[libvirt-users] Problems getting nwfilter to work

Marc bloody80 at gmx.de
Thu Nov 8 08:13:58 UTC 2018


Hi folks,

I'm using libvirt 3.9.0 running under CentOS 7.5. I want the guests, 
which are all within the same subnet (e.g. 10.0.0.x), to talk only to 
their default gateway (e.g. 10.0.0.1) but not to each other. This is caused 
by a design issue of our network platform. I set up a filter rule and 
attached it to the interface of a guest using nwfilter-define:

<filter name='private_ip' chain='ipv4'>
   <!-- placeholder; the element is optional, and if given must be a valid UUID -->
   <uuid>foobar</uuid>
   <!-- lower priority values are evaluated first; $IP is a filter variable
        supplied through the interface's <filterref> parameter (or learned) -->
   <rule action='accept' direction='out' priority='100'>
     <ip srcipaddr='$IP' dstipaddr='10.0.0.1'/>
   </rule>
   <rule action='accept' direction='in' priority='110'>
     <ip srcipaddr='10.0.0.1' dstipaddr='$IP'/>
   </rule>
   <!-- everything not accepted above, in either direction, is dropped -->
   <rule action='drop' direction='inout' priority='500'>
     <all/>
   </rule>
</filter>

It simply doesn't work. The guest can talk to the other guests within the 
same subnet. All guests are connected to a bridge interface. The IP of 
the guest interface is defined in the guest's XML file. Is there any 
additional kernel module to load? The module br_netfilter is already 
loaded and /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1. 
After hours of googling and testing I still couldn't find a solution. 
Please help!

Thank you very much in advance
Marc
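As an added worked example (not part of Marc's post and not libvirt's own code): the script below parses the filter from the post, expands $IP the way a <filterref> parameter would, and reports the verdict for a few constructed flows (the guest address 10.0.0.5 and the neighbour 10.0.0.6 are assumptions). It also builds the interface snippet that attaches the filter and pins $IP. The evaluation order it models (ascending priority, default 500, first terminal rule decides, unmatched traffic accepted) follows the libvirt nwfilter documentation; the ebtables rules libvirt actually generates are not reproduced.

```python
"""Simulate libvirt nwfilter rule evaluation for one guest interface.

Added example, not from the post or from libvirt. It checks the filter's
logic separately from the question of whether libvirt instantiated the
filter on the guest's tap device at all.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Copy of the filter from the post, with the <uuid> element left out
# (it is optional; libvirt generates one when it is absent).
FILTER_XML = """<filter name='private_ip' chain='ipv4'>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='$IP' dstipaddr='10.0.0.1'/>
  </rule>
  <rule action='accept' direction='in' priority='110'>
    <ip srcipaddr='10.0.0.1' dstipaddr='$IP'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>
"""

TERMINAL = {"accept", "drop", "reject"}


def load_rules(filter_xml):
    """Return rules in libvirt's evaluation order: ascending priority
    (default 500), then definition order for equal priorities."""
    root = ET.fromstring(filter_xml)
    rules = []
    for idx, rule in enumerate(root.findall("rule")):
        matches = list(rule)  # one protocol element such as <ip/> or <all/>
        rules.append({
            "priority": int(rule.get("priority", "500")),
            "order": idx,
            "action": rule.get("action"),
            "direction": rule.get("direction", "inout"),
            "match": matches[0] if matches else None,
        })
    rules.sort(key=lambda r: (r["priority"], r["order"]))
    return rules


def _resolve(value, params):
    """Expand a $VAR reference as a <filterref><parameter/> would.
    A variable the caller did not supply raises KeyError."""
    if value.startswith("$"):
        return params[value[1:]]
    return value


def _addr_matches(packet_addr, rule_addr, rule_mask, params):
    """An absent srcipaddr/dstipaddr attribute matches any address."""
    if rule_addr is None:
        return True
    net = ipaddress.ip_network(
        f"{_resolve(rule_addr, params)}/{rule_mask or 32}", strict=False)
    return ipaddress.ip_address(packet_addr) in net


def rule_matches(rule, direction, src, dst, params):
    """direction is 'in' (towards the guest) or 'out' (from the guest)."""
    if rule["direction"] not in ("inout", direction):
        return False
    m = rule["match"]
    if m is None or m.tag == "all":
        return True
    return (_addr_matches(src, m.get("srcipaddr"), m.get("srcipmask"), params)
            and _addr_matches(dst, m.get("dstipaddr"), m.get("dstipmask"), params))


def verdict(rules, direction, src, dst, params):
    """First matching terminal rule decides; continue/return are skipped
    here. Traffic no rule matches falls through and is accepted."""
    for rule in rules:
        if rule_matches(rule, direction, src, dst, params) and rule["action"] in TERMINAL:
            return rule["action"]
    return "accept"


def interface_xml(mac, bridge, filter_name, ip):
    """Guest interface definition that attaches the filter and pins $IP
    (all values are constructed placeholders)."""
    return (f"<interface type='bridge'>\n"
            f"  <mac address='{mac}'/>\n"
            f"  <source bridge='{bridge}'/>\n"
            f"  <filterref filter='{filter_name}'>\n"
            f"    <parameter name='IP' value='{ip}'/>\n"
            f"  </filterref>\n"
            f"</interface>")


if __name__ == "__main__":
    rules = load_rules(FILTER_XML)
    params = {"IP": "10.0.0.5"}  # constructed guest address
    for flow in (("out", "10.0.0.5", "10.0.0.1"), ("in", "10.0.0.1", "10.0.0.5"),
                 ("out", "10.0.0.5", "10.0.0.6"), ("in", "10.0.0.6", "10.0.0.5")):
        print(flow, "->", verdict(rules, *flow, params))
    print(interface_xml("52:54:00:12:34:56", "br0", "private_ip", params["IP"]))
```

If the simulated verdicts drop the guest-to-guest flows but the real guest still reaches its neighbours, the rules themselves are not the problem and the filter is not being applied to the tap device: confirm with `virsh dumpxml <guest>` that the interface carries the `<filterref>` with an IP parameter (an unresolved `$IP` keeps the filter from instantiating), and check with `ebtables -t nat -L` that libvirt has created chains for that vnet interface.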
