Displaying 20 results from an estimated 4000 matches similar to: "Network filters with clean-traffic not working on Debian Stretch"
2018 Dec 29
1
Re: Network filters with clean-traffic not working on Debian Stretch
Dear Yalang,
that did the trick. If I look in the NAT table of the bridge I can see
the generated rules. Probably wouldn't have thought about that ever.
Thanks a lot!
Best
Sam
On 29.12.18 06:51, Yalan Zhang wrote:
> Hi Sam,
>
> You can find the rules with the command below, and the output looks like this:
> # ebtables -t nat --list
> Bridge table: nat
>
> Bridge chain: PREROUTING,
2018 Dec 29
0
Re: Network filters with clean-traffic not working on Debian Stretch
Hi Sam,
You can find the rules with the command below, and the output looks like this:
# ebtables -t nat --list
Bridge table: nat
Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-j OUTPUT_direct
Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
-j POSTROUTING_direct
-o vnet0 -j libvirt-O-vnet0
Bridge
2013 Jul 08
6
Getting nwfilter to work on Debian Wheezy
Hi,
I'm trying to configure nwfilter for KVM, but so far I haven't managed
to figure out a working configuration.
Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is
connected via eth0, part of the external subnet 192.168.17.0/24, and has
an additional subnet 192.168.128.160/28 routed to its main address
192.168.17.125.
The host's subnet is configured as bridge
2010 Jun 30
0
FYI: a short guide to libvirt & network filtering iptables/ebtables use
I just wrote this to assist some Red Hat folks understanding
what libvirt does with iptables, and thought it is useful info
for the whole libvirt community. When I have time I'll adjust
this content so that it can fit into the website in relevant
pages/places.
Firewall / network filtering in libvirt
=======================================
There are three pieces of libvirt
2014 May 28
3
Re: nwfilter usage
On 05/27/2014 02:46 AM, Brian Rak wrote:
> Make sure you have:
>
> /proc/sys/net/bridge/bridge-nf-call-iptables = 1
That doesn't make sense. bridge-nf-call-iptables controls whether or not
traffic going across a Linux host bridge device will be sent through
iptables, but the rules created by nwfilter are applied to the "vnetX"
tap devices that connect the guest to the
2014 Apr 30
3
virsh update-device: need to clear network filters
Hi,
Can anyone please help with the following: I have a running instance with
interface
<interface type='bridge'>
<mac address='fa:16:3e:ba:a4:67'/>
<source bridge='br100'/>
<target dev='vnet0'/>
<model type='virtio'/>
<filterref filter='nova-instance-instance-00000001-fa163ebaa467'/>
2014 Apr 17
2
What's the meaning of sub-element <ip address='X.X.X.X'> in <interface type='bridge'> of domain xml?
Hi guys,
I saw this sub-element in http://libvirt.org/firewall.html, there is some confusion, what's the meaning of sub-element <ip address='X.X.X.X'> in <interface type='bridge'> of domain xml?
The detail <interface> in domain xml as below:
<interface type='bridge'>
<mac address='52:54:00:56:44:32'/>
<source
2013 Oct 16
2
libvirtError: Unable to add bridge br0 port vnet0: Operation not supported
Hi
I am using Libvirt 1.1.2 with Openstack Havana (RC2, nova-network) and
openvswitch 1.4.2+git20120612-9.1. Libvirt vif driver (
nova.virt.libvirt.vif.LibvirtGenericVIFDriver) generates config like this:
<interface type='bridge'>
<mac address='fa:16:3e:44:30:a4'/>
<source bridge='br0'/>
<model type='virtio'/>
2018 Jun 28
4
East-west traffic network filter
Hello,
I would like to make filter that allows communication only between
specified VMs. Those VMs should be specified by their MAC address. The
filter should extend clean-traffic but I was not able to get it working
with that reference. I have come up with modified clean-traffic which works
fine [1]. Is there a way to achieve the same behavior with reference to
clean-traffic?
Thank you.
