[libvirt-users] Passing multiple addresses with masks to nwfilter

Brooks Swinnerton bswinnerton at gmail.com
Wed Jan 1 23:48:44 UTC 2020


I was able to resolve this by duplicating the <parameter> entries:

<filterref filter='no-ipv6-spoofing'>
  <parameter name='IPV6' value='2001:db8:1:6:dc:d2ff:fef2:2181'/>
  <parameter name='IPV6' value='fe80::dc:d2ff:fef2:2181'/>
  <parameter name='IPV6_MASK' value='32'/>
  <parameter name='IPV6_MASK' value='128'/>
</filterref>

On Wed, Jan 1, 2020 at 3:46 PM Brooks Swinnerton <bswinnerton at gmail.com>
wrote:

> Looking at
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering#sect-Applying_network_filtering-Usage_of_variables_in_filters,
> it sounds like the preferred approach is to use something like:
>
> <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'>
>   <rule action='return' direction='out' priority='500'>
>     <ipv6 srcipaddr='$IPV6[@1]' srcipmask='$IPV6_MASK[@1]'/>
>   </rule>
>   <rule action='drop' direction='out' priority='1000'/>
> </filter>
>
> The documentation reads:
>
> Assign concrete values to SRCIPADDRESSES and DSTPORTS as shown:
>
> SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
> DSTPORTS = [ 80, 8080 ]
>
>
> But I'm not sure how to pass through an array of <parameter>s in the
> filterref. Is this possible?
>
>
>
> On Wed, Jan 1, 2020 at 12:39 PM Brooks Swinnerton <bswinnerton at gmail.com>
> wrote:
>
>> Hello,
>>
>> I have a nwfilter that I'm using to ensure that libvirt domains can't
>> spoof IPv6 traffic. It looks like this:
>>
>> <filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'>
>>   <rule action='return' direction='out' priority='500'>
>>     <ipv6 srcipaddr='$IPV6' srcipmask='$IPV6_MASK'/>
>>   </rule>
>>   <rule action='drop' direction='out' priority='1000'/>
>> </filter>
>>
>> The goal is to allow any traffic coming from the entire prefix (e.g.
>> 2001:db8::/32). This theoretically would work fine when passing in the
>> variables from the domain definition like so:
>>
>> <filterref filter='no-ipv6-spoofing'>
>>   <parameter name='IPV6' value='2001:db8:1:6:dc:d2ff:fef2:2181'/>
>>   <parameter name='IPV6_MASK' value='32'/>
>> </filterref>
>>
>> But the problem comes when wanting to allow multiple prefixes (and thus
>> multiple $IPV6 and $IPV6_MASK variables). If there is more than one
>> definition of $IPV6, how could I associate it with a corresponding
>> $IPV6_MASK?
>>
>> Ideally I would be able to pass an address in CIDR notation directly to
>> srcipaddr, but I don't believe that's an option.
>>
>> Any guidance would be appreciated. The ultimate goal is to automate this
>> process, so having something like $IPV6_1 and $IPV6_2 would be less than
>> ideal.
>>
>
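Worked expansion of the iterator semantics the fix above relies on, added here as an example that is not from the thread or from libvirt itself: it collects the duplicated <parameter> entries into ordered lists and generates the concrete rules the documented [@N] notation describes, pairing values in lockstep when two variables share an iterator id and taking the cartesian product when the ids differ. Treating a plain $VAR as iterator 0 is an assumption; the sample XML and the rule attributes are constructed from the thread.

```python
import itertools
import re
import xml.etree.ElementTree as ET

# Constructed sample: the thread's <filterref>, where repeating a <parameter>
# name builds an ordered list, and the attributes of its <ipv6> rule element.
FILTERREF_XML = """<filterref filter='no-ipv6-spoofing'>
  <parameter name='IPV6' value='2001:db8:1:6:dc:d2ff:fef2:2181'/>
  <parameter name='IPV6' value='fe80::dc:d2ff:fef2:2181'/>
  <parameter name='IPV6_MASK' value='32'/>
  <parameter name='IPV6_MASK' value='128'/>
</filterref>"""
RULE_ATTRS = {"srcipaddr": "$IPV6[@1]", "srcipmask": "$IPV6_MASK[@1]"}
VAR_RE = re.compile(r"\$(\w+)(?:\[@(\d+)\])?")  # $NAME or $NAME[@N]

def parameter_lists(filterref_xml):
    """Collect repeated <parameter> entries into one ordered list per name."""
    lists = {}
    for p in ET.fromstring(filterref_xml).iter("parameter"):
        lists.setdefault(p.get("name"), []).append(p.get("value"))
    return lists

def expand_attrs(attrs, lists):
    """Resolve $VAR[@N] references in one rule element's attributes:
    same iterator id -> lists advance in lockstep (must be equal length);
    distinct ids -> cartesian product. Plain $VAR is treated as iterator 0
    (assumption: the shorthand the libvirt documentation describes)."""
    groups, literal = {}, {}
    for attr, val in attrs.items():
        m = VAR_RE.fullmatch(val)
        if m:
            groups.setdefault(m.group(2) or "0", []).append((attr, m.group(1)))
        else:
            literal[attr] = val
    ids, sizes = list(groups), []
    for it in ids:
        lens = {len(lists[var]) for _, var in groups[it]}
        if len(lens) != 1:
            raise ValueError(f"iterator @{it}: list lengths differ {lens}")
        sizes.append(lens.pop())
    expanded = []
    for idx in itertools.product(*map(range, sizes)):
        rule = dict(literal)
        for it, pos in zip(ids, idx):
            for attr, var in groups[it]:
                rule[attr] = lists[var][pos]
        expanded.append(rule)
    return expanded

if __name__ == "__main__":
    print(expand_attrs(RULE_ATTRS, parameter_lists(FILTERREF_XML)))
```

Running it prints the two address/mask pairs the duplicated parameters produce; switching the second reference to `$IPV6_MASK[@2]` yields all four combinations instead.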