Displaying 20 results from an estimated 3000 matches similar to: "macvtap direct and ip spoofing"
2013 Nov 19
0
Re: macvtap direct and ip spoofing
On 11/19/2013 11:00 AM, vlad halilov wrote:
> Hi there. I have configured a kvm domain (rhel6.4) with ethernet bridged
> over macvtap, and found no filtration applied except mac. 'virsh' just
> silently ignores the attributes 'filterref' and 'ip address' in different
> formats. No error on validate stage. Config examples:
>
> ...
> <interface
2015 Apr 30
3
Limitations of macvtap devices?
I am running OpenStack inside a libvirt guest that is connected to the
local network via a macvtap interface. My experience so far suggests
that a macvtap interface will not pass traffic with a source MAC
address other than the MAC address of the interface itself...for
example, if inside the guest eth0 is attached to a bridge.
Is that correct, or is there some setting that will make that work?
2014 Feb 12
2
F20 Virt-Manager with MacVTap not working
Hello,
I've set up a VM with default networking (NAT) and this works fine but hosts
on my LAN can't get to the VM since it uses NAT.
When I try to set network to use MacVTap with either default or bridged I
get no networking for the VM.
Any hints around this? I would like to have the VM's on the same LAN as my
host and other machines. I don't care if the VM host can't reach the
2014 Feb 12
2
Re: F20 Virt-Manager with MacVTap not working
The guest was set up through virt-manager. The machine is not configured
much after a F20 install (I believe I didn't change any network things)
Here is the network part:
<interface type='direct'>
<mac address='52:54:00:fe:b0:66'/>
<source dev='em1' mode='bridge'/>
<target dev='macvtap0'/>
<model
2018 Jul 02
1
Re: East-west traffic network filter
On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com>
wrote:
> Hi Ales,
>
> I would like to prevent the guests from different subnets from starting a
> communication. In other words I have the subnet 192.168.1.0/24 and
> 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with
> guests on 192.168.2.0/24 at the same host. Is this possible using a
2018 Jun 28
4
East-west traffic network filter
Hello,
I would like to make a filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have come up with a modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?
Thank you.
Best
2020 Jan 01
2
Passing multiple addresses with masks to nwfilter
Hello,
I have a nwfilter that I'm using to ensure that libvirt domains can't spoof
IPv6 traffic. It looks like this:
<filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'>
<rule action='return' direction='out' priority='500'>
<ipv6 srcipaddr='$IPV6' srcipmask='$IPV6MASK'/>
</rule>
2018 Dec 25
2
Network filters with clean-traffic not working on Debian Stretch
Hello,
I recently stumbled over the libvirt network filter capabilities and
got pretty excited. Unfortunately I'm not able to get the
"clean-traffic" filterset working. I'm using a freshly installed Debian
Stretch with libvirt, qemu and KVM.
My config snippet looks as follows:
sudo virsh edit <VM>
[...]
<interface type='bridge'>
<mac
2015 May 01
1
Re: Limitations of macvtap devices?
On 04/30/2015 11:18 AM, Laine Stump wrote:
> On 04/30/2015 10:26 AM, Lars Kellogg-Stedman wrote:
>> I am running OpenStack inside a libvirt guest that is connected to the
>> local network via a macvtap interface. My experience so far suggests
>> that a macvtap interface will not pass traffic with a source MAC
>> address other than the MAC address of the interface
2015 Apr 30
0
Re: Limitations of macvtap devices?
On 04/30/2015 10:26 AM, Lars Kellogg-Stedman wrote:
> I am running OpenStack inside a libvirt guest that is connected to the
> local network via a macvtap interface. My experience so far suggests
> that a macvtap interface will not pass traffic with a source MAC
> address other than the MAC address of the interface itself...for
> example, if inside the guest eth0 is attached to a
2020 May 13
2
macvtap direct
Hi
Couple of questions around macvtap direct usage:
1) is the document here current?
https://libvirt.org/formatnetwork.html#examplesDirect
I have been able to get host to guest network traffic without any special
configuration or switch since Fedora 28 when I first started using it.
