search for: nwfilter

On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote: > On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >> I'm trying to determine if it's possible to edit/attach/apply nwfilter >> rules >> at runtime? I.e., after a VM is already running, can I apply a >> nwfilter to >> the VM and have it work without rebooting the machine? Thus far, I've >> not >> come across a way to do so, but I thought I'd ask here before I chase >&g...

Hi, i want to disable the nwfilter functionality of libvirt. It's surely nice for some people, nevertheless i don't want libvirt to alter any netfilter rules, neither i want the according functionality even available. I know about nwfilter-undefine, but what i'm looking for is an option to globally disable this functi...

On 03/30/2018 04:29 PM, Andre Goree wrote: > On 2018/02/16 12:12 pm, Daniel P. Berrang? wrote: >> On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >>> I'm trying to determine if it's possible to edit/attach/apply >>> nwfilter rules >>> at runtime?? I.e., after a VM is already running, can I apply a >>> nwfilter to >>> the VM and have it work without rebooting the machine?? Thus far, >>> I've not >>> come across a way to do so, but I thought I'd ask here before I chase...

I'm trying to determine if it's possible to edit/attach/apply nwfilter rules at runtime? I.e., after a VM is already running, can I apply a nwfilter to the VM and have it work without rebooting the machine? Thus far, I've not come across a way to do so, but I thought I'd ask here before I chase my tail around Google. Thanks! -- Andre Goree -=-=-=-=-=-...

Hello! I just spent the last four days working with nwfilters only to decide that they are apparently unusable. I've come to the mailing list seeking input on this subject. First off, please forgive my offensiveness. I'm sure people worked hard on nwfilters and it looks like a lot of effort went into providing this functionality. This is also an...

...it may help somebody from future when searching for solution to the same problem] On 5/6/19 6:08 PM, nakata@geekpit.org wrote: > Am 2019-05-06 16:26, schrieb Michal Privoznik: >> On 5/6/19 3:44 PM, nakata@geekpit.org wrote: >>> Hi, >>> >>> i want to disable the nwfilter functionality of libvirt. >>> It's surely nice for some people, nevertheless i don't want libvirt >>> to alter any netfilter rules, neither i want the according >>> functionality even available. >> >> It's not only NWFilter that will inject firew...

On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote: > On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >> I'm trying to determine if it's possible to edit/attach/apply nwfilter >> rules >> at runtime? I.e., after a VM is already running, can I apply a >> nwfilter to >> the VM and have it work without rebooting the machine? Thus far, I've >> not >> come across a way to do so, but I thought I'd ask here before I chase >&g...

On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: > Hi, > > I am running a webserver on the libvirt host and would like to add a > nwfilter such that a VM can access that server. The corresponding iptables > rule would look like this: > > iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1 > --protocol tcp --dport 80 --jump ACCEPT > > where the network is using virbr0 and sits at 192.168.122.1. I...

...s experience, I know that the above steps worked fine. However, now on CentOS 7.5, I am seeing the dependency resolution failing. $ yum install libvirt libvirt-daemon-xen [ ... ] Error: Package: libvirt-daemon-xen-3.2.1-402.el7.x86_64 (centos-virt-xen-46) Requires: libvirt-daemon-driver-nwfilter = 3.2.1-402.el7 Available: libvirt-daemon-driver-nwfilter-3.2.1-402.el7.x86_64 (centos-virt-xen-46) libvirt-daemon-driver-nwfilter = 3.2.1-402.el7 Available: libvirt-daemon-driver-nwfilter-3.9.0-14.el7.x86_64 (base) libvirt-daemon-driver-nwfilter...

...7/2014 02:46 AM, Brian Rak wrote: > Make sure you have: > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1 That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the bridge, not to the bridge itself. > > On 5/26/2014 1:35 PM, Matt LaPlante wrote: >> I'm trying to accomplish what I had hoped would be a fairly simple >> filtering of traffic to my VMs, but I'm...

...e some iptables rules defined to restrict guest traffic. If I restart the hosts firewall 'service iptables restart', all the guest-specific rules get blown away. Is there a way to reapply all the guest firewall rules, without restarting each individual guest? It looks like if I edit a nwfilter with `virsh nwfilter-edit` it goes and reapplies the rules to all the guests, so this functionality seems to be present already.

