Displaying 6 results from an estimated 6 matches for "srcipmask".

2018 Mar 29
1
nwfilter multiple IPs
...ter-dumpxml 1081532-private-both <filter name='1081532-private-both' chain='root'> <uuid>16004b94-2b62-4568-9467-169908eb4040</uuid> <rule action='accept' direction='in' priority='500'> <ip srcipaddr='10.25.104.0' srcipmask='24'/> </rule> <rule action='accept' direction='in' priority='600'> <ip srcipaddr='10.117.50.0' srcipmask='24'/> </rule> <rule action='drop' direction='in' priority='1000'/> <...
2020 Jan 01
2
Passing multiple addresses with masks to nwfilter
...ensure that libvirt domains can't spoof IPv6 traffic. It looks like this: <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'> <rule action='return' direction='out' priority='500'> <ipv6 srcipaddr='$IPV6' srcipmask='$IPV6MASK'/> </rule> <rule action='drop' direction='out' priority='1000'/> </filter> The goal is to allow any traffic coming from the entire prefix (e.g. 2001:db8::/32). This theoretically would work fine when passing in the variables from...
2020 Jan 01
0
Re: Passing multiple addresses with masks to nwfilter
...n_filters, it sounds like the preferred approach is to use something like: <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'> <rule action='return' direction='out' priority='500'> <ipv6 srcipaddr='$IPV6[@1]' srcipmask='$IPV6_MASK[@1]'/> </rule> <rule action='drop' direction='out' priority='1000'/> </filter> The documentation reads: Assign concrete values to SRCIPADDRESSES and DSTPORTS as shown: SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ] DSTPORTS = [ 80, 80...
2019 Jun 03
1
Easy solution for custom firewall rules-
...<rule action='accept' direction='in' priority='100'> <ip dstipaddr='192.168.8.0' dstipmask='24'/> </rule> <rule action='accept' direction='out' priority='100'> <ip srcipaddr='192.168.8.0' srcipmask='24'/> </rule> <rule action='drop' direction='inout' priority='500'> <all/> </rule> </filter> I then associated that filter with the Interface device on the VM server within KVM... and shutdown/restart that VM. <interfa...
2018 Jul 02
1
Re: East-west traffic network filter
...='inout' priority='-500'> <mac protocolid='arp'/> </rule> <!-- accept traffic only from specified MAC address --> <rule action='drop' direction='in'> <ip match='yes' srcipaddr='$GATEWAY_IP' srcipmask='$GATEWAY_IP_MASK' /> </rule> <!-- allow traffic only to specified MAC address --> <rule action='drop' direction='out'> <ip match='yes' dstipaddr='$GATEWAY_IP' dstipmask='$GATEWAY_IP_MASK' />...
2018 Jun 28
4
East-west traffic network filter
Hello, I would like to make a filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have come up with a modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic? Thank you. Best