similar to: IP/MAC antispoof-protection

I try to add some rules to filtering network, example <filterref filter='clean-traffic'/> or <filterref filter='no-ip-spoofing'/> and vm not starting with message virsh start freebsd8.2 error: Failed to start domain freebsd8.2 error: internal error IP parameter must be given since libvirt was not compiled with IP address learning support what do I do wrong?

Hello, I have a nwfilter that I'm using to ensure that libvirt domains can't spoof IPv6 traffic. It looks like this: <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'> <rule action='return' direction='out' priority='500'> <ipv6 srcipaddr='$IPV6' srcipmask='$IPV6MASK'/> </rule>

ut 2.4.1 works with megatec_usb driver. It tries to interact with a device in /dev/bus/usb/X/Y, but there are root:root 664 access rights. When I try to set port /dev/hiddev0 with write access in config file, in strace there are no records about accessing /dev/hiddev, but still only /dev/bus/usb/X/Y How to explain such a behavior? execve("./megatec_usb",

Hello, I would like to make filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have came up with modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic? Thank you. Best

On 10/28/2016 05:30 PM, Michal Privoznik wrote: > On 28.10.2016 14:17, Anton Gorlov wrote: >> 28.10.2016 23:32, Michal Privoznik пишет: >> >> >> On my host node i using system created bridge. example >> >> brctl show br1 >> bridge name bridge id STP enabled interfaces >> br1 8000.0025907925d3 no

On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com> wrote: > Hi Ales, > > I would like to prevent the guests from different subnets start a > communication. In other words I have the subnet 192.168.1.0/24 and > 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with > guests on 192.168.2.0/24 at the same host. Is this possible using a

Hi folks, I started testing the antispoof feature of xen stable (2.0.7). I am stuck with it. I have setup a standard bridged environment. I understood it like this: in domU config I set up the virtual NIC like vif = [ ''mac=ae:00:00:78:78:78, ip=192.168.0.100'' ] Then I configure /etc/network/interface of this domU to show the same IP address for eth0. After restarting

after I starting battery test on my laptop I see in my logs some error and ups (IPPON Smart Power Pro 1400. usb interface) isn't monitoring now [ippon] driver = megatec_usb port = auto desc = "local" Feb 16 23:22:09 f37 upsd[17150]: Instant command: stlk at 127.0.0.1 did test.battery.start on ippon Feb 16 23:22:12 f37 megatec_usb[17249]: ser_get_line: Device detached? (error

On 05/27/2014 02:46 AM, Brian Rak wrote: > Make sure you have: > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1 That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the

To take advantage of the filters, is it as simple as adding these couple of lines in a guest's xml file like the example from https://libvirt.org/formatnwfilter.html#nwfconcepts ? <devices> <interface type='bridge'> <mac address='00:16:3e:5d:c7:9e'/> <filterref filter='clean-traffic'> <parameter name='IP'

Hi there. I have configured kvm domain (rhel6.4) with ethernet bridged over macvtap, and found no filtration applied except mac. 'virsh' just silently ignoring attributes 'filterref' and 'ip address' in different formats. No error on validate stage. Config examples: ... <interface type='direct'> <mac address='52:54:00:31:ae:1a'/>

I'm trying to accomplish what I had hoped would be a fairly simple filtering of traffic to my VMs, but I'm hitting a snag. The VMs are allowing traffic when I wouldn't expect them to. Host and Guest are both running the same platform: Ubuntu 12.04.4 LTS 0.9.8-2ubuntu17.19 I have a basic bridge enabled on the host: brctl addbr brdg brctl addif brdg eth1 ip link set brdg up The host

Hello all! I try to use network filters for openvswitch interfaces.  This is the xml configuration of my bridge interface <interface type='bridge'>    <mac address='00:11:22:33:44:55'/>    <source bridge='virbr1'/>    <virtualport type='openvswitch'>         <parameters interfaceid='0529d6b5-627c-4330-803f-0d7018e6d496'/>   

1. It takes minutes to start the virtual machine when I add "filterref" to libvirt.xml and run command "virsh start vm1". It also takes minutes to destroy the virtual machine. <interface type="bridge"> <mac address="fa:16:3e:fa:f7:94"/> <target dev="tap69e948b0-bf"/> <source bridge="br02"/> <model

Hi guys, I saw this sub-element in http://libvirt.org/firewall.html, there is some confusion, what's the meaning of sub-element <ip address='X.X.X.X'> in <interface type='bridge'> of domain xml? The detail <interface> in domain xml as below: <interface type='bridge'> <mac address='52:54:00:56:44:32'/> <source

Hello, I'm recently stumbled over the libvirt network filter capabilities and got pretty excited. Unfortunately I'm not able to get the the "clean-traffic" filterset working. I'm using a freshly installed Debian Stretch with libvirt, qemu and KVM. My config snippet looks as follows: sudo virsh edit <VM> [...] <interface type='bridge'> <mac

On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote: > On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >> I'm trying to determine if it's possible to edit/attach/apply nwfilter >> rules >> at runtime? I.e., after a VM is already running, can I apply a >> nwfilter to >> the VM and have it work without rebooting the machine? Thus far, I've

❦ 3 novembre 2016 20:43 +0300, Anton Gorlov <stalker@altlinux.ru> : >> ... but *is* in the status xml (i.e. the output of "visrh dumpxml >> $domain" while the domain is running, and also the xml provided on stdin >> to the qemu and network hooks when they are called). >> >> (also, what Vincent said in his email - names with the prefix

Hello with XEN 3.4.x antispoof=yes works on a bridge setup. I am using this line in xend-config.sxp (network-script ''network-bridge antispoof=yes'') It creates this under IPTABLES FORWARD chain: ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in peth0 Under XEN 4.0.1 it is not working, it does not create a IPTABLES rule. Customers can

Hi, I'm trying to configure nwfilter for KVM, but so far I haven't managed to figure out a working configuration. Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is connected via eth0, part of the external subnet 192.168.17.0/24, and has an additional subnet 192.168.128.160/28 routed to its main address 192.168.17.125. The host's subnet is configured as bridge