Hello,
I'm recently stumbled over the libvirt network filter capabilities and
got pretty excited. Unfortunately I'm not able to get the the
"clean-traffic" filterset working. I'm using a freshly installed Debian
Stretch with libvirt, qemu and KVM.
My config snippet looks as follows:
sudo virsh edit <VM>
[...]
<interface type='bridge'>
<mac address='52:54:00:0c:14:07'/>
<source bridge='br0'/>
<model type='virtio'/>
<filterref filter='clean-traffic'>
<parameter name='IP' value='10.10.1.2'/>
</filterref>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03'
function='0x0'/>
</interface>
<interface type='bridge'>
<mac address='52:54:00:0c:24:17'/>
<source bridge='br1'/>
<model type='virtio'/>
<filterref filter='clean-traffic'>
<parameter name='IP' value='172.16.1.2'/>
</filterref>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03'
function='0x0'/>
</interface>
[...]
I restarted the VM from within the VM, did a "virsh reboot <VM>",
restarted libvirtd and even did a reboot of the host - just to be sure.
Unfortunately neither "iptables -L" nor "ebtables --list" show any
entries added by libvirt. Also omitting the "parameter name='IP'" part
didn't change anything.
There are no error messages in /var/log/syslog nor in
/var/log/libvirt/qemu/<VM>
My main references were:
https://libvirt.org/firewall.html
https://libvirt.org/formatnwfilter.html
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering
https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/
Any help really would be much appreciated!
Thanks a lot!
Sam
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
