similar to: Updating an "interface" device has no effect on network filters

Hello all! I try to use network filters for openvswitch interfaces.  This is the xml configuration of my bridge interface <interface type='bridge'>    <mac address='00:11:22:33:44:55'/>    <source bridge='virbr1'/>    <virtualport type='openvswitch'>         <parameters interfaceid='0529d6b5-627c-4330-803f-0d7018e6d496'/>   

Hello All, I am trying to set up a cobbler server running as a guest on an isolated network. I'm having trouble figuring out how I can forward the DHCP and DNS traffic to this guest instead of DNSMASQ on the host. So far I have only tried to get dhcp working by enabling the 'allow-dhcp-server' on a guest named test and setting the $DHCPSERVER variable through a filterref parameter

I just wrote this to assist some Red Hat folks understanding what libvirt does with iptables, and thought it is useful info for the whole libvirt community. When I have time I'll adjust this content so that it can fit into the website in relevant pages/places. Firewall / network filtering in libvirt ======================================= There are three pieces of libvirt

Hi, I am trying to prevent my qemu guest machines from sending IPv6 router advertisements over their network device. To that end, I have written this filter definition: <filter name='no-ipv6-router-advertisement' chain='root' priority='-690'> <rule action='drop' direction='out' priority='600'> <icmpv6 type='134'/>

On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com> wrote: > Hi Ales, > > I would like to prevent the guests from different subnets start a > communication. In other words I have the subnet 192.168.1.0/24 and > 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with > guests on 192.168.2.0/24 at the same host. Is this possible using a

Hi there. I have configured kvm domain (rhel6.4) with ethernet bridged over macvtap, and found no filtration applied except mac. 'virsh' just silently ignoring attributes 'filterref' and 'ip address' in different formats. No error on validate stage. Config examples: ... <interface type='direct'> <mac address='52:54:00:31:ae:1a'/>

Hi I am using libvirt (0.9.12) with openstack and xen. It looks like libvirt is not creating ebtables rules against arp spoofing etc. Here are my configs: VM definition: <domain type='xen'> <uuid>d49b777f-32f1-4093-ae47-a12efd0efd2c</uuid> <name>instance-00000168</name> <memory>2097152</memory> <os>

On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote: > Hello, > > I would like to make filter that allows communication only between > specified VMs. Those VMs should be specified by their MAC address. The > filter should extend clean-traffic but I was not able to get it working > with that reference. I have came up with modified clean-traffic which works > fine [1].

To take advantage of the filters, is it as simple as adding these couple of lines in a guest's xml file like the example from https://libvirt.org/formatnwfilter.html#nwfconcepts ? <devices> <interface type='bridge'> <mac address='00:16:3e:5d:c7:9e'/> <filterref filter='clean-traffic'> <parameter name='IP'

Hello, I defined a vm with filterref like: <filterref filter='clean-traffic'> <parameter name='IP' value='192.168.1.161'/> </filterref> and now I need to add another IP parameter for this vm,is there any way to achieve this? thanks.

Hi, Over the past few days I've been trying to get a prototype working of a stateful firewall for a Virtual Machine using Libvirt's network filters. My goal is to replace the current custom Python/Java code in the Apache CloudStack [0] project by Network Filters of Libvirt. Both IPv4 and IPv6 should work, but I started off with IPv4 and I have issues with accepting back

On 11/19/2013 11:00 AM, vlad halilov wrote: > Hi there. I have configured kvm domain (rhel6.4) with ethernet bridged > over macvtap, and found no filtration applied except mac. 'virsh' just > silently ignoring attributes 'filterref' and 'ip address' in different > formats. No error on validate stage. Config examples: > > ... > <interface

Make sure you have: /proc/sys/net/bridge/bridge-nf-call-iptables = 1 On 5/26/2014 1:35 PM, Matt LaPlante wrote: > I'm trying to accomplish what I had hoped would be a fairly simple > filtering of traffic to my VMs, but I'm hitting a snag. The VMs are > allowing traffic when I wouldn't expect them to. > > Host and Guest are both running the same platform: > Ubuntu

Hi Ales, I would like to prevent the guests from different subnets start a communication. In other words I have the subnet 192.168.1.0/24 and 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with guests on 192.168.2.0/24 at the same host. Is this possible using a filter like yours? Thank you. Thiago. Em qui, 28 de jun de 2018 às 09:37, Ales Musil <amusil@redhat.com>

I'm trying to accomplish what I had hoped would be a fairly simple filtering of traffic to my VMs, but I'm hitting a snag. The VMs are allowing traffic when I wouldn't expect them to. Host and Guest are both running the same platform: Ubuntu 12.04.4 LTS 0.9.8-2ubuntu17.19 I have a basic bridge enabled on the host: brctl addbr brdg brctl addif brdg eth1 ip link set brdg up The host

Hi Sam, You can find the rules by below command, and it looks as below: # ebtables -t nat --list Bridge table: nat Bridge chain: PREROUTING, entries: 2, policy: ACCEPT -j PREROUTING_direct -i vnet0 -j libvirt-I-vnet0 Bridge chain: OUTPUT, entries: 1, policy: ACCEPT -j OUTPUT_direct Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT -j POSTROUTING_direct -o vnet0 -j libvirt-O-vnet0 Bridge

On 5/28/2014 10:10 AM, Laine Stump wrote: > On 05/27/2014 02:46 AM, Brian Rak wrote: >> Make sure you have: >> >> /proc/sys/net/bridge/bridge-nf-call-iptables = 1 > That doesn't make sense. bridge-nf-call-iptables controls whether or not > traffic going across a Linux host bridge device will be sent through > iptables, but the rules created by nwfilter are applied

On Wed, Jan 15, 2014 at 10:55:55AM +0800, Gao Yongwei wrote: > Hello, > I defined a vm with filterref like: > <filterref filter='clean-traffic'> > <parameter name='IP' value='192.168.1.161'/> > </filterref> > and now I need to add another IP parameter for this vm,is there any way to > achieve this? No, I don't believe we have

Hello, I would like to make filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have came up with modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic? Thank you. Best

On 05/27/2014 02:46 AM, Brian Rak wrote: > Make sure you have: > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1 That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the