similar to: NWFilter mac address matches chain

On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: > Hi, > > I am running a webserver on the libvirt host and would like to add a > nwfilter such that a VM can access that server. The corresponding iptables > rule would look like this: > > iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1 > --protocol tcp --dport 80

On 5/28/2014 10:10 AM, Laine Stump wrote: > On 05/27/2014 02:46 AM, Brian Rak wrote: >> Make sure you have: >> >> /proc/sys/net/bridge/bridge-nf-call-iptables = 1 > That doesn't make sense. bridge-nf-call-iptables controls whether or not > traffic going across a Linux host bridge device will be sent through > iptables, but the rules created by nwfilter are applied

On 05/27/2014 02:46 AM, Brian Rak wrote: > Make sure you have: > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1 That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the

On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote: >On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote: >> On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: >> >> > Hi, >> > >> > I am running a webserver on the libvirt host and would like to add a >> > nwfilter such that a VM can access that

On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote: > On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: > > > Hi, > > > > I am running a webserver on the libvirt host and would like to add a > > nwfilter such that a VM can access that server. The corresponding iptables > > rule would look like this: > > > > iptables

On Mon, May 08, 2017 at 11:30:46AM -0400, Nicolas Bock wrote: > On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote: > > On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote: > > > On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: > > > > > > > Hi, > > > > > > > > I am running a webserver

To take advantage of the filters, is it as simple as adding these couple of lines in a guest's xml file like the example from https://libvirt.org/formatnwfilter.html#nwfconcepts ? <devices> <interface type='bridge'> <mac address='00:16:3e:5d:c7:9e'/> <filterref filter='clean-traffic'> <parameter name='IP'

Let's say I have some iptables rules defined to restrict guest traffic. If I restart the hosts firewall 'service iptables restart', all the guest-specific rules get blown away. Is there a way to reapply all the guest firewall rules, without restarting each individual guest? It looks like if I edit a nwfilter with `virsh nwfilter-edit` it goes and reapplies the rules to all the

On 04/17/2014 10:42 AM, Jianwei Hu wrote: > Hi guys, > > I saw this sub-element in http://libvirt.org/firewall.html, there is some confusion, what's the meaning of sub-element <ip address='X.X.X.X'> in <interface type='bridge'> of domain xml? > > The detail <interface> in domain xml as below: > <interface type='bridge'> >

Hi, I'm trying to configure nwfilter for KVM, but so far I haven't managed to figure out a working configuration. Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is connected via eth0, part of the external subnet 192.168.17.0/24, and has an additional subnet 192.168.128.160/28 routed to its main address 192.168.17.125. The host's subnet is configured as bridge

On 03/30/2018 04:29 PM, Andre Goree wrote: > On 2018/02/16 12:12 pm, Daniel P. Berrang? wrote: >> On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >>> I'm trying to determine if it's possible to edit/attach/apply >>> nwfilter rules >>> at runtime?? I.e., after a VM is already running, can I apply a >>> nwfilter to >>> the VM

[Please keep the list CC-ed as it may help somebody from future when searching for solution to the same problem] On 5/6/19 6:08 PM, nakata@geekpit.org wrote: > Am 2019-05-06 16:26, schrieb Michal Privoznik: >> On 5/6/19 3:44 PM, nakata@geekpit.org wrote: >>> Hi, >>> >>> i want to disable the nwfilter functionality of libvirt. >>> It's surely nice

I'm trying to accomplish what I had hoped would be a fairly simple filtering of traffic to my VMs, but I'm hitting a snag. The VMs are allowing traffic when I wouldn't expect them to. Host and Guest are both running the same platform: Ubuntu 12.04.4 LTS 0.9.8-2ubuntu17.19 I have a basic bridge enabled on the host: brctl addbr brdg brctl addif brdg eth1 ip link set brdg up The host

On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote: > On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >> I'm trying to determine if it's possible to edit/attach/apply nwfilter >> rules >> at runtime? I.e., after a VM is already running, can I apply a >> nwfilter to >> the VM and have it work without rebooting the machine? Thus far, I've

Hi, libvirts nwfilter module can achieve that. I'm currently working on opt-out patches to disable that functionality if wished. I also don't use firewalld. It's both paternalizing and annoying and takes away user flexilibity in exchange for nothing. anyways Check the nwfilter page to write own filters for the beginning: https://libvirt.org/formatnwfilter.html#nwfwrite some

On 02/08/2016 04:20 PM, Andre Goree wrote: > On 01/11/2016 3:05 pm, Laine Stump wrote: >> On 01/11/2016 02:25 PM, Andre Goree wrote: >>> >>> I have some questions regarding the way that networking is handled >>> via qemu/kvm+libvirt -- my apologies in advance if this is not the >>> proper mailing list for such a question. >>> >>>

On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote: > On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >> I'm trying to determine if it's possible to edit/attach/apply nwfilter >> rules >> at runtime? I.e., after a VM is already running, can I apply a >> nwfilter to >> the VM and have it work without rebooting the machine? Thus far, I've

On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: > I'm trying to determine if it's possible to edit/attach/apply nwfilter rules > at runtime? I.e., after a VM is already running, can I apply a nwfilter to > the VM and have it work without rebooting the machine? Thus far, I've not > come across a way to do so, but I thought I'd ask here before I chase my

Gluster devs, I found the message below in the archives. glfs-health.sh is not included in the v3.0.3 sources - is there any plan to add this to the "extras" directory? What's its status? Ian == snip == Raghavendra G Mon, 22 Feb 2010 20:20:33 -0800 Hi all, Here is some work related to Health monitoring. glfs-health.sh is a shell script to check the health of glusterfs.

I just wrote this to assist some Red Hat folks understanding what libvirt does with iptables, and thought it is useful info for the whole libvirt community. When I have time I'll adjust this content so that it can fit into the website in relevant pages/places. Firewall / network filtering in libvirt ======================================= There are three pieces of libvirt