<div dir="ltr"> <div class="gmail_extra"> <div class="gmail_quote">2013/9/2 Jiaan Zeng <<a href="mailto:l.allen09@gmail.com" target="_blank">l.allen09@gmail.com</a>> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> Hi All, I am new to libvirt and encounter a strange problem to set up network filter in a NAT network. I launched VMs in a single host using NAT, i.e. interface type='network'. Now I want to control the outbound traffic from VM instance - only allow the VM to asses a set of ip addresses. My network filter xml is as follows. The problem is once I change the VM xml, shutdown and start VM, VM cannot get ip address. /var/log/libvirt/libvirt.log shows " error : virNetDevGetIndex:656 : Unable to get index for interface vnet2: No such device" error. But when I remove the drop rule in the filter xml, VM can get IP address. I even tried the clean-traffic filter shipped with libvirt. VM throws the same error above. Any idea why this happens? How can I implement outbound traffic control in libvirt? Thanks a lot. <filter name='filter-test'> <rule action='accept' direction='in' priority='500'> <tcp dstportstart='22'/> </rule> <rule action='accept' direction='out' priority='500'> <ip dstipaddr='IP1'/> </rule> <rule action='accept' direction='out' priority='500'> <ip dstipaddr='IP2'/> </rule> <rule action='drop' direction='out' priority='500'> <all/> </rule> </filter> The VM network section XML looks like this <interface type='network'> <mac address='52:54:00:0d:f1:ce'/> <source network='default'/> <filterref filter='filter-test'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> </interface> </blockquote><div>hello,perhaps this blog post will help you :-).</div></div></div></div>