the filter <code>clean-traffic</code>.
</p>
<pre>
- ...
- <devices>
- <interface type='bridge'>
- <mac address='00:16:3e:5d:c7:9e'/>
- <filterref filter='clean-traffic'/>
- </interface>
- </devices>
- ...</pre>
+...
+<devices>
+ <interface type='bridge'>
+ <mac address='00:16:3e:5d:c7:9e'/>
+ <filterref filter='clean-traffic'/>
+ </interface>
+</devices>
+...</pre>
<p>
Network filters are written in XML and may either contain references
the parameter <code>IP</code> and a dotted IP address as value.
</p>
<pre>
- ...
- <devices>
- <interface type='bridge'>
- <mac address='00:16:3e:5d:c7:9e'/>
- <filterref filter='clean-traffic'>
- <parameter name='IP' value='10.0.0.1'/>
- </filterref>
- </interface>
- </devices>
- ...</pre>
+...
+<devices>
+ <interface type='bridge'>
+ <mac address='00:16:3e:5d:c7:9e'/>
+ <filterref filter='clean-traffic'>
+ <parameter name='IP' value='10.0.0.1'/>
+ </filterref>
+ </interface>
+</devices>
+...</pre>
<p>
In this particular example, the <code>clean-traffic</code> network
providing multiple elements for the IP variable is:
</p>
<pre>
- ...
- <devices>
- <interface type='bridge'>
- <mac address='00:16:3e:5d:c7:9e'/>
- <filterref filter='clean-traffic'>
- <parameter name='IP' value='10.0.0.1'/>
- <parameter name='IP' value='10.0.0.2'/>
- <parameter name='IP' value='10.0.0.3'/>
- </filterref>
- </interface>
- </devices>
- ...</pre>
+...
+<devices>
+ <interface type='bridge'>
+ <mac address='00:16:3e:5d:c7:9e'/>
+ <filterref filter='clean-traffic'>
+ <parameter name='IP' value='10.0.0.1'/>
+ <parameter name='IP' value='10.0.0.2'/>
+ <parameter name='IP' value='10.0.0.3'/>
+ </filterref>
+ </interface>
+</devices>
+...</pre>
<p>
This then allows filters to enable multiple IP addresses
per interface. Therefore, with the list
individual filtering rules, one for each IP address.
</p>
<pre>
- ...
- <rule action='accept' direction='in' priority='500'>
- <tcp srpipaddr='$IP'/>
- </rule>
- ...
+...
+<rule action='accept' direction='in' priority='500'>
+ <tcp srpipaddr='$IP'/>
+</rule>
+...
</pre>
<p>
<span class="since">Since 0.9.10</span> it is possible to access
of the variable DSTPORTS.
</p>
<pre>
- ...
- <rule action='accept' direction='in' priority='500'>
- <udp dstportstart='$DSTPORTS[1]'/>
- </rule>
- ...
+...
+<rule action='accept' direction='in' priority='500'>
+ <udp dstportstart='$DSTPORTS[1]'/>
+</rule>
+...
</pre>
<p>
<span class="since">Since 0.9.10</span> it is possible to create
iterators to access their elements.
</p>
<pre>
- ...
- <rule action='accept' direction='in' priority='500'>
- <ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/>
- </rule>
- ...
+...
+<rule action='accept' direction='in' priority='500'>
+ <ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/>
+</rule>
+...