Using <forward mode=vepa> requires switch port mirroring, but just using
<forward mode=bridge>
2020 May 19
1
Re: macvtap direct
On Thu, May 14, 2020 at 1:32 PM Laine Stump <laine@redhat.com> wrote:
> On 5/13/20 12:52 AM, Subhendu Ghosh wrote:
> > Hi
> >
> > Couple of questions around macvtap direct usage:
> >
> > 1) is the document here current?
> > https://libvirt.org/formatnetwork.html#examplesDirect
>
> Yes. None of that has changed in any major way in many years.
>
2010 Nov 13
1
network filtering
I try to add some rules for network filtering, for example
<filterref filter='clean-traffic'/> or
<filterref filter='no-ip-spoofing'/>
and the VM does not start, with the message
virsh start freebsd8.2
error: Failed to start domain freebsd8.2
error: internal error IP parameter must be given since libvirt was not
compiled with IP address learning support
What am I doing wrong?
2014 May 26
2
nwfilter usage
I'm trying to accomplish what I had hoped would be a fairly simple
filtering of traffic to my VMs, but I'm hitting a snag. The VMs are
allowing traffic when I wouldn't expect them to.
Host and Guest are both running the same platform:
Ubuntu 12.04.4 LTS
0.9.8-2ubuntu17.19
I have a basic bridge enabled on the host:
brctl addbr brdg
brctl addif brdg eth1
ip link set brdg up
The host
2015 May 01
1
libvirt nwfilter
To take advantage of the filters, is it as simple as adding these couple
of lines in a guest's xml file like the example from
https://libvirt.org/formatnwfilter.html#nwfconcepts ?
<devices>
<interface type='bridge'>
<mac address='00:16:3e:5d:c7:9e'/>
<filterref filter='clean-traffic'>
<parameter name='IP'
2014 Jan 15
2
How to update filterref of a vm on the fly?
Hello,
I defined a vm with filterref like:
<filterref filter='clean-traffic'>
<parameter name='IP' value='192.168.1.161'/>
</filterref>
and now I need to add another IP parameter for this vm, is there any way to
achieve this?
thanks.
2014 May 28
3
Re: nwfilter usage
On 05/27/2014 02:46 AM, Brian Rak wrote:
> Make sure you have:
>
> /proc/sys/net/bridge/bridge-nf-call-iptables = 1
That doesn't make sense. bridge-nf-call-iptables controls whether or not
traffic going across a Linux host bridge device will be sent through
iptables, but the rules created by nwfilter are applied to the "vnetX"
tap devices that connect the guest to the
2019 Nov 04
2
It takes long time to start kvm virtual machine with nwfilter in docker container.
1. It takes minutes to start the virtual machine when I add "filterref" to
libvirt.xml and run command "virsh start vm1".
It also takes minutes to destroy the virtual machine.
<interface type="bridge">
<mac address="fa:16:3e:fa:f7:94"/>
<target dev="tap69e948b0-bf"/>
<source bridge="br02"/>
<model
2015 Mar 10
1
Issues with XML validation after upgrade to 1.2.12
After we upgraded to 1.2.12, we've been having issues with libvirt... it
complains that our formerly valid guest definitions are now invalid:
error: Failed to start domain XXXX
error: internal error: Cannot instantiate filter due to unresolvable
variables or unavailable list elements: DHCPSERVER
We looked into this, and found that it's the XML validation that's failing:
# xmllint
2011 Nov 24
2
[PATCH] macvtap: Fix macvtap_get_queue to use rxhash first
It was reported that the macvtap device selects a
different vhost (when used with multiqueue feature)
for incoming packets of a single connection. Use
packet hash first. Patch tested on MQ virtio_net.
Signed-off-by: Krishna Kumar <krkumar2 at in.ibm.com>
---
drivers/net/macvtap.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff -ruNp org/drivers/net/macvtap.c