[libvirt-users] Passing multiple addresses with masks to nwfilter

Brooks Swinnerton bswinnerton at gmail.com
Wed Jan 1 17:39:25 UTC 2020


Hello,

I have a nwfilter that I'm using to ensure that libvirt domains can't spoof
IPv6 traffic. It looks like this:

<filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'>
  <rule action='return' direction='out' priority='500'>
    <ipv6 srcipaddr='$IPV6' srcipmask='$IPV6_MASK'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>

The goal is to allow any traffic coming from the entire prefix (e.g.
2001:db8::/32). This theoretically would work fine when passing in the
variables from the domain definition like so:

<filterref filter='no-ipv6-spoofing'>
  <parameter name='IPV6' value='2001:db8:1:6:dc:d2ff:fef2:2181'/>
  <parameter name='IPV6_MASK' value='32'/>
</filterref>

But the problem comes when wanting to allow multiple prefixes (and thus
multiple $IPV6 and $IPV6_MASK variables). If there is more than one
definition of $IPV6, how could I associate it with a corresponding
$IPV6_MASK?

Ideally I would be able to pass an address in CIDR notation directly to
srcipaddr, but I don't believe that's an option.

Any guidance would be appreciated. The ultimate goal is to automate this
process, so having something like $IPV6_1 and $IPV6_MASK_1 would be less than
ideal.
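The following is an added example, not part of the original post and not code from the poster or from the libvirt project. It assumes libvirt nwfilter's documented list-variable iterator syntax: a variable given several times in a <filterref> becomes a list, and two list variables referenced with the same iterator index (here "$IPV6[@1]" and "$IPV6_MASK[@1]") are stepped through in lock-step, so the N-th address is paired with the N-th prefix length rather than every address with every mask. The script splits CIDR strings into that address/mask pair and emits both the filter and the <filterref> fragment; the function names and the sample prefixes (RFC 3849 documentation space) are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample prefixes for the example (documentation address space).
PREFIXES = ["2001:db8:1::/48", "2001:db8:2::/64"]


def split_prefix(cidr):
    """Return (network_address, prefixlen) for a CIDR string.

    strict=False normalizes a host address with a prefix, e.g.
    2001:db8:1:6:dc:d2ff:fef2:2181/32, to its network address 2001:db8::,
    which is the value nwfilter's srcipaddr/srcipmask pair matches on anyway.
    """
    net = ipaddress.IPv6Network(cidr, strict=False)
    return str(net.network_address), net.prefixlen


def build_filter(name="no-ipv6-spoofing"):
    """Anti-spoofing filter that pairs IPV6[n] with IPV6_MASK[n].

    Assumption (libvirt nwfilter docs): using the same iterator index "@1"
    on both variables makes libvirt instantiate one rule per pair
    (IPV6[0]/IPV6_MASK[0], IPV6[1]/IPV6_MASK[1], ...), and it requires both
    lists to have the same length.
    """
    flt = ET.Element("filter", name=name, chain="ipv6-ip", priority="-710")
    allow = ET.SubElement(flt, "rule", action="return",
                          direction="out", priority="500")
    ET.SubElement(allow, "ipv6",
                  srcipaddr="$IPV6[@1]", srcipmask="$IPV6_MASK[@1]")
    # Anything not returned by the allow rule above is dropped.
    ET.SubElement(flt, "rule", action="drop", direction="out", priority="1000")
    return flt


def build_filterref(prefixes, name="no-ipv6-spoofing"):
    """Emit the <filterref> for a domain: one IPV6/IPV6_MASK pair per prefix.

    Emitting the two parameters together per prefix guarantees the two lists
    stay the same length and in the same order, which the lock-step iterator
    depends on.
    """
    ref = ET.Element("filterref", filter=name)
    for cidr in prefixes:
        addr, plen = split_prefix(cidr)
        ET.SubElement(ref, "parameter", name="IPV6", value=addr)
        ET.SubElement(ref, "parameter", name="IPV6_MASK", value=str(plen))
    return ref


def parameter_pairs(ref):
    """Recover (address, prefixlen) pairs from a <filterref> element.

    Useful as a sanity check before defining the domain: the pairs must
    line up index by index and the lists must be equal in length.
    """
    addrs = [p.get("value") for p in ref.findall("parameter")
             if p.get("name") == "IPV6"]
    masks = [p.get("value") for p in ref.findall("parameter")
             if p.get("name") == "IPV6_MASK"]
    if len(addrs) != len(masks):
        raise ValueError("IPV6 and IPV6_MASK lists differ in length")
    return list(zip(addrs, masks))


def render(elem):
    """Serialize an element as the XML text fed to virsh."""
    return ET.tostring(elem, encoding="unicode")


if __name__ == "__main__":
    # Feed the first to `virsh nwfilter-define`, paste the second into the
    # domain's <interface> element.
    print(render(build_filter()))
    print(render(build_filterref(PREFIXES)))
```

The filter XML goes to `virsh nwfilter-define`, and the <filterref> fragment is placed inside the domain's <interface> element; adding a prefix later is just one more CIDR string in the list, with no per-prefix variable names.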