search for: filterref

Displaying 20 results from an estimated 77 matches for "filterref".

2018 Jun 28
4
East-west traffic network filter
...]. Is there a way to achieve the same behavior with reference to clean-traffic? Thank you. Best wishes, Ales Musil [1] <filter name='clean-traffic-gateway'> <!-- An example of a traffic filter enforcing clean traffic from a VM by - preventing MAC spoofing --> <filterref filter='no-mac-spoofing'/> <!-- preventing IP spoofing on outgoing --> <filterref filter='no-ip-spoofing'/> <!-- preventing ARP spoofing/poisoning --> <filterref filter='no-arp-spoofing'/> <!-- accept all other incoming and outgoing ARP traff...
2012 Nov 07
1
Problems when filtering on icmpv6
...ailure to execute command '$IPT -A libvirt-out -m physdev -- physdev-out vnet0 -g FP-vnet0' : 'ip6tables: No chain/target/match by that name.'. I am (trying to) use this filter by including it in here: <filter name='clean-traffic-with-v6' chain='root'> <filterref filter='no-mac-spoofing'/> <filterref filter='no-ip-spoofing'/> <filterref filter='no-dhcp-server'/> <rule action='accept' direction='out' priority='-650'> <mac protocolid='ipv4'/> </rule> <fil...
2018 Jul 02
1
Re: East-west traffic network filter
...of MAC one e.g [2]. Have not tested it myself but it should work fine. Hopefully this helps. Regards, Ales. [1] <filter name='clean-traffic-ip-gateway'> <!-- An example of a traffic filter enforcing clean traffic from a VM by - preventing MAC spoofing --> <filterref filter='no-mac-spoofing'/> <!-- preventing IP spoofing on outgoing --> <filterref filter='no-ip-spoofing'/> <!-- preventing ARP spoofing/poisoning --> <filterref filter='no-arp-spoofing'/> <!-- accept all other incoming and outgoing ARP traf...
2014 Jan 15
2
How to update filterref of a vm on the fly?
Hello, I defined a vm with filterref like: <filterref filter='clean-traffic'> <parameter name='IP' value='192.168.1.161'/> </filterref> and now I need to add another IP parameter for this vm, is there any way to achieve this? Thanks.
2013 Nov 19
2
macvtap direct and ip spoofing
Hi there. I have configured kvm domain (rhel6.4) with ethernet bridged over macvtap, and found no filtration applied except mac. 'virsh' is just silently ignoring attributes 'filterref' and 'ip address' in different formats. No error on validate stage. Config examples: ... <interface type='direct'> <mac address='52:54:00:31:ae:1a'/> <source dev='em1' mode='private'/> <filterref filter='clean-tr...
2014 May 26
2
nwfilter usage
...ASSIFY,xt_AUDIT,ipt_LOG,xt_tcpudp,xt_state,iptable_nat,iptable_mangle,iptable_filter,ip_tables Guest network using bridge: <interface type='bridge'> <mac address='00:11:22:33:44:55'/> <source bridge='brdg'/> <model type='virtio'/> <filterref filter='outbound-only'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> </interface> <filter name='outbound-only' chain='root'> <uuid>0c834381-402c-faf3-019f-eb5a40ea6b61<...
2015 May 01
1
libvirt nwfilter
...ge of the filters, is it as simple as adding these couple of lines in a guest's xml file like the example from https://libvirt.org/formatnwfilter.html#nwfconcepts ? <devices> <interface type='bridge'> <mac address='00:16:3e:5d:c7:9e'/> <filterref filter='clean-traffic'> <parameter name='IP' value='10.0.0.1'/> </filterref> </interface> </devices> Can multiple filters be combined together like this? <filterref filter='clean-traffic' filter='no-ip-multi...
2014 Jan 15
0
Re: How to update filterref of a vm on the fly?
On Wed, Jan 15, 2014 at 10:55:55AM +0800, Gao Yongwei wrote: > Hello, > I defined a vm with filterref like: > <filterref filter='clean-traffic'> > <parameter name='IP' value='192.168.1.161'/> > </filterref> > and now I need to add another IP parameter for this vm, is there any way to > achieve this? No, I don't believe we have a way t...
2014 Jan 15
2
Re: How to update filterref of a vm on the fly?
> > No, I don't believe we have a way to update the parameters. > > Hi, Daniel :-), it would be very nice if there is a way to update filterref, :-) thanks.
2020 Jan 01
2
Passing multiple addresses with masks to nwfilter
...e> <rule action='drop' direction='out' priority='1000'/> </filter> The goal is to allow any traffic coming from the entire prefix (e.g. 2001:db8::/32). This theoretically would work fine when passing in the variables from the domain definition like so: <filterref filter='no-ipv6-spoofing'> <parameter name='IPV6' value='2001:db8:1:6:dc:d2ff:fef2:2181'/> <parameter name='IPV6_MASK' value='32'/> </filterref> But the problem comes when wanting to allow multiple prefixes (and thus multiple $IPV6 a...
