similar to: Networkfilters in Routed setup

On 02/14/2014 08:40 PM, h0rst wrote: > Hello! > > Since i could not find any information on the internet about this subject, i'm going to try my luck on this list. > > I'm trying to setup network-filter on a routed setup. I have a root-server at Hetzner, a german hosting provider. > Along with my server i ordered a (/28) subnet to be able to setup dedicated IPs for my

On Di, 2014-02-18 at 12:03 +0200, Laine Stump wrote: > You *really* should upgrade to a newer libvirt. I know that version 0.9.8 is very old. But to be honest i tried to avoid upgrading and compiling a newer version since i don't know if it has any effects on running VMs (but i haven't checked this yet). Its a production server and i did not want to interrupt any services running on

On 05/27/2014 02:46 AM, Brian Rak wrote: > Make sure you have: > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1 That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the

Hi, I'm trying to configure nwfilter for KVM, but so far I haven't managed to figure out a working configuration. Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is connected via eth0, part of the external subnet 192.168.17.0/24, and has an additional subnet 192.168.128.160/28 routed to its main address 192.168.17.125. The host's subnet is configured as bridge

I'm trying to accomplish what I had hoped would be a fairly simple filtering of traffic to my VMs, but I'm hitting a snag. The VMs are allowing traffic when I wouldn't expect them to. Host and Guest are both running the same platform: Ubuntu 12.04.4 LTS 0.9.8-2ubuntu17.19 I have a basic bridge enabled on the host: brctl addbr brdg brctl addif brdg eth1 ip link set brdg up The host

On Di, 2014-02-18 at 16:06 -0700, Eric Blake wrote: > There should be no problem upgrading to a newer libvirt. We take great > pains to ensure that a newer version of libvirt can be reloaded and > gracefully understand the XML recorded by older versions, with no loss > to running VMs. While there have been bugs on this front, they get > caught and patched quickly, so by updating

On 02/19/2014 08:47 AM, h0rst wrote: > >>>> 2014-02-19 14:11:58.636+0000: 7075: error : virCommandWait:2376 : internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOME=/root USER=root LOGNAME=root /usr/sbin/dnsmasq --version) unexpected exit status 1: libvirt: error : cannot execute binary /usr/sbin/dnsmasq: Permission denied

On 5/28/2014 10:10 AM, Laine Stump wrote: > On 05/27/2014 02:46 AM, Brian Rak wrote: >> Make sure you have: >> >> /proc/sys/net/bridge/bridge-nf-call-iptables = 1 > That doesn't make sense. bridge-nf-call-iptables controls whether or not > traffic going across a Linux host bridge device will be sent through > iptables, but the rules created by nwfilter are applied

Hi, Over the past few days I've been trying to get a prototype working of a stateful firewall for a Virtual Machine using Libvirt's network filters. My goal is to replace the current custom Python/Java code in the Apache CloudStack [0] project by Network Filters of Libvirt. Both IPv4 and IPv6 should work, but I started off with IPv4 and I have issues with accepting back

Hello, I'm recently stumbled over the libvirt network filter capabilities and got pretty excited. Unfortunately I'm not able to get the the "clean-traffic" filterset working. I'm using a freshly installed Debian Stretch with libvirt, qemu and KVM. My config snippet looks as follows: sudo virsh edit <VM> [...] <interface type='bridge'> <mac

Hi, I am trying to prevent my qemu guest machines from sending IPv6 router advertisements over their network device. To that end, I have written this filter definition: <filter name='no-ipv6-router-advertisement' chain='root' priority='-690'> <rule action='drop' direction='out' priority='600'> <icmpv6 type='134'/>

On Wed, Feb 18, 2015 at 3:10 AM, C. L. Martinez <carlopmart at gmail.com> wrote: > On Tue, Feb 17, 2015 at 1:43 PM, Sven Kieske <s.kieske at mittwald.de> wrote: > > > > > > On 17/02/15 09:18, C. L. Martinez wrote: > >> Hi all, > >> > >> How can I stop/disable a nic in a virtual guest using a virsh > >> command?? I am searching

(If this is a double post, I apologize, my email client crashed when I first sent it) I need some help to configure a secure network on my Xen server. I have been looking online and it seems a I need a routed network. But I am having a terrible time implementing it. My setup: Xen 3.4.2 CentOS 5.5 Dom0 1 NIC (eth0) All guests will be HVM What I want to do is something similar to a firewall

On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com> wrote: > Hi Ales, > > I would like to prevent the guests from different subnets start a > communication. In other words I have the subnet 192.168.1.0/24 and > 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with > guests on 192.168.2.0/24 at the same host. Is this possible using a

Hi there. I have configured kvm domain (rhel6.4) with ethernet bridged over macvtap, and found no filtration applied except mac. 'virsh' just silently ignoring attributes 'filterref' and 'ip address' in different formats. No error on validate stage. Config examples: ... <interface type='direct'> <mac address='52:54:00:31:ae:1a'/>

Hello, I would like to make filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have came up with modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic? Thank you. Best

To take advantage of the filters, is it as simple as adding these couple of lines in a guest's xml file like the example from https://libvirt.org/formatnwfilter.html#nwfconcepts ? <devices> <interface type='bridge'> <mac address='00:16:3e:5d:c7:9e'/> <filterref filter='clean-traffic'> <parameter name='IP'

Hello, I defined a vm with filterref like: <filterref filter='clean-traffic'> <parameter name='IP' value='192.168.1.161'/> </filterref> and now I need to add another IP parameter for this vm,is there any way to achieve this? thanks.

Hi! I'm aware that (host side) vnetX are created when VM boots. But I'm trying to figure out a way ti create a persistence in vnetX names. What I mean is, say, I want to associate VMs vm0 to vnet0, vm1 to vnet1, vm2 to vnet2 and so forth, no matter which order the VMs are booted. I looked around network XML format, but did't find something... Since I'm using Open vSwitch as