[libvirt-users] libvirt nwfilter

Laine Stump laine at laine.org
Fri May 1 20:31:18 UTC 2015

On 05/01/2015 04:13 PM, drift at ruggedinbox.com wrote:
> To take advantage of the filters, is it as simple as adding these
> couple of lines in a guest's xml file like the example from
> https://libvirt.org/formatnwfilter.html#nwfconcepts ?
> <devices>
>     <interface type='bridge'>
>       <mac address='00:16:3e:5d:c7:9e'/>
>       <filterref filter='clean-traffic'>
>         <parameter name='IP' value=''/>
>       </filterref>
>     </interface>
>   </devices>

Yes. Alternately, you can replace the <parameter> line above with:

     <parameter name='CTRL_IP_LEARNING' value='dhcp'/>

and if the guest is using dhcp to get an IP address, libvirt will notice
that and automatically use whatever IP address is assigned.

> Can multiple filters be combined together like this?
> <filterref filter='clean-traffic' filter='no-ip-multicast'>
>    <parameter name='IP' value=''/>
> </filterref>

No. To use multiple filters, you need to define your own nwfilter rule
that references multiple rules, then reference that single new rule from
the <interface> config.

This is a really good reference for nwfilter:


> Can the IP address parameter override the one in
> /etc/network/interfaces on the guest?

nwfilter just filters traffic with the given IP address. It doesn't tell
the guest what address to try and use, just sets up filters based on the
IP address you tell it (and in the case of the clean-traffic rule, it
prevents the guest from using any other IP address).

> When cloning a vm does it change the ip to avoid conflicts like it
> would with mac-addresses?

No. A management application on the host doesn't necessarily even know
the IP address that will be configured in the guest. Of course if the
guests are using dhcp, and you set the CTRL_IP_LEARNING parameter
instead of a fixed IP address, then you've achieved what you wanted.
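
As an added example (not part of the original message), this is what the answer about combining filters looks like as configuration: a custom filter that references both stock filters, and the guest interface referencing only that single filter. The filter name `clean-traffic-no-mcast`, the file name in the comment and the bridge name `br0` are assumptions.

```xml
<!-- File 1 (hypothetical name: clean-traffic-no-mcast.xml).
     Load it on the host with: virsh nwfilter-define clean-traffic-no-mcast.xml
     It only references the two stock filters and adds no rules of its own. -->
<filter name='clean-traffic-no-mcast' chain='root'>
  <filterref filter='clean-traffic'/>
  <filterref filter='no-ip-multicast'/>
</filter>

<!-- File 2: the interface in the guest's domain XML.
     A single <filterref> names the combined filter; the parameter given here
     is passed down to the filters it references. -->
<interface type='bridge'>
  <mac address='00:16:3e:5d:c7:9e'/>
  <source bridge='br0'/>  <!-- assumed bridge name -->
  <filterref filter='clean-traffic-no-mcast'>
    <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
  </filterref>
</interface>
```

`virsh nwfilter-list` shows whether the new filter is defined, and `virsh nwfilter-dumpxml clean-traffic-no-mcast` prints it back as libvirt stored it.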