2011 Dec 13
1
Libvirt filterref magic
Hi everyone, When I start a libvirt domain (on KVM) with network filtering (using filterref clean-traffic for example), the filter works! But ... I don't understand how/why it works :( Indeed when I look at ebtables -L iptables-save & arptables-save (and KVM command), I see no filtering rules (which is surprising because clean-traffic requires at least ebtables to be installed)....
2018 Dec 25
2
Network filters with clean-traffic not working on Debian Stretch
...installed Debian Stretch with libvirt, qemu and KVM. My config snippet looks as follows: sudo virsh edit <VM> [...] <interface type='bridge'> <mac address='52:54:00:0c:14:07'/> <source bridge='br0'/> <model type='virtio'/> <filterref filter='clean-traffic'> <parameter name='IP' value='10.10.1.2'/> </filterref> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> </interface> <interface type='bridge...
2013 Apr 23
1
Lack of ebtables rules when using nwfilters
...-00000168/disk.swap'/> <target dev='sdb' bus='scsi'/> </disk> <interface type='bridge'> <source bridge='br0'/> <mac address='fa:16:3e:1e:70:87'/> <filterref filter="nova-instance-instance-00000168-fa163e1e7087"> <parameter name="IP" value="10.255.0.114" /> <parameter name="DHCPSERVER" value="10.255.0.3" /> </filterref> </interfa...
2018 Jun 28
0
Re: East-west traffic network filter
...onestly I think the way you've done it is the right way. "clean-traffic" is best thought of as a simple demo. If it does what you need, great, but we'd expect people to create their own filters for anything more advanced. The clean-traffic rules were modularized so you can use <filterrefs> to avoid too much duplication. So what you've done looks fine to me. > [1] > <filter name='clean-traffic-gateway'> > <!-- An example of a traffic filter enforcing clean traffic > from a VM by > - preventing MAC spoofing --> > <filterr...
2014 May 28
3
Re: nwfilter usage
...le_filter,ip_tables >> >> >> Guest network using bridge: >> <interface type='bridge'> >> <mac address='00:11:22:33:44:55'/> >> <source bridge='brdg'/> >> <model type='virtio'/> >> <filterref filter='outbound-only'/> >> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' >> function='0x0'/> >> </interface> >> >> <filter name='outbound-only' chain='root'> >>...
2015 Mar 10
1
Issues with XML validation after upgrade to 1.2.12
...ows the issue): <domain type='kvm' id='65'> <name>XXXX</name> <uuid>b602b5f2-b9d7-43bd-a949-acc7eeeb9f8f</uuid> <memory unit='KiB'>1048576</memory> <devices> <interface type='bridge'> <filterref filter='myfilter'> <parameter name='CTRL_IP_LEARNING' value='none'/> <parameter name='DHCPSERVER' value='104.156.226.10'/> <parameter name='IP' value='104.207.129.11'/> <parameter nam...
2017 Jun 26
0
Accepting RELATED, ESTABLISHED (TCP) connections into VM using Network Filters
...current custom Python/Java code in the Apache CloudStack [0] project by Network Filters of Libvirt. Both IPv4 and IPv6 should work, but I started off with IPv4 and I have issues with accepting back RELATED,ESTABLISHED connections into the VM. In the guest's XML I have this defined: <filterref filter='nwfilter-test'> <parameter name='IP' value='192.168.200.250'/> <parameter name='IPV6' value='2001:db8:100:0:5054:ff:fe9c:6ce6'/> <parameter name='IPV6' value='fe80::5054:ff:fe9c:6ce6'/>...
2018 Jun 29
0
Re: East-west traffic network filter
...nce to > clean-traffic? > > Thank you. > Best wishes, > Ales Musil > > [1] > <filter name='clean-traffic-gateway'> > <!-- An example of a traffic filter enforcing clean traffic > from a VM by > - preventing MAC spoofing --> > <filterref filter='no-mac-spoofing'/> > > <!-- preventing IP spoofing on outgoing --> > <filterref filter='no-ip-spoofing'/> > <!-- preventing ARP spoofing/poisoning --> > <filterref filter='no-arp-spoofing'/> > <!-- accept all other in...
2013 Nov 19
0
Re: macvtap direct and ip spoofing
On 11/19/2013 11:00 AM, vlad halilov wrote: > Hi there. I have configured kvm domain (rhel6.4) with ethernet bridged > over macvtap, and found no filtration applied except mac. 'virsh' is just > silently ignoring attributes 'filterref' and 'ip address' in different > formats. No error on validate stage. Config examples: > > ... > <interface type='direct'> > <mac address='52:54:00:31:ae:1a'/> > <source dev='em1' mode='private'/> > &...
2014 May 26
0
Re: nwfilter usage
...tate,iptable_nat,iptable_mangle,iptable_filter,ip_tables > > Guest network using bridge: > <interface type='bridge'> > <mac address='00:11:22:33:44:55'/> > <source bridge='brdg'/> > <model type='virtio'/> > <filterref filter='outbound-only'/> > <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> > </interface> > > <filter name='outbound-only' chain='root'> > <uuid>0c834381-402c-...