Description
The network traffic filtering rules are applied on the host when a virtual machine is started.
Network filters are referenced by virtual machines from within their interface description.
...
<devices>
  <interface type='bridge'>
    <mac address='00:16:3e:5d:c7:9e'/>
    <filterref filter='clean-traffic'/>
  </interface>
</devices>
...
Filter XML can be parameterized with variables:
...
<devices>
  <interface type='bridge'>
    <mac address='00:16:3e:5d:c7:9e'/>
    <filterref filter='clean-traffic'>
      <parameter name='IP' value='10.0.0.1'/>
    </filterref>
  </interface>
</devices>
...
# rule
...
<rule action='accept' direction='in' priority='500'>
  <tcp srcipaddr='$IP'/>
</rule>
...
Since 0.9.10 (list variables, addressed through iterators such as [@1] and [@2]):
...
<rule action='accept' direction='in' priority='500'>
  <ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/>
</rule>
...
SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
DSTPORTS = [ 80, 8080 ]
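Added example (not libvirt code) that models how a list-parameterized rule like the one above is instantiated: variables sharing an iterator are walked in lockstep, variables with different iterators yield every combination, and a variable without an iterator behaves like [@0]. The rule XML and parameter values are constructed from the snippet above.

```python
import itertools
import re
import xml.etree.ElementTree as ET

# Constructed input: the list-variable rule from the notes plus the VM's parameters.
RULE_XML = """<rule action='accept' direction='in' priority='500'>
  <ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/>
</rule>"""
PARAMS = {"SRCIPADDRESSES": ["10.0.0.1", "11.1.2.3"], "DSTPORTS": ["80", "8080"]}

# $NAME or $NAME[@N]; a missing iterator is treated as @0.
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)(?:\[@(\d+)\])?")

def _values(params, name):
    if name not in params:
        raise KeyError(f"undefined variable ${name}")
    v = params[name]
    return v if isinstance(v, list) else [v]

def expand_rule(rule_xml, params):
    """Return the concrete rules (attribute dicts) one parameterized rule expands to."""
    root = ET.fromstring(rule_xml)
    proto = next(iter(root))  # the single protocol element, e.g. <ip .../>
    # Each iterator id maps to the common length of the lists it walks.
    iterators = {}
    for value in proto.attrib.values():
        for name, it in VAR_RE.findall(value):
            it = int(it) if it else 0
            n = len(_values(params, name))
            if iterators.get(it, n) != n:
                raise ValueError(f"iterator @{it} walks lists of different length")
            iterators[it] = n
    expanded = []
    # Different iterators: Cartesian product; same iterator: one index for all.
    for combo in itertools.product(*(range(n) for n in iterators.values())):
        idx = dict(zip(iterators, combo))
        def subst(m, idx=idx):
            return _values(params, m.group(1))[idx[int(m.group(2) or 0)]]
        expanded.append({"action": root.get("action"),
                         "direction": root.get("direction"),
                         "protocol": proto.tag,
                         **{a: VAR_RE.sub(subst, v) for a, v in proto.attrib.items()}})
    return expanded

if __name__ == "__main__":
    for rule in expand_rule(RULE_XML, PARAMS):
        print(rule)
```

With the two independent iterators above, four accept rules are produced; rewriting the rule to use [@1] for both variables yields only the two lockstep pairs.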
virsh nwfilter-list
 UUID                                  Name
----------------------------------------------------------------
 c397cdbf-2c1f-d2a0-bfda-123a8cfb19d3  allow-arp
 20542fdc-eb39-8775-8250-961e9f31d1ad  allow-dhcp
 84e70183-7d6c-2285-1199-747a15de40a4  allow-dhcp-server
 9a6b5107-1e14-d842-1946-a3ff55a384ff  allow-incoming-ipv4
 50b523b0-6e4d-db3f-2df6-5b08e53c38f8  allow-ipv4
 807832e3-927f-0204-198d-2bb1d51c8774  clean-traffic
 d2b539ca-8b3c-4d64-16d0-a45b5c9e9f33  no-arp-ip-spoofing
 b64b2e3e-63af-bdb4-8f43-ccf468412e92  no-arp-mac-spoofing
 2edd5f80-acfe-0117-1b62-2a1c9338abaa  no-arp-spoofing
 b068ebc1-01e1-7a1c-48cd-76f8bd4de18a  no-ip-multicast
 0b7048c4-3316-96b8-2d7e-f6bd5d856138  no-ip-spoofing
 7e891c8a-4f27-8aba-a6e6-85401b0f1765  no-mac-broadcast
 969146f3-2ef4-09dd-bfd7-d2c1e9008d7f  no-mac-spoofing
 24e6ddf6-cd61-68ce-d9d7-5519827f7246  no-other-l2-traffic
 b9967f54-075e-94b4-8dfa-cb96e33b1617  no-other-rarp-traffic
 b69bfe70-4c1b-0c61-60ab-6f6890ea17f2  qemu-announce-self
 b24747e3-7f00-a67f-2ffb-54e97fb5f99f  qemu-announce-self-rarp
nwfilter-dumpxml nwfilter-name
nwfilter-dumpxml allow-dhcp
<filter name='allow-dhcp' chain='ipv4' priority='-700'>
  <uuid>20542fdc-eb39-8775-8250-961e9f31d1ad</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>
P.S.
A chain with a lower priority value is accessed before one with a higher value.
nwfilter-define xmlfile
nwfilter-undefine nwfilter-name
# uses the editor named in the $EDITOR environment variable; equivalent to:
# virsh nwfilter-dumpxml myfilter > myfilter.xml
# vi myfilter.xml
# virsh nwfilter-define myfilter.xml
nwfilter-edit nwfilter-name
Filtering chains
root -> mac, stp -> vlan -> arp(-500), rarp(-400) -> ipv4(-700)
Automatic IP address detection (CTRL_IP_LEARNING)
# specifies the IP address learning method to use: any (default), dhcp, or none
# any => only detect a single IP address (taken from the first packet sent by the VM)
<parameter name='CTRL_IP_LEARNING' value='dhcp'/>
References to other filters
<filter name='clean-traffic'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='allow-incoming-ipv4'/>
</filter>
no-arp-spoofing
# Prevent a VM from spoofing ARP traffic
# This filter only allows ARP request and reply messages and
# enforces that those packets contain the MAC and IP addresses of the VM.
allow-dhcp
# Allow a VM to request an IP address via DHCP (from any DHCP server)
allow-dhcp-server
# Allow a VM to request an IP address from a specified DHCP server.
# The dotted decimal IP address of the DHCP server must be provided in a reference to this filter.
# The name of the variable must be DHCPSERVER.
no-ip-spoofing
# Prevent a VM from sending IP packets with a source IP address different from the one inside the packet.
no-ip-multicast
# Prevent a VM from sending IP multicast packets.
clean-traffic
# Prevent MAC, IP and ARP spoofing. This filter references several other filters as building blocks.