas Bock
2017-May-08 16:39 UTC
Re: [libvirt-users] nwfilter and address of network ip address
On Mon, May 08, 2017 at 04:57:58PM +0100, Daniel P. Berrange wrote:
>On Mon, May 08, 2017 at 11:30:46AM -0400, Nicolas Bock wrote:
>> On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote:
>> > On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote:
>> > > On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I am running a webserver on the libvirt host and would like to add a
>> > > > nwfilter such that a VM can access that server. The corresponding iptables
>> > > > rule would look like this:
>> > > >
>> > > > iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1
>> > > > --protocol tcp --dport 80 --jump ACCEPT
>> > > >
>> > > > where the network is using virbr0 and sits at 192.168.122.1. I don't want
>> > > > to hardcode the host IP address in the nwfilter so that I can use that
>> > > > filter for other networks. Is it possible to reference the host's IP
>> > > > address in the filter?
>> >
>> > There is a pre-defined parameter for the VM's own IP address:
>> >
>> > http://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection
>> >
>> > but we don't have anything for the host's IP address. We could fairly
>> > easily add it though I reckon - eg provide a HOST_IP parameter.
>>
>> Thanks Daniel.
>
>BTW, please don't misinterpret this to mean I'm going to actually implement
>this myself. I mostly meant a) file an RFE bug report against libvirt's
>upstream bug tracker b) if you feel motivated to look at it, you could
>try writing a patch for libvirt and submit it :-)

No, I hadn't interpreted your statement like you were going to implement it :)

I'll file a bug. And I'll have a look at the code.

Thanks,

Nick

>Regards,
>Daniel
Nicolas Bock
2017-May-08 16:50 UTC
Re: [libvirt-users] nwfilter and address of network ip address
On Mon, May 08, 2017 at 04:57:58PM +0100, Daniel P. Berrange wrote:
>On Mon, May 08, 2017 at 11:30:46AM -0400, Nicolas Bock wrote:
>> On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote:
>> > On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote:
>> > > On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I am running a webserver on the libvirt host and would like to add a
>> > > > nwfilter such that a VM can access that server. The corresponding iptables
>> > > > rule would look like this:
>> > > >
>> > > > iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1
>> > > > --protocol tcp --dport 80 --jump ACCEPT
>> > > >
>> > > > where the network is using virbr0 and sits at 192.168.122.1. I don't want
>> > > > to hardcode the host IP address in the nwfilter so that I can use that
>> > > > filter for other networks. Is it possible to reference the host's IP
>> > > > address in the filter?
>> >
>> > There is a pre-defined parameter for the VM's own IP address:
>> >
>> > http://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection
>> >
>> > but we don't have anything for the host's IP address. We could fairly
>> > easily add it though I reckon - eg provide a HOST_IP parameter.
>>
>> Thanks Daniel.
>
>BTW, please don't misinterpret this to mean I'm going to actually implement
>this myself. I mostly meant a) file an RFE bug report against libvirt's
>upstream bug tracker b) if you feel motivated to look at it, you could
>try writing a patch for libvirt and submit it :-)

https://bugzilla.redhat.com/show_bug.cgi?id=1448926

>Regards,
>Daniel