Re: Passing multiple addresses with masks to nwfilter

Looking at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering#sect-Applying_network_filtering-Usage_of_variables_in_filters, it sounds like the preferred approach is to use something like:

<filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'>
  <!-- accept only traffic whose source falls inside one of the listed prefixes -->
  <rule action='accept' direction='out' priority='500'>
    <ipv6 srcipaddr='$IPV6[@1]' srcipmask='$IPV6_MASK[@1]'/>
  </rule>
  <!-- drop everything else -->
  <rule action='drop' direction='out' priority='1000'/>
</filter>


The documentation reads:

Assign concrete values to SRCIPADDRESSES and DSTPORTS as shown:

SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
DSTPORTS = [ 80, 8080 ]

But I'm not sure how to pass through an array of <parameter>s in the filterref. Is this possible?



On Wed, Jan 1, 2020 at 12:39 PM Brooks Swinnerton <bswinnerton@xxxxxxxxx> wrote:
Hello,

I have a nwfilter that I'm using to ensure that libvirt domains can't spoof IPv6 traffic. It looks like this:

<filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'>
  <!-- accept only traffic sourced from $IPV6/$IPV6_MASK -->
  <rule action='accept' direction='out' priority='500'>
    <ipv6 srcipaddr='$IPV6' srcipmask='$IPV6_MASK'/>
  </rule>
  <!-- drop everything else -->
  <rule action='drop' direction='out' priority='1000'/>
</filter>


The goal is to allow any traffic coming from the entire prefix (e.g. 2001:db8::/32). This theoretically would work fine when passing in the variables from the domain definition like so:

<filterref filter='no-ipv6-spoofing'>
  <parameter name='IPV6' value='2001:db8:1:6:dc:d2ff:fef2:2181'/>
  <parameter name='IPV6_MASK' value='32'/>
</filterref>


But the problem comes when wanting to allow multiple prefixes (and thus multiple $IPV6 and $IPV6_MASK variables). If there is more than one definition of $IPV6, how could I associate it with a corresponding $IPV6_MASK?

Ideally I would be able to pass an address in CIDR notation directly to srcipaddr, but I don't believe that's an option.

Any guidance would be appreciated. The ultimate goal is to automate this process, so having something like $IPV6_1 and $IPV6_1 would be less than ideal.
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
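As an added example (not code from this thread or from libvirt), the script below generates the two pieces the question is about: the nwfilter that indexes `$IPV6[@1]` and `$IPV6_MASK[@1]` with a shared iterator, and a `<filterref>` that passes a list of prefixes to it. It assumes libvirt's documented list semantics, namely that repeating a `<parameter>` with the same name builds a list and that two variables indexed with the same iterator are stepped together element-wise, so the n-th `IPV6` is paired with the n-th `IPV6_MASK`. The filter name comes from the thread; the helper functions and the sample prefixes are mine and only use the documentation range 2001:db8::/32.

```python
"""Build a libvirt nwfilter and a matching <filterref> for a list of IPv6 prefixes.

Added example, not part of the libvirt-users thread. Assumes libvirt's documented
behaviour: repeated <parameter name='X'> elements form a list, and $X[@1] / $Y[@1]
(same iterator) are evaluated pairwise rather than as a cross product.
"""
import ipaddress
import xml.etree.ElementTree as ET

FILTER_NAME = "no-ipv6-spoofing"  # name used in the thread


def split_prefixes(cidrs):
    """Turn CIDR strings into (network_address, prefixlen) pairs.

    strict=False accepts a host address inside the prefix (as in the original
    domain XML) and normalises it to the network address; anything that is not
    a valid IPv6 network raises ValueError instead of silently producing a rule.
    """
    pairs = []
    for cidr in cidrs:
        net = ipaddress.IPv6Network(cidr, strict=False)
        pairs.append((str(net.network_address), net.prefixlen))
    return pairs


def build_filter():
    """The filter: accept sources inside any listed prefix, drop everything else."""
    flt = ET.Element("filter", name=FILTER_NAME, chain="ipv6-ip", priority="-710")
    accept = ET.SubElement(flt, "rule", action="accept", direction="out", priority="500")
    # shared iterator [@1]: element n of IPV6 is paired with element n of IPV6_MASK
    ET.SubElement(accept, "ipv6", srcipaddr="$IPV6[@1]", srcipmask="$IPV6_MASK[@1]")
    ET.SubElement(flt, "rule", action="drop", direction="out", priority="1000")
    return ET.tostring(flt, encoding="unicode")


def build_filterref(cidrs):
    """<filterref> for a domain <interface>: one IPV6 and one IPV6_MASK entry per prefix.

    Emitting the parameters in matching order is what keeps the two lists aligned.
    """
    ref = ET.Element("filterref", filter=FILTER_NAME)
    for addr, plen in split_prefixes(cidrs):
        ET.SubElement(ref, "parameter", name="IPV6", value=addr)
        ET.SubElement(ref, "parameter", name="IPV6_MASK", value=str(plen))
    return ET.tostring(ref, encoding="unicode")


def paired_values(filterref_xml):
    """Read a <filterref> back and return the (IPV6, IPV6_MASK) pairs in list order.

    Useful as a sanity check before defining the domain: mismatched list lengths
    would mean some prefix is matched against the wrong mask.
    """
    root = ET.fromstring(filterref_xml)
    addrs = [p.get("value") for p in root.findall("parameter[@name='IPV6']")]
    masks = [p.get("value") for p in root.findall("parameter[@name='IPV6_MASK']")]
    if len(addrs) != len(masks):
        raise ValueError("IPV6 and IPV6_MASK lists must have the same length")
    return list(zip(addrs, masks))


if __name__ == "__main__":
    # constructed sample input: two prefixes from the documentation range
    sample = ["2001:db8::/32", "2001:db8:1::/48"]
    print(build_filter())
    print(build_filterref(sample))
    print(paired_values(build_filterref(sample)))
```

The generated `<filterref>` goes inside the domain's `<interface>` element and the filter XML is loaded with `virsh nwfilter-define`; feeding the script the same CIDR list that provisions the guest keeps the address/mask pairs aligned without hand-numbered variables.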
