similar to: libvirt nwfilter

Hi, I'm trying to configure nwfilter for KVM, but so far I haven't managed to figure out a working configuration. Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is connected via eth0, part of the external subnet 192.168.17.0/24, and has an additional subnet 192.168.128.160/28 routed to its main address 192.168.17.125. The host's subnet is configured as bridge

On 05/27/2014 02:46 AM, Brian Rak wrote: > Make sure you have: > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1 That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the

I'm trying to accomplish what I had hoped would be a fairly simple filtering of traffic to my VMs, but I'm hitting a snag. The VMs are allowing traffic when I wouldn't expect them to. Host and Guest are both running the same platform: Ubuntu 12.04.4 LTS 0.9.8-2ubuntu17.19 I have a basic bridge enabled on the host: brctl addbr brdg brctl addif brdg eth1 ip link set brdg up The host

Hi guys, I saw this sub-element in http://libvirt.org/firewall.html, there is some confusion, what's the meaning of sub-element <ip address='X.X.X.X'> in <interface type='bridge'> of domain xml? The detail <interface> in domain xml as below: <interface type='bridge'> <mac address='52:54:00:56:44:32'/> <source

Hello, I have a nwfilter that I'm using to ensure that libvirt domains can't spoof IPv6 traffic. It looks like this: <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'> <rule action='return' direction='out' priority='500'> <ipv6 srcipaddr='$IPV6' srcipmask='$IPV6MASK'/> </rule>

On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote: >On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote: >> On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: >> >> > Hi, >> > >> > I am running a webserver on the libvirt host and would like to add a >> > nwfilter such that a VM can access that

On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: > Hi, > > I am running a webserver on the libvirt host and would like to add a > nwfilter such that a VM can access that server. The corresponding iptables > rule would look like this: > > iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1 > --protocol tcp --dport 80

On 5/28/2014 10:10 AM, Laine Stump wrote: > On 05/27/2014 02:46 AM, Brian Rak wrote: >> Make sure you have: >> >> /proc/sys/net/bridge/bridge-nf-call-iptables = 1 > That doesn't make sense. bridge-nf-call-iptables controls whether or not > traffic going across a Linux host bridge device will be sent through > iptables, but the rules created by nwfilter are applied

On Tue, Jun 06, 2017 at 11:37:27PM -0300, Thiago Oliveira wrote: > Daniel, > > Are you talking about XML? If yes, could please show us an example? <domain> ... <devices> .... <interface type='bridge'> <mac address='00:16:3e:5d:c7:9e'/> <filterref filter='clean-traffic'/> </interface> ....

1. It takes minutes to start the virtual machine when I add "filterref" to libvirt.xml and run command "virsh start vm1". It also takes minutes to destroy the virtual machine. <interface type="bridge"> <mac address="fa:16:3e:fa:f7:94"/> <target dev="tap69e948b0-bf"/> <source bridge="br02"/> <model

On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote: > On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >> I'm trying to determine if it's possible to edit/attach/apply nwfilter >> rules >> at runtime? I.e., after a VM is already running, can I apply a >> nwfilter to >> the VM and have it work without rebooting the machine? Thus far, I've

Dear all, I configure my kvm vm like this: <interface type='bridge'> <mac address='52:54:00:dd:b2:c5'/> <source bridge='nw-vpc-1017'/> <target dev='if-57'/> <model type='virtio'/> <filterref filter='clean-traffic'> <parameter name='IP'

Hello, I'm recently stumbled over the libvirt network filter capabilities and got pretty excited. Unfortunately I'm not able to get the the "clean-traffic" filterset working. I'm using a freshly installed Debian Stretch with libvirt, qemu and KVM. My config snippet looks as follows: sudo virsh edit <VM> [...] <interface type='bridge'> <mac

After we upgraded to 1.2.12, we've been having issues with libvirt... it complains that our formerly valid guest definitions are now invalid: error: Failed to start domain XXXX error: internal error: Cannot instantiate filter due to unresolvable variables or unavailable list elements: DHCPSERVER We looked into this, and found that it's the XML validation that's failing: # xmllint

Hello! Since i could not find any information on the internet about this subject, i'm going to try my luck on this list. I'm trying to setup network-filter on a routed setup. I have a root-server at Hetzner, a german hosting provider. Along with my server i ordered a (/28) subnet to be able to setup dedicated IPs for my virtual machines (KVM). My Server is running Ubuntu 12.04 with

Hello all! I try to use network filters for openvswitch interfaces.  This is the xml configuration of my bridge interface <interface type='bridge'>    <mac address='00:11:22:33:44:55'/>    <source bridge='virbr1'/>    <virtualport type='openvswitch'>         <parameters interfaceid='0529d6b5-627c-4330-803f-0d7018e6d496'/>   

I'm trying to determine if it's possible to edit/attach/apply nwfilter rules at runtime? I.e., after a VM is already running, can I apply a nwfilter to the VM and have it work without rebooting the machine? Thus far, I've not come across a way to do so, but I thought I'd ask here before I chase my tail around Google. Thanks! -- Andre Goree -=-=-=-=-=- Email - andre at

Hi I am using libvirt (0.9.12) with openstack and xen. It looks like libvirt is not creating ebtables rules against arp spoofing etc. Here are my configs: VM definition: <domain type='xen'> <uuid>d49b777f-32f1-4093-ae47-a12efd0efd2c</uuid> <name>instance-00000168</name> <memory>2097152</memory> <os>

Looking at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering#sect-Applying_network_filtering-Usage_of_variables_in_filters, it sounds like the preferred approach is to use something like: <filter name='no-ipv6-spoofing' chain='ipv6-ip'

Make sure you have: /proc/sys/net/bridge/bridge-nf-call-iptables = 1 On 5/26/2014 1:35 PM, Matt LaPlante wrote: > I'm trying to accomplish what I had hoped would be a fairly simple > filtering of traffic to my VMs, but I'm hitting a snag. The VMs are > allowing traffic when I wouldn't expect them to. > > Host and Guest are both running the same platform: > Ubuntu