search for: srcipaddr

Displaying 13 results from an estimated 13 matches for "srcipaddr".

2012 Nov 07
1
NWFilter and IPv6
...ne from router-advertisements. For writing filter rules, it would be nice to have some function/notation to calculate those auto-configured addresses for the user, so we can write something like this: <rule action='return' direction='out' priority='500'> <ipv6 srcipaddr='ipv6_autoconf($IPV6_PREFIX[@1], $IPV6_MASK[@1], $MAC)'/> </rule> <rule action='return' direction='out' priority='500'> <ipv6 srcipaddr='$IPV6'/> </rule> <rule action='drop' direction='out' priority='1000...
2020 Jan 01
2
Passing multiple addresses with masks to nwfilter
...lter that I'm using to ensure that libvirt domains can't spoof IPv6 traffic. It looks like this: <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'> <rule action='return' direction='out' priority='500'> <ipv6 srcipaddr='$IPV6' srcipmask='$IPV6MASK'/> </rule> <rule action='drop' direction='out' priority='1000'/> </filter> The goal is to allow any traffic coming from the entire prefix (e.g. 2001:db8::/32). This theoretically would work fine when pass...
2018 Mar 29
1
nwfilter multiple IPs
...rface, like so: ~ # virsh nwfilter-dumpxml 1081532-private-both <filter name='1081532-private-both' chain='root'> <uuid>16004b94-2b62-4568-9467-169908eb4040</uuid> <rule action='accept' direction='in' priority='500'> <ip srcipaddr='10.25.104.0' srcipmask='24'/> </rule> <rule action='accept' direction='in' priority='600'> <ip srcipaddr='10.117.50.0' srcipmask='24'/> </rule> <rule action='drop' direction='in'...
2020 Jan 01
0
Re: Passing multiple addresses with masks to nwfilter
...filtering-Usage_of_variables_in_filters, it sounds like the preferred approach is to use something like: <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'> <rule action='return' direction='out' priority='500'> <ipv6 srcipaddr='$IPV6[@1]' srcipmask='$IPV6_MASK[@1]'/> </rule> <rule action='drop' direction='out' priority='1000'/> </filter> The documentation reads: Assign concrete values to SRCIPADDRESSES and DSTPORTS as shown: SRCIPADDRESSES = [ 10.0.0.1,...
2011 Feb 18
0
altering virtual network driver iptables behavior
...cp, udp, and icmp specifically. I'm doing this so it will force inclusion into the iptables filtering rules rather than ebtables. <filter name='my-static-ip' chain='root'> <rule action='accept' direction='out' priority='500'> <tcp srcipaddr='$MYIP'/> </rule> <rule action='accept' direction='out' priority='500'> <udp srcipaddr='$MYIP'/> </rule> <rule action='accept' direction='out' priority='500'> <icmp srcipaddr='$MY...
2018 Nov 08
0
Problems getting nwfilter to work
...k platform. I set up a filter rule and attached it to the interface of a guest using nwfilter-define: <filter name='private_ip' chain='ipv4'>   <uuid>foobar</uuid>   <rule action='accept' direction='out' priority='100'>     <ip srcipaddr='$IP' dstipaddr='10.0.0.1'/>   </rule>   <rule action='accept' direction='in' priority='110'>     <ip srcipaddr='10.0.0.1' dstipaddr='$IP'/>   </rule>   <rule action='drop' direction='inout' p...
2019 Jun 03
1
Easy solution for custom firewall rules-
...ATED'/> </rule> <rule action='accept' direction='in' priority='100'> <ip dstipaddr='192.168.8.0' dstipmask='24'/> </rule> <rule action='accept' direction='out' priority='100'> <ip srcipaddr='192.168.8.0' srcipmask='24'/> </rule> <rule action='drop' direction='inout' priority='500'> <all/> </rule> </filter> I then associated that filter with the Interface device on the VM server within KVM... and shutdo...
2018 Jul 02
1
Re: East-west traffic network filter
...ction='accept' direction='inout' priority='-500'> <mac protocolid='arp'/> </rule> <!-- accept traffic only from specified MAC address --> <rule action='drop' direction='in'> <ip match='yes' srcipaddr='$GATEWAY_IP' srcipmask='$GATEWAY_IP_MASK' /> </rule> <!-- allow traffic only to specified MAC address --> <rule action='drop' direction='out'> <ip match='yes' dstipaddr='$GATEWAY_IP' dstipmask=&...
2013 Jul 15
2
Re: The firewall just doesn't make any sense
...; </filter> Generates the following iptables rules: https://up.tao.at/u/DE7E2638.txt ...and will not filter anything. > <filter name='test-eth0' chain='root'> > <rule action='accept' direction='in' priority='500'> > <tcp srcipaddr='192.168.17.127' dstportstart='22'/> > </rule> > <rule action='drop' direction='in' priority='900'> > <all/> > </rule> > </filter> Will filter port 22 as well. The generated iptables rules are as foll...
2018 Jun 28
4
East-west traffic network filter
Hello, I would like to make a filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have come up with a modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic? Thank you. Best
2007 Nov 28
6
Problems installing/running svn-code
Hi, The last couple of days I've been trying to get back on the wxRuby-horse however I've run into some problems while compiling/testing the subversion sources. Mind, the 1.9.2 official release works fine. Absolutely no problems whatsoever. The first hurdle was that the rake install target doesn't work. It fails on rakewx.rb:145. Looking into it I found that
2010 Jun 30
0
FYI: a short guide to libvirt & network filtering iptables/ebtables use
...a the variables $IP and $MAC. So to define a filter that prevents IP address spoofing we can simply match on source IP address != $IP <filter name='no-ip-spoofing' chain='ipv4'> <rule action='drop' direction='out'> <ip match='no' srcipaddr='$IP' /> </rule> </filter> I'm not going to go into details on all the other protocol matches you can do, because it'll take far too much space. You can read about the options here http://libvirt.org/formatnwfilter.html#nwfelemsRulesProto Out of the box in...
2013 Jul 08
6
Getting nwfilter to work on Debian Wheezy
Hi, I'm trying to configure nwfilter for KVM, but so far I haven't managed to figure out a working configuration. Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is connected via eth0, part of the external subnet 192.168.17.0/24, and has an additional subnet 192.168.128.160/28 routed to its main address 192.168.17.125. The host's subnet is configured as bridge