Best
2018 Jul 02
1
Re: East-west traffic network filter
On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com>
wrote:
> Hi Ales,
>
> I would like to prevent the guests from different subnets start a
> communication. In other words I have the subnet 192.168.1.0/24 and
> 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with
> guests on 192.168.2.0/24 at the same host. Is this possible using a
2014 May 26
2
nwfilter usage
I'm trying to accomplish what I had hoped would be a fairly simple
filtering of traffic to my VMs, but I'm hitting a snag. The VMs are
allowing traffic when I wouldn't expect them to.
Host and Guest are both running the same platform:
Ubuntu 12.04.4 LTS
0.9.8-2ubuntu17.19
I have a basic bridge enabled on the host:
brctl addbr brdg
brctl addif brdg eth1
ip link set brdg up
The host
2020 Apr 17
2
CentOS 8 and nftables default policy
Hi list,
I'm studying nftables. I'm using CentOS 8.1 (Gnome) and I disabled
firewalld. I noticed that a default policy is created with tables and
chains probably for firewalld.
So I created a .nft script where I stored my rules with a flush for
previous ruleset, then saved on /etc/sysconfig/nftables.conf and the
enabled nftables service.
Running the script with nft -f script.nft all
2015 Apr 26
3
How does the libvirt deal with the vnet mac address
How does the libvirt deal with the vnet mac address?
Greetings,
if I establish a network for the VM (hypervisor is KVM) using bridge in the virt-manager, a vnet0 device is created. There are some relationships about mac address between the vnet0 device in the hypervisor and the ethX device in the VM, for example:
the mac address of vnet0 is FE:54:00:84:E3:62
the mac address of ethX in the VM
2020 Apr 18
1
CentOS 8 and nftables default policy
I had the same problem.
If you are not using virtual machines then
# systemctl disable libvirtd
works and is easily reversible.
Alan
On 18/04/2020 23:03, Alessandro Baggi wrote:
> On 17/04/20 11:01, Alessandro Baggi wrote:
>> Hi list,
>>
>> I'm studying nftables. I'm using CentOS 8.1 (Gnome) and I disabled
>> firewalld. I noticed that a default
2012 Mar 11
3
NFS4 over tinc hangs
Hello,
I am experiencing system hangs when running NFSv4 over a tinc VPN. I
don't know if the problem is with NFS or tinc and would appreciate any
suggestions on how to narrow down the culprit. Unfortunately I cannot
simply run NFS directly over TCP -- the participating systems are
connected only over an open network.
The configuration is as follows: I have a master server
2015 Apr 27
2
Re: How does the libvirt deal with the vnet mac address
On 04/27/2015 04:59 AM, Daniel P. Berrange wrote:
> On Sun, Apr 26, 2015 at 10:51:34AM +0800, wh.h@foxmail.com wrote:
>> How does the libvirt deal with the vnet mac address?
>>
>> Greetings,
>> if I establish a network for the VM (hypervisor is KVM) using bridge in
>> the virt-manager, a vnet0 device is created. There are some relationships
>> about mac
2014 Aug 11
1
IP/MAC antispoof-protection
Hi all.
What is the right way to protect ip/mac spoofing for guests without dhcp and
other 1 ip per guest?
2020 Jan 01
2
Passing multiple addresses with masks to nwfilter
Hello,
I have a nwfilter that I'm using to ensure that libvirt domains can't spoof
IPv6 traffic. It looks like this:
<filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'>
<rule action='return' direction='out' priority='500'>
<ipv6 srcipaddr='$IPV6' srcipmask='$IPV6MASK'/>
</rule>
2013 Nov 19
2
macvtap direct and ip spoofing
Hi there. I have configured kvm domain (rhel6.4) with ethernet bridged over
macvtap, and found no filtration applied except mac. 'virsh' just silently
ignoring attributes 'filterref' and 'ip address' in different formats. No
error on validate stage. Config examples:
...
<interface type='direct'>
<mac address='52:54:00:31:ae:1a'/>
2007 Aug 06
3
how do I use shorewall to protect server from ARP spoofing attack ?
My firewall is using shorewall 3.0.x and CentOS
Recently, I found that firewall is attaching from ARP spoofing..
There are a lot of "out of socket memory" in messages log