[libvirt-users] how to setup network filter

Gao Yongwei itxx00 at gmail.com
Tue Sep 10 15:15:23 UTC 2013


2013/9/2 Jiaan Zeng <l.allen09 at gmail.com>

> Hi All,
>
> I am new to libvirt and encounter a strange problem to set up network
> filter in a NAT network.
>
> I launched VMs in a single host using NAT, i.e. interface
> type='network'. Now I want to control the outbound traffic from VM
> instance - only allow the VM to access a set of ip addresses. My
> network filter xml is as follows. The problem is once I change the VM
> xml, shutdown and start VM, VM cannot get ip address.
> /var/log/libvirt/libvirt.log shows " error : virNetDevGetIndex:656 :
> Unable to get index for interface vnet2: No such device" error.
>
> But when I remove the drop rule in the filter xml, VM can get IP
> address. I even tried the clean-traffic filter shipped with libvirt.
> VM throws the same error above.
>
> Any idea why this happens? How can I implement outbound traffic
> control in libvirt? Thanks a lot.
>
> <filter name='filter-test'>
>   <rule action='accept' direction='in' priority='500'>
>     <tcp dstportstart='22'/>
>   </rule>
>   <rule action='accept' direction='out' priority='500'>
>     <ip dstipaddr='IP1'/>
>   </rule>
>   <rule action='accept' direction='out' priority='500'>
>     <ip dstipaddr='IP2'/>
>   </rule>
>   <rule action='drop' direction='out' priority='500'>
>     <all/>
>   </rule>
> </filter>
>
> The VM network section XML looks like this
>
> <interface type='network'>
>   <mac address='52:54:00:0d:f1:ce'/>
>   <source network='default'/>
>   <filterref filter='filter-test'/>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
> </interface>
>
hello, perhaps this blog post will help you :-).
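The filter quoted in the question ends with an outbound `<all/>` drop at the same priority (500) as its accept rules, and nothing in it lets the guest's DHCP request (UDP from port 68 to port 67) out, so the guest never obtains an address once the drop rule is present. The lint below is an added example written for this thread, not code from libvirt or from either poster. It parses an nwfilter definition and flags an outbound catch-all drop that is not preceded by an accept for UDP/67, and it also reports address attributes that are not real IPs (such as the `IP1`/`IP2` placeholders). It assumes libvirt's documented semantics that rules with a lower `priority` value are evaluated first (default 500) and that `<all/>` matches all IPv4 traffic; the corrected filter it carries uses constructed documentation-range addresses (192.0.2.x) in place of the placeholders.

```python
"""Lint a libvirt nwfilter definition for an outbound catch-all drop that
would also discard the guest's DHCP requests (UDP 68 -> 67).

Added example for the libvirt-users thread, not libvirt project code.
Assumptions: lower 'priority' values are evaluated first (default 500),
'<all/>' matches every IPv4 packet, and a DHCP request is an outbound UDP
datagram to port 67."""

import ipaddress
import xml.etree.ElementTree as ET

DEFAULT_PRIORITY = 500       # libvirt's default when the attribute is omitted
OUTBOUND = {"out", "inout"}  # directions that cover traffic leaving the guest


def _rules(xml_text):
    """Yield (action, direction, priority, [protocol elements]) per <rule>."""
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        yield (rule.get("action"), rule.get("direction"),
               int(rule.get("priority", DEFAULT_PRIORITY)), list(rule))


def _is_catch_all(protos):
    """True when a rule matches all IPv4 traffic: <all/> or an <ip/> with no selectors."""
    return any(p.tag == "all" or (p.tag == "ip" and not p.attrib) for p in protos)


def _allows_dhcp_request(protos):
    """True when the rule explicitly accepts UDP datagrams to port 67."""
    for p in protos:
        if p.tag == "udp" and p.get("dstportstart") == "67":
            return True
        if p.tag == "ip" and p.get("protocol") == "udp" and p.get("dstportstart") == "67":
            return True
    return False


def check_filter(xml_text):
    """Return a list of findings; an empty list means nothing was detected."""
    findings = []
    rules = list(_rules(xml_text))

    # Placeholder or malformed addresses make libvirt reject the filter outright.
    for _action, _direction, _prio, protos in rules:
        for p in protos:
            for attr in ("srcipaddr", "dstipaddr"):
                value = p.get(attr)
                if value is None:
                    continue
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    findings.append(f"{attr}='{value}' is not a valid IP address")

    # An outbound catch-all drop needs an earlier (lower-numbered) DHCP accept.
    for action, direction, prio, protos in rules:
        if action != "drop" or direction not in OUTBOUND or not _is_catch_all(protos):
            continue
        dhcp_ok = any(a == "accept" and d in OUTBOUND and pr < prio
                      and _allows_dhcp_request(pp) for a, d, pr, pp in rules)
        if not dhcp_ok:
            findings.append(
                f"outbound catch-all drop at priority {prio} has no earlier accept "
                "for UDP/67: the guest's DHCP requests are discarded, so it gets no address")
    return findings


# Constructed copy of the filter from the question, placeholders included.
ORIGINAL_FILTER = """\
<filter name='filter-test'>
  <rule action='accept' direction='in' priority='500'><tcp dstportstart='22'/></rule>
  <rule action='accept' direction='out' priority='500'><ip dstipaddr='IP1'/></rule>
  <rule action='accept' direction='out' priority='500'><ip dstipaddr='IP2'/></rule>
  <rule action='drop' direction='out' priority='500'><all/></rule>
</filter>
"""

# Constructed corrected version: DHCP requests are accepted before the
# catch-all drop, which is moved to the lowest priority (evaluated last).
FIXED_FILTER = """\
<filter name='filter-test'>
  <rule action='accept' direction='out' priority='100'><udp srcportstart='68' dstportstart='67'/></rule>
  <rule action='accept' direction='in' priority='500'><tcp dstportstart='22'/></rule>
  <rule action='accept' direction='out' priority='500'><ip dstipaddr='192.0.2.10'/></rule>
  <rule action='accept' direction='out' priority='500'><ip dstipaddr='192.0.2.20'/></rule>
  <rule action='drop' direction='out' priority='1000'><all/></rule>
</filter>
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_FILTER), ("fixed", FIXED_FILTER)):
        print(name, check_filter(text) or "no findings")
```

Run against the original filter it reports the two placeholder addresses and the missing DHCP accept; the corrected filter produces no findings. Instead of the explicit UDP rule, the shipped `allow-dhcp` filter can be pulled in with `<filterref filter='allow-dhcp'/>`; the point either way is that the allow must be evaluated before the catch-all drop, which is why the drop is given the largest priority number.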