Nakta wrote:
> libvirt's nwfilter module can achieve that.

I read over those resources and I did what I thought would be correct, but it's not having any effect. I created a new nwfilter like this:

<filter name='allow-virbr2-vpn' chain='ipv4' priority='-700'>
  <rule action='accept' direction='in' priority='500'>
    <all state='ESTABLISHED'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip dstipaddr='192.168.8.0' dstipmask='24'/>
  </rule>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='192.168.8.0' srcipmask='24'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>

I then associated that filter with the Interface device on the VM server within KVM... and shut down/restarted that VM.

<interface type='network'>
  <mac address='XX:XX:XX:XX:XX:XX'/>
  <source network='locservers'/>
  <model type='virtio'/>
  <filterref filter='allow-virbr2-vpn'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

After this, nothing happens. I did 'ebtables --list', and the new rules aren't there. I also did the same with iptables as well as firewalld itself. The new rules are nowhere to be found.

What did I do incorrectly here?

Thanks!

-JK

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
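
The following is an added example, not part of the original post and not libvirt project code. It parses the posted filter and an abridged copy of the posted interface XML, confirms that the filterref names the filter, and groups each rule by the backend in which libvirt's nwfilter documentation says that protocol type is instantiated, in priority order, so the ebtables and iptables listings can be compared against what the filter should produce. The function names and the backend mapping table are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Sample input: the filter and (abridged) interface XML from the post above.
FILTER_XML = """<filter name='allow-virbr2-vpn' chain='ipv4' priority='-700'>
  <rule action='accept' direction='in' priority='500'><all state='ESTABLISHED'/></rule>
  <rule action='accept' direction='out' priority='500'><all state='ESTABLISHED,RELATED'/></rule>
  <rule action='accept' direction='in' priority='100'><ip dstipaddr='192.168.8.0' dstipmask='24'/></rule>
  <rule action='accept' direction='out' priority='100'><ip srcipaddr='192.168.8.0' srcipmask='24'/></rule>
  <rule action='drop' direction='inout' priority='500'><all/></rule>
</filter>"""
IFACE_XML = """<interface type='network'>
  <source network='locservers'/>
  <filterref filter='allow-virbr2-vpn'/>
</interface>"""

# Protocol elements that libvirt's nwfilter documentation lists as layer-2
# (ebtables) matches; the remaining ones (tcp, udp, icmp, all, ...) are
# instantiated through iptables, or ip6tables for the *-ipv6 variants.
L2_PROTOCOLS = {"mac", "vlan", "stp", "arp", "rarp", "ip", "ipv6"}

def backend_for(proto):
    if proto in L2_PROTOCOLS:
        return "ebtables"
    return "ip6tables" if proto.endswith("-ipv6") else "iptables"

def rule_plan(filter_xml):
    """Return (filter name, {backend: [(priority, direction, action, proto)]})."""
    root = ET.fromstring(filter_xml)
    plan = {}
    for rule in root.findall("rule"):
        prio = int(rule.get("priority", "500"))  # libvirt's default rule priority
        for proto in rule:  # each child element is one protocol match
            entry = (prio, rule.get("direction"), rule.get("action"), proto.tag)
            plan.setdefault(backend_for(proto.tag), []).append(entry)
    for rules in plan.values():
        rules.sort(key=lambda r: r[0])  # lower priority value is instantiated first
    return root.get("name"), plan

def filterrefs(iface_xml):
    """Names of all filters referenced by an <interface> definition."""
    return [ref.get("filter") for ref in ET.fromstring(iface_xml).iter("filterref")]

if __name__ == "__main__":
    name, plan = rule_plan(FILTER_XML)
    print("referenced by interface:", name in filterrefs(IFACE_XML))
    for backend, rules in plan.items():
        for rule in rules:
            print(backend, *rule)
```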