...quot; /> </filterref> </interface> <console type='pty'/> <graphics type='vnc' port='-1' autoport='yes' keymap='en-us' listen='127.0.0.1'/> </devices> </domain> # virsh nwfilter-dumpxml nova-instance-instance-00000168-fa163e1e7087 <filter name='nova-instance-instance-00000168-fa163e1e7087' chain='root'> <uuid>b6475525-5901-aeab-4ed0-dc0d7b545aea</uuid> <filterref filter='nova-base'/> </filter> # virsh nwfilter-dump...

I'm trying to apply a nwfilter rule for two networks on the same guest interface, like so: ~ # virsh nwfilter-dumpxml 1081532-private-both <filter name='1081532-private-both' chain='root'> <uuid>16004b94-2b62-4568-9467-169908eb4040</uuid> <rule action='accept' direction='i...

...rrange wrote: >On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote: >> On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: >> >> > Hi, >> > >> > I am running a webserver on the libvirt host and would like to add a >> > nwfilter such that a VM can access that server. The corresponding iptables >> > rule would look like this: >> > >> > iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1 >> > --protocol tcp --dport 80 --jump ACCEPT >> > >> > where th...

On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: > I'm trying to determine if it's possible to edit/attach/apply nwfilter rules > at runtime? I.e., after a VM is already running, can I apply a nwfilter to > the VM and have it work without rebooting the machine? Thus far, I've not > come across a way to do so, but I thought I'd ask here before I chase my > tail around Google. Simply re-define the...

...ase) ?????????????? libvirt-daemon = 4.5.0-10.el7 ?????????? Available: libvirt-daemon-4.5.0-10.el7_6.2.x86_64 (updates) ?????????????? libvirt-daemon = 4.5.0-10.el7_6.2 Error: Package: libvirt-daemon-xen-4.1.0-2.xen48.el7.x86_64 (@centos-virt-xen-48) ?????????? Requires: libvirt-daemon-driver-nwfilter = 4.1.0-2.xen48.el7 ?????????? Removing: libvirt-daemon-driver-nwfilter-4.1.0-2.xen48.el7.x86_64 (@centos-virt-xen-48) ?????????????? libvirt-daemon-driver-nwfilter = 4.1.0-2.xen48.el7 ?????????? Updated By: libvirt-daemon-driver-nwfilter-4.5.0-10.el7_6.3.x86_64 (updates) ?????????????? libv...

Hi, I contact you as i have difficulties to use nwfilter with KVM host. I want to implemente flow filtering between my Linux guests. I created the following filter : cat admin-dmz-internet.xml <filter name='admin-dmz-internet'> <!-- this zone is an SSH ingoing only zone --> <!-- but SSH can go to an other SSH pro...

...wrote: >> Make sure you have: >> >> /proc/sys/net/bridge/bridge-nf-call-iptables = 1 > That doesn't make sense. bridge-nf-call-iptables controls whether or not > traffic going across a Linux host bridge device will be sent through > iptables, but the rules created by nwfilter are applied to the "vnetX" > tap devices that connect the guest to the bridge, not to the bridge itself. It may not make sense to you, but that is what's necessary for nwfilter to work. You can even look at the code: http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/nwfilter/nw...

To take advantage of the filters, is it as simple as adding these couple of lines in a guest's xml file like the example from https://libvirt.org/formatnwfilter.html#nwfconcepts ? <devices> <interface type='bridge'> <mac address='00:16:3e:5d:c7:9e'/> <filterref filter='clean-traffic'> <parameter name='IP' value='10.0.0.1'/> </filterref> <...

Hi All, I have two kvm guests running with a bridged configuration bound separately to br0 and br1 on my Fedora 15 host. I'm attempting to create some nwfilter rules on br1 and am running into a bunch of problems that have me scratching my head. libvirt version: 0.8.8-7 What I've noticed on the second host is as follows: - Most all nwfilter rules that I create for the host on br1 don't work as I would expect. If I create a rule for TCP dest po...