[libvirt-users] how to setup network filter

Jiaan Zeng l.allen09 at gmail.com
Mon Sep 2 02:34:57 UTC 2013


Hi All,

I am new to libvirt and encountered a strange problem setting up a network
filter in a NAT network.

I launched VMs in a single host using NAT, i.e. interface
type='network'. Now I want to control the outbound traffic from the VM
instance - only allow the VM to access a set of IP addresses. My
network filter XML is as follows. The problem is that once I change the VM
XML, shut down and start the VM, the VM cannot get an IP address.
/var/log/libvirt/libvirt.log shows the error "error : virNetDevGetIndex:656 :
Unable to get index for interface vnet2: No such device".

But when I remove the drop rule in the filter XML, the VM can get an IP
address. I even tried the clean-traffic filter shipped with libvirt.
The VM throws the same error as above.

Any idea why this happens? How can I implement outbound traffic
control in libvirt? Thanks a lot.

<filter name='filter-test'>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='IP1'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='IP2'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <all/>
  </rule>
</filter>

The VM network section XML looks like this

<interface type='network'>
  <mac address='52:54:00:0d:f1:ce'/>
  <source network='default'/>
  <filterref filter='filter-test'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>


-- 
Regards,
Jiaan
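As an added example (not part of the original post or of libvirt's shipped filters), an outbound allow-list filter for this kind of NAT setup. It keeps the accept rules and the final drop in the same iptables layer (`<all dstipaddr=.../>` rather than `<ip dstipaddr=.../>`, which libvirt implements in ebtables, where an accept does not stop a later iptables drop), and it lets the DHCP exchange and ARP through so the guest can still obtain an address. The 192.0.2.x destinations are constructed placeholders; 192.168.122.1 is the gateway of libvirt's default NAT network.

```xml
<!-- Added example, not from the original post. 192.0.2.10 and 192.0.2.20 are
     constructed placeholder destinations; replace them with the real hosts. -->
<filter name='outbound-allowlist'>
  <!-- ARP in both directions so the guest can resolve its gateway's MAC. -->
  <rule action='accept' direction='inout' priority='100'>
    <arp/>
  </rule>
  <!-- DHCP: the client broadcasts from 0.0.0.0:68 to 255.255.255.255:67 and
       the server answers from port 67 to port 68. A drop-all outbound rule
       without this exception discards the DISCOVER/REQUEST packets. -->
  <rule action='accept' direction='out' priority='110'>
    <udp srcipaddr='0.0.0.0' dstipaddr='255.255.255.255'
         srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='110'>
    <udp srcportstart='67' dstportstart='68'/>
  </rule>
  <!-- DNS to the host's dnsmasq on the default NAT network (adjust if the
       network uses a different gateway address). -->
  <rule action='accept' direction='out' priority='200'>
    <udp dstipaddr='192.168.122.1' dstportstart='53'/>
  </rule>
  <rule action='accept' direction='out' priority='200'>
    <tcp dstipaddr='192.168.122.1' dstportstart='53'/>
  </rule>
  <!-- The permitted destinations, expressed with the iptables-level 'all'
       protocol so they sit in the same table as the drop rule below. -->
  <rule action='accept' direction='out' priority='300'>
    <all dstipaddr='192.0.2.10'/>
  </rule>
  <rule action='accept' direction='out' priority='300'>
    <all dstipaddr='192.0.2.20'/>
  </rule>
  <!-- Everything else leaving the guest is dropped. Lower priority values are
       evaluated first, so the large value here keeps these rules last. -->
  <rule action='drop' direction='out' priority='1000'>
    <all/>
  </rule>
  <rule action='drop' direction='out' priority='1000'>
    <all-ipv6/>
  </rule>
</filter>
```

Replies to connections the guest opens are matched by libvirt's default connection-state handling, so no separate inbound accept is needed for them; load the filter with `virsh nwfilter-define` and reference it from the interface's `<filterref>`.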
