similar to: Problems getting nwfilter to work

Nakta wrote: > libvirts nwfilter module can achieve that. I read over those resources and I did what I thought would be correct, but it's not having any effect. I created a new nwfilter like this: <filter name='allow-virbr2-vpn' chain='ipv4' priority='-700'> <rule action='accept' direction='in' priority='500'> <all

I'm trying to apply a nwfilter rule for two networks on the same guest interface, like so: ~ # virsh nwfilter-dumpxml 1081532-private-both <filter name='1081532-private-both' chain='root'> <uuid>16004b94-2b62-4568-9467-169908eb4040</uuid> <rule action='accept' direction='in' priority='500'> <ip

Hi, I contact you as i have difficulties to use nwfilter with KVM host. I want to implemente flow filtering between my Linux guests. I created the following filter : cat admin-dmz-internet.xml <filter name='admin-dmz-internet'> <!-- this zone is an SSH ingoing only zone --> <!-- but SSH can go to an other SSH proxy --> <filterref

Looking at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering#sect-Applying_network_filtering-Usage_of_variables_in_filters, it sounds like the preferred approach is to use something like: <filter name='no-ipv6-spoofing' chain='ipv6-ip'

Hi, Libvirt's nwfilter ships a number of useful filter scripts by default, but none to handle IPv6 traffic. Is there a particular reason for that, or is that just because nobody has got around to that yet? One interesting thing about dealing with IPv6 traffic is that hosts often have several auto-configured addresses, usually at least one auto-configured link- local address under

Hello, I have a nwfilter that I'm using to ensure that libvirt domains can't spoof IPv6 traffic. It looks like this: <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'> <rule action='return' direction='out' priority='500'> <ipv6 srcipaddr='$IPV6' srcipmask='$IPV6MASK'/> </rule>

On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com> wrote: > Hi Ales, > > I would like to prevent the guests from different subnets start a > communication. In other words I have the subnet 192.168.1.0/24 and > 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with > guests on 192.168.2.0/24 at the same host. Is this possible using a

Hi All, I have two kvm guests running with a bridged configuration bound separately to br0 and br1 on my Fedora 15 host. I'm attempting to create some nwfilter rules on br1 and am running into a bunch of problems that have me scratching my head. libvirt version: 0.8.8-7 What I've noticed on the second host is as follows: - Most all nwfilter rules that I create for the host on br1

I have the need to modify the behavior of the virtual network driver's behavior and how it deals with routed networks. I'm running libvirt-0.8.3-2.fc14. According to http://libvirt.org/firewall.html, the following is automatically added to the FORWARD chain of iptables when a network type of "routed" is started up: "Allow inbound, but only to our expected subnet.

i test the following simple filter <filter name='nwfilter-test-fedora2' chain='root'> <uuid>ccbd255f-4be5-4f0f-8835-770ea40cb2c9</uuid> <rule action='accept' direction='out' priority='500'> <tcp dstipaddr='10.1.24.0' dstipmask='24' comment='test test test'/> </rule> </filter> but i

Hi, I'm trying to configure nwfilter for KVM, but so far I haven't managed to figure out a working configuration. Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is connected via eth0, part of the external subnet 192.168.17.0/24, and has an additional subnet 192.168.128.160/28 routed to its main address 192.168.17.125. The host's subnet is configured as bridge

On 5/28/2014 10:10 AM, Laine Stump wrote: > On 05/27/2014 02:46 AM, Brian Rak wrote: >> Make sure you have: >> >> /proc/sys/net/bridge/bridge-nf-call-iptables = 1 > That doesn't make sense. bridge-nf-call-iptables controls whether or not > traffic going across a Linux host bridge device will be sent through > iptables, but the rules created by nwfilter are applied

Hi, I met a problem when using bridge with netfilter. The kernel version 2.4.20, and the patch is bridge-nf-0.0.10-against-2.4.20.diff. Our firewall configuration is as follows, eth3,eth4,eth5,eth6 configured as a bridge with an IP address 10.0.0.1. The local net connect to the internet via the gateway 10.0.0.1 and SNAT is applied on the firewall. It worked but sometimes there are some

On 03/30/2018 04:29 PM, Andre Goree wrote: > On 2018/02/16 12:12 pm, Daniel P. Berrang? wrote: >> On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >>> I'm trying to determine if it's possible to edit/attach/apply >>> nwfilter rules >>> at runtime?? I.e., after a VM is already running, can I apply a >>> nwfilter to >>> the VM

[Please keep the list CC-ed as it may help somebody from future when searching for solution to the same problem] On 5/6/19 6:08 PM, nakata@geekpit.org wrote: > Am 2019-05-06 16:26, schrieb Michal Privoznik: >> On 5/6/19 3:44 PM, nakata@geekpit.org wrote: >>> Hi, >>> >>> i want to disable the nwfilter functionality of libvirt. >>> It's surely nice

On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote: > On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >> I'm trying to determine if it's possible to edit/attach/apply nwfilter >> rules >> at runtime? I.e., after a VM is already running, can I apply a >> nwfilter to >> the VM and have it work without rebooting the machine? Thus far, I've

On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote: > On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: >> I'm trying to determine if it's possible to edit/attach/apply nwfilter >> rules >> at runtime? I.e., after a VM is already running, can I apply a >> nwfilter to >> the VM and have it work without rebooting the machine? Thus far, I've

On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote: > I'm trying to determine if it's possible to edit/attach/apply nwfilter rules > at runtime? I.e., after a VM is already running, can I apply a nwfilter to > the VM and have it work without rebooting the machine? Thus far, I've not > come across a way to do so, but I thought I'd ask here before I chase my

On 05/27/2014 02:46 AM, Brian Rak wrote: > Make sure you have: > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1 That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the

On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote: > Hi, > > I am running a webserver on the libvirt host and would like to add a > nwfilter such that a VM can access that server. The corresponding iptables > rule would look like this: > > iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1 > --protocol tcp --dport 80