Network filters





The network traffic filtering rules are applied on the host when a virtual machine is started (or an interface is hot-plugged). On Linux hosts they are instantiated as ebtables/iptables/ip6tables rules on the VM's tap device, so the guest cannot bypass them.

Network filters are referenced by virtual machines from within their interface description; the interface's MAC address is what fills the $MAC variable in the rules.

    <interface type='bridge'>
      <mac address='00:16:3e:5d:c7:9e'/>
      <filterref filter='clean-traffic'/>
    </interface>

Filter XML can be parameterized with variables; a value is supplied by a <parameter> element inside the filterref (the value is left blank in these notes: put the VM's IP address there, or rely on IP learning, see below).

    <interface type='bridge'>
      <mac address='00:16:3e:5d:c7:9e'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value=''/>
      </filterref>
    </interface>

# rule using the variable; the VM's IP address is substituted for $IP when the rules are instantiated

  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='$IP'/>
  </rule>

Since libvirt 0.9.10 a variable can hold a list of values. $VAR[@N] selects an iterator: variables that share the same iterator ID are walked in lockstep (first with first, second with second), variables with different IDs produce every combination. With two source addresses and the two ports below the rule expands to four rules (each address with each port).

  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/>
  </rule>

  DSTPORTS = [ 80, 8080 ]
  # a list is passed by repeating the <parameter> element with the same name:
  #   <parameter name='DSTPORTS' value='80'/>
  #   <parameter name='DSTPORTS' value='8080'/>
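To see what a list-variable rule actually turns into before defining it, here is a small model of the expansion, an added example that is not libvirt's own code: the documented iterator semantics are reproduced (same ID walks the lists in lockstep, different IDs give the cross product) and applied to the rule above. The filter name `allow-web`, the address list and the `filterref_xml` helper are constructed for the example; treating a bare `$VAR` like `$VAR[@0]` is an assumption of this model.

```python
"""Model of how libvirt expands nwfilter rules that use list variables and [@N] iterators.

Added example, not libvirt's own code: it mirrors the documented semantics (same iterator
ID => lockstep, different IDs => every combination) so the concrete rules can be inspected
before a filter is defined. ASSUMPTION: a bare $VAR is treated like $VAR[@0].
"""
import itertools
import re
import xml.etree.ElementTree as ET

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)(?:\[@(\d+)\])?")

# Constructed sample: the rule from the notes plus the two lists it iterates over.
TEMPLATE = """<filter name='allow-web' chain='ipv4' priority='-700'>
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]' protocol='tcp'/>
  </rule>
</filter>"""
PARAMS = {"SRCIPADDRESSES": ["10.0.0.1", "11.1.2.3"], "DSTPORTS": ["80", "8080"]}


def expand_rule(attrs, params):
    """attrs: attribute -> value of one protocol element (values may use $VAR / $VAR[@N]).
    params: variable name -> list of values. Returns one attribute dict per concrete rule."""
    iterators = {}  # iterator id -> variables bound to it, in order of appearance
    for value in attrs.values():
        for name, it in VAR_RE.findall(value):
            if name not in params:
                raise KeyError(f"no value supplied for ${name}")
            bound = iterators.setdefault(int(it) if it else 0, [])
            if name not in bound:
                bound.append(name)
    # Lockstep iteration only makes sense when all lists on one iterator have the same length.
    for it, names in iterators.items():
        if len({len(params[n]) for n in names}) != 1:
            raise ValueError(f"iterator @{it} binds lists of different length: {names}")
    # One index per iterator; itertools.product gives the cross product over different iterators.
    ranges = [range(len(params[names[0]])) for names in iterators.values()]
    rules = []
    for combo in itertools.product(*ranges):
        binding = {}
        for (it, names), idx in zip(iterators.items(), combo):
            for name in names:
                binding[(name, it)] = str(params[name][idx])

        def substitute(match):
            return binding[(match.group(1), int(match.group(2) or 0))]

        rules.append({attr: VAR_RE.sub(substitute, value) for attr, value in attrs.items()})
    return rules


def expand_filter(xml_text, params):
    """Replace every <rule> of a filter by its concrete expansions; returns the new tree."""
    root = ET.fromstring(xml_text)
    for rule in root.findall("rule"):  # findall returns a list, so editing root is safe
        pos = list(root).index(rule)
        root.remove(rule)
        for proto in rule:  # <ip>, <tcp>, <mac>, ... (normally one per rule)
            for attrs in expand_rule(dict(proto.attrib), params):
                concrete = ET.Element("rule", dict(rule.attrib))
                ET.SubElement(concrete, proto.tag, attrs)
                root.insert(pos, concrete)
                pos += 1
    return root


def filterref_xml(filter_name, params):
    """<filterref> for an <interface>: a list is passed by repeating <parameter> with one name."""
    ref = ET.Element("filterref", {"filter": filter_name})
    for name, values in params.items():
        for value in values:
            ET.SubElement(ref, "parameter", {"name": name, "value": str(value)})
    return ET.tostring(ref, encoding="unicode")


if __name__ == "__main__":
    for attrs in expand_rule({"srcipaddr": "$SRCIPADDRESSES[@1]",
                              "dstportstart": "$DSTPORTS[@2]"}, PARAMS):
        print(attrs)
    print(ET.tostring(expand_filter(TEMPLATE, PARAMS), encoding="unicode"))
    print(filterref_xml("allow-web", PARAMS))
```

Changing both references to `[@1]` collapses the four rules to two (10.0.0.1:80 and 11.1.2.3:8080), which is the easy way to pin each address to its own port; a length mismatch on a shared iterator is rejected rather than silently truncated.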

virsh nwfilter-list

UUID                                  Name
c397cdbf-2c1f-d2a0-bfda-123a8cfb19d3  allow-arp
20542fdc-eb39-8775-8250-961e9f31d1ad  allow-dhcp
84e70183-7d6c-2285-1199-747a15de40a4  allow-dhcp-server
9a6b5107-1e14-d842-1946-a3ff55a384ff  allow-incoming-ipv4
50b523b0-6e4d-db3f-2df6-5b08e53c38f8  allow-ipv4
807832e3-927f-0204-198d-2bb1d51c8774  clean-traffic
d2b539ca-8b3c-4d64-16d0-a45b5c9e9f33  no-arp-ip-spoofing
b64b2e3e-63af-bdb4-8f43-ccf468412e92  no-arp-mac-spoofing
2edd5f80-acfe-0117-1b62-2a1c9338abaa  no-arp-spoofing
b068ebc1-01e1-7a1c-48cd-76f8bd4de18a  no-ip-multicast
0b7048c4-3316-96b8-2d7e-f6bd5d856138  no-ip-spoofing
7e891c8a-4f27-8aba-a6e6-85401b0f1765  no-mac-broadcast
969146f3-2ef4-09dd-bfd7-d2c1e9008d7f  no-mac-spoofing
24e6ddf6-cd61-68ce-d9d7-5519827f7246  no-other-l2-traffic
b9967f54-075e-94b4-8dfa-cb96e33b1617  no-other-rarp-traffic
b69bfe70-4c1b-0c61-60ab-6f6890ea17f2  qemu-announce-self
b24747e3-7f00-a67f-2ffb-54e97fb5f99f  qemu-announce-self-rarp

nwfilter-dumpxml nwfilter-name

nwfilter-dumpxml allow-dhcp
<filter name='allow-dhcp' chain='ipv4' priority='-700'>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='' dstipaddr='' protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>


A chain with a lower priority value is accessed before one with a higher value; the same ordering applies to rules within a chain. Valid priorities are -1000 to 1000, and a rule without a priority attribute gets 500.


nwfilter-define xmlfile
# defines a new filter, or redefines an existing one of the same name; VMs already using the filter get the new rules applied

nwfilter-undefine nwfilter-name
# refused while a running VM still references the filter

nwfilter-edit nwfilter-name
# opens the filter in the editor named by $EDITOR; equivalent to
# virsh nwfilter-dumpxml myfilter > myfilter.xml
# vi myfilter.xml
# virsh nwfilter-define myfilter.xml


Filtering chains

Packets enter the root chain and are handed to the protocol chains in ascending priority order (default priorities in parentheses):

root -> stp(-810) -> mac(-800) -> vlan(-750) -> ipv4(-700) -> ipv6(-600) -> arp(-500) -> rarp(-400)

A filter's chain attribute (plus an optional priority) places its rules in one of these chains; a user-defined chain must be named with one of the built-in names as prefix, e.g. ipv4-web.


Automatic IP address detection (CTRL_IP_LEARNING)

# selects how libvirt learns the VM's address for $IP when it is not passed as a parameter: any (default), dhcp, or none
# any  => sniff the first packet the VM sends and lock in its source address; only a single address is detected, and the VM picks it
# dhcp => DHCP snooping: take the address from the lease the VM obtains (renewals are followed); the filter has to let DHCP through (allow-dhcp / allow-dhcp-server)
# none => no learning; $IP must be supplied explicitly

<filterref filter='clean-traffic'>
  <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
</filterref>


References to other filters

A filter can include other filters with <filterref>; clean-traffic is built this way (excerpt):

<filter name='clean-traffic'>
    <filterref filter='no-mac-spoofing'/>
    <filterref filter='no-ip-spoofing'/>
    <filterref filter='allow-incoming-ipv4'/>
    ...
</filter>

# Built-in filters used as building blocks (names as listed by nwfilter-list):
# no-arp-spoofing:   prevent a VM from spoofing ARP traffic; only ARP request and reply messages are allowed, and they must carry the VM's own MAC and IP addresses.
# allow-dhcp:        allow a VM to request an IP address via DHCP (from any DHCP server).
# allow-dhcp-server: allow a VM to request an IP address from a specified DHCP server. The dotted-decimal address of the DHCP server must be passed in the reference to this filter; the variable name must be DHCPSERVER.
# no-ip-spoofing:    prevent a VM from sending IP packets whose source IP address is not the VM's own (configured or learned) address.
# no-ip-multicast:   prevent a VM from sending IP multicast packets.
# clean-traffic:     prevent MAC, IP and ARP spoofing; references several of the other filters as building blocks.
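A filter that composes these building blocks is easy to get subtly wrong (a misspelled filterref, a priority outside the allowed range, a $VAR that nobody supplies), and nwfilter-define only tells you at define time, or at VM start. The following lint is an added example, not libvirt code or part of these notes: it checks a filter document offline against the constraints noted above (priority range, chain naming, rule action/direction, filterref targets taken from the nwfilter-list output above, and variables that must be passed as a <parameter>). The sample filters `web-vm` and `bad-vm` are constructed; treating $MAC as always available and $IP as available whenever CTRL_IP_LEARNING is not `none` is an assumption of the example.

```python
"""Offline sanity checks for a libvirt nwfilter definition before `virsh nwfilter-define`.

Added example, not part of libvirt or of the notes above. It encodes the documented constraints
(priorities -1000..1000, built-in chain names or prefixed user chains, rule actions/directions,
variables that must be supplied on the filterref) and checks <filterref> targets against the
filter list shown above. ASSUMPTION: $MAC is always available, $IP is available whenever IP
learning is not 'none'; anything else must be passed as a <parameter>.
"""
import re
import xml.etree.ElementTree as ET

# Filters shipped with libvirt, as listed by `virsh nwfilter-list` above.
BUILTIN_FILTERS = frozenset({
    "allow-arp", "allow-dhcp", "allow-dhcp-server", "allow-incoming-ipv4", "allow-ipv4",
    "clean-traffic", "no-arp-ip-spoofing", "no-arp-mac-spoofing", "no-arp-spoofing",
    "no-ip-multicast", "no-ip-spoofing", "no-mac-broadcast", "no-mac-spoofing",
    "no-other-l2-traffic", "no-other-rarp-traffic", "qemu-announce-self",
    "qemu-announce-self-rarp",
})
# Built-in chains; a user chain must be named with one of them as prefix (e.g. ipv4-web).
CHAIN_RE = re.compile(r"^(root|mac|stp|vlan|arp|rarp|ipv4|ipv6)(-[A-Za-z0-9_.]+)?$")
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
ACTIONS = {"accept", "drop", "reject", "return", "continue"}
DIRECTIONS = {"in", "out", "inout"}
PRIORITY_MIN, PRIORITY_MAX = -1000, 1000

# Constructed samples: one filter that should pass, one that breaks several rules at once.
GOOD = """<filter name='web-vm' chain='ipv4-web'>
  <filterref filter='clean-traffic'/>
  <filterref filter='allow-dhcp'/>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstipaddr='$IP' dstportstart='443'/>
  </rule>
</filter>"""
BAD = """<filter name='bad-vm' chain='web'>
  <filterref filter='clean-trafic'/>
  <rule action='accept' direction='in' priority='2000'>
    <tcp srcipaddr='$TRUSTED' dstportstart='22'/>
  </rule>
</filter>"""


def lint_filter(xml_text, provided_vars=(), ip_learning="any", known_filters=BUILTIN_FILTERS):
    """Return a list of findings (strings); an empty list means nothing obviously wrong."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "filter":
        return [f"root element is <{root.tag}>, expected <filter>"]
    name = root.get("name", "<unnamed>")
    chain = root.get("chain", "root")  # libvirt's default when the attribute is absent
    if not CHAIN_RE.match(chain):
        findings.append(f"{name}: chain '{chain}' is neither a built-in chain nor a prefixed user chain")

    def check_priority(elem, where):
        raw = elem.get("priority")
        if raw is None:
            return  # optional: libvirt uses the chain default, or 500 for a rule
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{where}: priority '{raw}' is not an integer")
            return
        if not PRIORITY_MIN <= value <= PRIORITY_MAX:
            findings.append(f"{where}: priority {value} is outside {PRIORITY_MIN}..{PRIORITY_MAX}")

    check_priority(root, f"filter {name}")
    for ref in root.findall("filterref"):
        target = ref.get("filter", "")
        if target == name:
            findings.append(f"{name}: references itself")
        elif target not in known_filters:
            findings.append(f"{name}: references unknown filter '{target}'")

    # $MAC comes from the interface; $IP is learned unless learning is switched off.
    auto_vars = {"MAC"} | ({"IP"} if ip_learning != "none" else set())
    for n, rule in enumerate(root.findall("rule"), 1):
        where = f"{name} rule #{n}"
        check_priority(rule, where)
        if rule.get("action") not in ACTIONS:
            findings.append(f"{where}: action '{rule.get('action')}' not in {sorted(ACTIONS)}")
        if rule.get("direction") not in DIRECTIONS:
            findings.append(f"{where}: direction '{rule.get('direction')}' not in {sorted(DIRECTIONS)}")
        for proto in rule:  # <ip>, <tcp>, <mac>, ... elements carrying the match attributes
            for attr, value in proto.attrib.items():
                for var in VAR_RE.findall(value):
                    if var not in provided_vars and var not in auto_vars:
                        findings.append(f"{where}: ${var} in <{proto.tag} {attr}> has no value; "
                                        "pass it as a <parameter> on the filterref")
    return findings


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_filter(text) or "ok")
```

When your filter references filters you defined yourself, pass the names from the host's `virsh nwfilter-list` output as `known_filters`; and since the lint only reads XML, still confirm the instantiated ebtables/iptables rules on the host after `nwfilter-define` and a VM start.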