similar to: network filtering

Hi all. What right way to protect ip/mac spoofing for guests withnount dhcp and other 1 ip per guest?

On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com> wrote: > Hi Ales, > > I would like to prevent the guests from different subnets start a > communication. In other words I have the subnet 192.168.1.0/24 and > 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with > guests on 192.168.2.0/24 at the same host. Is this possible using a

Hello, I would like to make filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have came up with modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic? Thank you. Best

Hi there. I have configured kvm domain (rhel6.4) with ethernet bridged over macvtap, and found no filtration applied except mac. 'virsh' just silently ignoring attributes 'filterref' and 'ip address' in different formats. No error on validate stage. Config examples: ... <interface type='direct'> <mac address='52:54:00:31:ae:1a'/>

I expect that there's something glaringly obvious that I'm overlooking, as I'm justr getting back involved in using R after a several-month hiatus (from R). So I welcome clues. When I invoke plot(), merely specifying a data.frame with 2 columns, specify the plot type ("type") of "p" ("points"), and that I want the point to be green ('col =

Hello, I have a nwfilter that I'm using to ensure that libvirt domains can't spoof IPv6 traffic. It looks like this: <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'> <rule action='return' direction='out' priority='500'> <ipv6 srcipaddr='$IPV6' srcipmask='$IPV6MASK'/> </rule>

Hello, I'm recently stumbled over the libvirt network filter capabilities and got pretty excited. Unfortunately I'm not able to get the the "clean-traffic" filterset working. I'm using a freshly installed Debian Stretch with libvirt, qemu and KVM. My config snippet looks as follows: sudo virsh edit <VM> [...] <interface type='bridge'> <mac

I'm trying to accomplish what I had hoped would be a fairly simple filtering of traffic to my VMs, but I'm hitting a snag. The VMs are allowing traffic when I wouldn't expect them to. Host and Guest are both running the same platform: Ubuntu 12.04.4 LTS 0.9.8-2ubuntu17.19 I have a basic bridge enabled on the host: brctl addbr brdg brctl addif brdg eth1 ip link set brdg up The host

Hi all: I tried kvm on my ubuntu with the libvirt.xml file as follows: <domain type='kvm'> <name>instance-00000011</name> <memory>2097152</memory> <os> <type>hvm</type> <boot dev="hd" /> </os> <features> <acpi/>

Hi all, As of r141677 I have a failing regression test, see below. This is for LLVM built with clang on a Intel Atom running FreeBSD8.2. Should I file a bug for this? Thanks, Ed. ******************** TEST 'LLVM :: CodeGen/X86/bswap.ll' FAILED ******************** Script: -- /usr/home/emeewis/build/llvm-debug-clang-configure/Debug+Asserts/bin/llc <

To take advantage of the filters, is it as simple as adding these couple of lines in a guest's xml file like the example from https://libvirt.org/formatnwfilter.html#nwfconcepts ? <devices> <interface type='bridge'> <mac address='00:16:3e:5d:c7:9e'/> <filterref filter='clean-traffic'> <parameter name='IP'

Hello, I defined a vm with filterref like: <filterref filter='clean-traffic'> <parameter name='IP' value='192.168.1.161'/> </filterref> and now I need to add another IP parameter for this vm,is there any way to achieve this? thanks.

On 05/27/2014 02:46 AM, Brian Rak wrote: > Make sure you have: > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1 That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the

After we upgraded to 1.2.12, we've been having issues with libvirt... it complains that our formerly valid guest definitions are now invalid: error: Failed to start domain XXXX error: internal error: Cannot instantiate filter due to unresolvable variables or unavailable list elements: DHCPSERVER We looked into this, and found that it's the XML validation that's failing: # xmllint

On 13.10.2011, at 15:57, Edward Meewis wrote: > Hi all, > > As of r141677 I have a failing regression test, see below. > > This is for LLVM built with clang on a Intel Atom running FreeBSD8.2. > > Should I file a bug for this? Fixed in r141863. - Ben

Dear all, I configure my kvm vm like this: <interface type='bridge'> <mac address='52:54:00:dd:b2:c5'/> <source bridge='nw-vpc-1017'/> <target dev='if-57'/> <model type='virtio'/> <filterref filter='clean-traffic'> <parameter name='IP'

Hello all! I try to use network filters for openvswitch interfaces.  This is the xml configuration of my bridge interface <interface type='bridge'>    <mac address='00:11:22:33:44:55'/>    <source bridge='virbr1'/>    <virtualport type='openvswitch'>         <parameters interfaceid='0529d6b5-627c-4330-803f-0d7018e6d496'/>   

1. It takes minutes to start the virtual machine when I add "filterref" to libvirt.xml and run command "virsh start vm1". It also takes minutes to destroy the virtual machine. <interface type="bridge"> <mac address="fa:16:3e:fa:f7:94"/> <target dev="tap69e948b0-bf"/> <source bridge="br02"/> <model

On Tue, Jun 06, 2017 at 11:37:27PM -0300, Thiago Oliveira wrote: > Daniel, > > Are you talking about XML? If yes, could please show us an example? <domain> ... <devices> .... <interface type='bridge'> <mac address='00:16:3e:5d:c7:9e'/> <filterref filter='clean-traffic'/> </interface> ....

Hi, I am trying to prevent my qemu guest machines from sending IPv6 router advertisements over their network device. To that end, I have written this filter definition: <filter name='no-ipv6-router-advertisement' chain='root' priority='-690'> <rule action='drop' direction='out' priority='600'> <icmpv6 type='134'/>