[libvirt-users] nwfilter and address of network ip address

Nicolas Bock nicolasbock at gmail.com
Mon May 8 14:31:43 UTC 2017


Hi Dan,

On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote:
>On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock at gmail.com> wrote:
>
>> Hi,
>>
>> I am running a webserver on the libvirt host and would like to add a
>> nwfilter such that a VM can access that server. The corresponding iptables
>> rule would look like this:
>>
>> iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1
>> --protocol tcp --dport 80 --jump ACCEPT
>>
>> where the network is using virbr0 and sits at 192.168.122.1. I don't want
>> to hardcode the host IP address in the nwfilter so that I can use that
>> filter for other networks. Is it possible to reference the host's IP
>> address in the filter?
>>
>> Thanks!
>>
>> Nick
>>
>Hi Nick,
>
>I used to have a similar question too. Not sure if this could be
>helpful for you; probably just use arp or arpscan. But to be more
>specific, if the domain name of the client (assuming you want to
>confine HTTP service to only a selected few clients, e.g.,
>192.168.122.1 in your case) is known, you probably could do
>
>$ virsh domiflist DOMAIN
>
>In particular, to get the IP address of a domain, it is something like the
>following:
>
>$ for MAC in $(virsh domiflist <DOMAIN> | grep -o -E "([0-9a-f]{2}:){5}([0-9a-f]{2})"); do
>        arp -e | grep "$MAC" | grep -o -P "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
>  done
>
>Alternatively, if the NETWORK name is known, IP addr can be obtained
>directly with
>
>$ virsh net-dhcp-leases NETWORK
>
>Another way to get the IP addr, if the qemu guest agent is installed on the
>client,
>
>$ virsh domifaddr DOMAIN
>
>So you can pass the IP to the XML, and somehow trigger the update
>of the NWFILTER with some magic, quite a hack.

Thanks! I was hoping for something less hacky :)

>Or, you could just use client's MAC addr to define the filter:
>https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoMAC
>
>But I don't think there is a direct way to specify a client's domain name in
>the NWFILTER XML definition as of now.
>
>P.S. I am new to libvirt, so everything above could be wrong.
>
>Dan
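The approach the thread circles around (keeping the host address out of the filter body) can be done with nwfilter variables. The following is an added example, not code from the thread; the filter name allow-host-http and the variable name HOSTIP are chosen here, and the address 192.168.122.1 is the example value from the original question. The filter references the host address only as `$HOSTIP`, and each interface that uses the filter supplies the value, so one filter definition serves any network.

```xml
<!-- allow-host-http.xml: load with "virsh nwfilter-define allow-host-http.xml".
     $MAC is libvirt's built-in variable for the interface's own MAC address;
     $HOSTIP is a user-defined variable filled in per interface (see below). -->
<filter name='allow-host-http' chain='ipv4' priority='-700'>
  <!-- VM -> host web server on TCP/80 -->
  <rule action='accept' direction='out' priority='500'>
    <ip srcmacaddr='$MAC' dstipaddr='$HOSTIP' protocol='tcp' dstportstart='80'/>
  </rule>
  <!-- web server replies back to the VM -->
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='$HOSTIP' protocol='tcp' srcportstart='80'/>
  </rule>
  <!-- the default libvirt network also serves DNS and DHCP from the same address;
       allow those so the guest keeps name resolution and lease renewals -->
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='$HOSTIP' protocol='udp' dstportstart='53'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='$HOSTIP' protocol='udp' dstportstart='67'/>
  </rule>
  <!-- anything else the VM sends to the host address is dropped
       (higher priority number = evaluated later than the accepts above) -->
  <rule action='drop' direction='out' priority='600'>
    <ip dstipaddr='$HOSTIP'/>
  </rule>
</filter>

<!-- Interface section of the domain XML ("virsh edit DOMAIN"): the network-specific
     value lives here, not in the filter, so the filter can be reused elsewhere. -->
<interface type='network'>
  <source network='default'/>
  <filterref filter='allow-host-http'>
    <parameter name='HOSTIP' value='192.168.122.1'/>
  </filterref>
</interface>
```

This filter only constrains what the guest's tap interface may send or receive; the host's own INPUT policy still has to accept TCP/80 arriving on virbr0, as in the iptables rule from the original question. Check the rules libvirt generated for a running guest with `virsh nwfilter-binding-list` and by inspecting the FI-/FO-/HI- chains for the interface in iptables.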
