similar to: Re: nwfilter and address of network ip address

On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote: >On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote: >> On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: >> >> > Hi, >> > >> > I am running a webserver on the libvirt host and would like to add a >> > nwfilter such that a VM can access that

On Mon, May 08, 2017 at 11:30:46AM -0400, Nicolas Bock wrote: > On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote: > > On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote: > > > On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: > > > > > > > Hi, > > > > > > > > I am running a webserver

On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote: > On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: > > > Hi, > > > > I am running a webserver on the libvirt host and would like to add a > > nwfilter such that a VM can access that server. The corresponding iptables > > rule would look like this: > > > > iptables

To take advantage of the filters, is it as simple as adding these couple of lines in a guest's xml file like the example from https://libvirt.org/formatnwfilter.html#nwfconcepts ? <devices> <interface type='bridge'> <mac address='00:16:3e:5d:c7:9e'/> <filterref filter='clean-traffic'> <parameter name='IP'

On 05/27/2014 02:46 AM, Brian Rak wrote: > Make sure you have: > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1 That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the

Hi, I'm trying to configure nwfilter for KVM, but so far I haven't managed to figure out a working configuration. Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is connected via eth0, part of the external subnet 192.168.17.0/24, and has an additional subnet 192.168.128.160/28 routed to its main address 192.168.17.125. The host's subnet is configured as bridge

Hi guys, I saw this sub-element in http://libvirt.org/firewall.html, there is some confusion, what's the meaning of sub-element <ip address='X.X.X.X'> in <interface type='bridge'> of domain xml? The detail <interface> in domain xml as below: <interface type='bridge'> <mac address='52:54:00:56:44:32'/> <source

I'm trying to accomplish what I had hoped would be a fairly simple filtering of traffic to my VMs, but I'm hitting a snag. The VMs are allowing traffic when I wouldn't expect them to. Host and Guest are both running the same platform: Ubuntu 12.04.4 LTS 0.9.8-2ubuntu17.19 I have a basic bridge enabled on the host: brctl addbr brdg brctl addif brdg eth1 ip link set brdg up The host

hello,i got a error message when use virsh attach-interface for a vm: first, list the vm's interface,there's no interface now. virsh # domiflist ubuntum-124 Interface Type Source Model MAC ------------------------------------------------------- then,i did an attach-interface action: virsh # attach-interface ubuntum-124 bridge br0 --persistent Interface attached

The documentation indicates ( via http://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoMAC ) that <mac> rule types should go in the 'root' chain, however one of the example rules ( from http://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=examples/xml/nwfilter/no-mac-broadcast.xml;hb=HEAD ) has the mac address match in the ipv4 chain. Which is the correct chain for these?

Hello All- I've looked in several places and haven't found an answer to this question: is it possible to have libvirt add custom rules to iptables for virtual network interfaces? I took a look at the "Firewall and Network Filtering in Libvirt" page and it seems overly complicated for what I want to do. Given an interface virbr2 and its network 192.168.4.0/24, libvirt installs

On 01/11/2016 3:05 pm, Laine Stump wrote: > On 01/11/2016 02:25 PM, Andre Goree wrote: >> >> I have some questions regarding the way that networking is handled via >> qemu/kvm+libvirt -- my apologies in advance if this is not the proper >> mailing list for such a question. >> >> >> I am trying to determine how exactly I can manipulate traffic from

Hi, i want to disable the nwfilter functionality of libvirt. It's surely nice for some people, nevertheless i don't want libvirt to alter any netfilter rules, neither i want the according functionality even available. I know about nwfilter-undefine, but what i'm looking for is an option to globally disable this functionality at all. Some config flag or similar. How can i achieve

I'm trying to determine if it's possible to edit/attach/apply nwfilter rules at runtime? I.e., after a VM is already running, can I apply a nwfilter to the VM and have it work without rebooting the machine? Thus far, I've not come across a way to do so, but I thought I'd ask here before I chase my tail around Google. Thanks! -- Andre Goree -=-=-=-=-=- Email - andre at

On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote: > On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >> I'm trying to determine if it's possible to edit/attach/apply nwfilter >> rules >> at runtime? I.e., after a VM is already running, can I apply a >> nwfilter to >> the VM and have it work without rebooting the machine? Thus far, I've

I have some questions regarding the way that networking is handled via qemu/kvm+libvirt -- my apologies in advance if this is not the proper mailing list for such a question. I am trying to determine how exactly I can manipulate traffic from a _guest's_ NIC using iptables on the _host_. On the host, there is a bridged virtual NIC that corresponds to the guest's NIC. That interface

On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote: > On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >> I'm trying to determine if it's possible to edit/attach/apply nwfilter >> rules >> at runtime? I.e., after a VM is already running, can I apply a >> nwfilter to >> the VM and have it work without rebooting the machine? Thus far, I've

Hi @all, I'm having trouble to realize my use case and hope somebody could help me. # Use case For a home lab I want to deploy several guest domains. These domains must not have a direct or NAT connection to the internet or my LAN. They should only be able to reach my LAN and the internet through a proxy. # What I've done I've created the following virtual switch in isolated

Let's say I have some iptables rules defined to restrict guest traffic. If I restart the hosts firewall 'service iptables restart', all the guest-specific rules get blown away. Is there a way to reapply all the guest firewall rules, without restarting each individual guest? It looks like if I edit a nwfilter with `virsh nwfilter-edit` it goes and reapplies the rules to all the

I'm trying to apply a nwfilter rule for two networks on the same guest interface, like so: ~ # virsh nwfilter-dumpxml 1081532-private-both <filter name='1081532-private-both' chain='root'> <uuid>16004b94-2b62-4568-9467-169908eb4040</uuid> <rule action='accept' direction='in' priority='500'> <ip