[libvirt-users] nwfilter and address of network ip address

Dan srwx4096 at gmail.com
Sun May 7 00:09:49 UTC 2017


On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock at gmail.com> wrote:

> Hi,
>
> I am running a webserver on the libvirt host and would like to add a
> nwfilter such that a VM can access that server. The corresponding iptables
> rule would look like this:
>
> iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1
> --protocol tcp --dport 80 --jump ACCEPT
>
> where the network is using virbr0 and sits at 192.168.122.1. I don't want
> to hardcode the host IP address in the nwfilter so that I can use that
> filter for other networks. Is it possible to reference the host's IP
> address in the filter?
>
> Thanks!
>
> Nick
>
Hi Nick,

I used to have a similar question too. Not sure if this could be helpful for you.
Probably just use arp or arpscan. But to be more specific, if the domain name of the
client (assuming you want to confine the HTTP service to only a selected few clients,
e.g., 192.168.122.1 in your case) is known, you probably could do

$ virsh domiflist DOMAIN

In particular, to get the IP address of a domain, it is something like the following:

$ for MAC in $(virsh domiflist <DOMAIN> | grep -o -E "([0-9a-f]{2}:){5}[0-9a-f]{2}"); do
      # -n keeps arp output numeric, so the IP regex below matches the first column
      arp -e -n | grep "$MAC" | grep -o -P "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
  done

Alternatively, if the NETWORK name is known, the IP addr can be obtained directly with

$ virsh net-dhcp-leases NETWORK

Another way to get the IP addr, if the qemu guest agent is installed on the client:

$ virsh domifaddr DOMAIN

So that you can pass the IP to the XML, and somehow you can trigger the update of the
NWFILTER with some magic, quite a hack.

Or, you could just use the client's MAC addr to define the filter:
https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoMAC

But I don't think there is a direct way to specify a client's domain name in the
NWFILTER XML definition as of now.

P.S. I am new to libvirt, so everything above could be wrong.

Dan
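An added example of the "pass the IP to the XML" approach from the reply above (my own script, not code from either poster or from libvirt): it reads the host-side address that libvirt records as <ip address='...'> in the network's own XML (virsh net-dumpxml), then renders an nwfilter that lets a guest reach TCP/80 on that address, so nothing is hardcoded per network. The filter name, the --sample switch and the sample XML are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build an nwfilter allowing guest -> host
# TCP/80 for whatever libvirt network is named, taking the host IP from the
# network XML instead of hardcoding it.

# Extract the IPv4 host address from network XML read on stdin.
host_ip_from_net_xml() {
    grep -o "<ip address='[0-9.]*'" | head -n 1 | cut -d"'" -f2
}

# Render an nwfilter (ipv4 chain) that accepts only guest -> host TCP/$3.
# direction='out' is traffic leaving the VM; nothing else is touched.
render_filter() {
    name=$1; hostip=$2; port=${3:-80}
    printf "<filter name='%s' chain='ipv4'>\n" "$name"
    printf "  <!-- guest -> web server on the libvirt host -->\n"
    printf "  <rule action='accept' direction='out' priority='500'>\n"
    printf "    <ip dstipaddr='%s' protocol='tcp' dstportstart='%s'/>\n" "$hostip" "$port"
    printf "  </rule>\n"
    printf "</filter>\n"
}

# Constructed (trimmed) sample of what `virsh net-dumpxml default` returns.
SAMPLE_NET_XML="<network>
  <name>default</name>
  <bridge name='virbr0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp>
  </ip>
</network>"

# $1 = network name; "--sample" uses the constructed XML so it runs offline.
build_filter_for_network() {
    if [ "$1" = "--sample" ]; then
        ip=$(printf '%s\n' "$SAMPLE_NET_XML" | host_ip_from_net_xml)
    else
        ip=$(virsh net-dumpxml "$1" | host_ip_from_net_xml)
    fi
    [ -n "$ip" ] || { echo "no IPv4 address found for network $1" >&2; return 1; }
    render_filter "allow-host-web" "$ip" 80
}

# Usage on a real host: build_filter_for_network default | virsh nwfilter-define /dev/stdin
```

Re-run the script whenever the network's address changes, since the generated filter captures the address at generation time.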