</pre>
<p>
In an example we assign concrete values to SRCIPADDRESSES and DSTPORTS
</p>
<pre>
- SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
- DSTPORTS = [ 80, 8080 ]
+SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
+DSTPORTS = [ 80, 8080 ]
</pre>
<p>
Accessing the variables using $SRCIPADDRESSES[@1] and $DSTPORTS[@2] would
then result in all combinations of addresses and ports being created:
</p>
<pre>
- 10.0.0.1, 80
- 10.0.0.1, 8080
- 11.1.2.3, 80
- 11.1.2.3, 8080
+10.0.0.1, 80
+10.0.0.1, 8080
+11.1.2.3, 80
+11.1.2.3, 8080
</pre>
<p>
Accessing the same variables using a single iterator, for example by using
parallel access to both lists and result in the following combinations:
</p>
<pre>
- 10.0.0.1, 80
- 11.1.2.3, 8080
+10.0.0.1, 80
+11.1.2.3, 8080
</pre>
<p>
Further, the notation of $VARIABLE is short-hand for $VARIABLE[@0]. The
using the DHCP snooping method:
</p>
<pre>
- <interface type='bridge'>
- <source bridge='virbr0'/>
- <filterref filter='clean-traffic'>
- <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
- </filterref>
- </interface>
+<interface type='bridge'>
+ <source bridge='virbr0'/>
+ <filterref filter='clean-traffic'>
+ <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
+ </filterref>
+</interface>
</pre>
<h3><a name="nwfelemsReservedVars">Reserved Variables</a></h3>
</p>
<pre>
[...]
- <rule action='drop' direction='in'>
- <protocol match='no' attribute1='value1' attribute2='value2'/>
- <protocol attribute3='value3'/>
- </rule>
+<rule action='drop' direction='in'>
+ <protocol match='no' attribute1='value1' attribute2='value2'/>
+ <protocol attribute3='value3'/>
+</rule>
[...]
</pre>
<p>
turned off for incoming connections to TCP port 12345.
</p>
<pre>
- [...]
- <rule direction='in' action='accept' statematch='false'>
- <tcp dstportstart='12345'/>
- </rule>
- [...]
+[...]
+<rule direction='in' action='accept' statematch='false'>
+ <tcp dstportstart='12345'/>
+</rule>
+[...]
</pre>
<p>
This now allows incoming traffic to TCP port 12345, but would also
time, the following XML fragment can be used to achieve this.
</p>
<pre>
- [...]
- <rule action='drop' direction='in' priority='400'>
- <tcp connlimit-above='1'/>
- </rule>
- <rule action='accept' direction='in' priority='500'>
- <tcp dstportstart='22'/>
- </rule>
- <rule action='drop' direction='out' priority='400'>
- <icmp connlimit-above='1'/>
- </rule>
- <rule action='accept' direction='out' priority='500'>
- <icmp/>
- </rule>
- <rule action='accept' direction='out' priority='500'>
- <udp dstportstart='53'/>
- </rule>
- <rule action='drop' direction='inout' priority='1000'>
- <all/>
- </rule>
- [...]
+[...]
+<rule action='drop' direction='in' priority='400'>
+ <tcp connlimit-above='1'/>
+</rule>
+<rule action='accept' direction='in' priority='500'>
+ <tcp dstportstart='22'/>
+</rule>
+<rule action='drop' direction='out' priority='400'>
+ <icmp connlimit-above='1'/>
+</rule>
+<rule action='accept' direction='out' priority='500'>
+ <icmp/>
+</rule>
+<rule action='accept' direction='out' priority='500'>
+ <udp dstportstart='53'/>
+</rule>
+<rule action='drop' direction='inout' priority='1000'>
+ <all/>
+</rule>
+[...]
</pre>
<p>
Note that the rule for the limit has to logically appear
</p>
<pre>
- echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
+echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
</pre>
<p>
sets the ICMP connection tracking timeout to 3 seconds. The
the domain XML of the <code>test</code> VM could then look like this:
</p>
<pre>
- [...]
- <interface type='bridge'>
- <source bridge='mybridge'/>
- <filterref filter='test-eth0'/>
- </interface>
- [...]
+[...]
+<interface type='bridge'>
+ <source bridge='mybridge'/>
+ <filterref filter='test-eth0'/>
+</interface>
+[...]
</pre>
<p>
<code>ICMP</code> rule can be replaced with the following two rules:
</p>
<pre>
- <!-- enable outgoing ICMP echo requests-->
- <rule action='accept' direction='out'>
- <icmp type='8'/>
- </rule>
-
- <!-- enable incoming ICMP echo replies-->
- <rule action='accept' direction='in'>
- <icmp type='0'/>
- </rule>
+<!-- enable outgoing ICMP echo requests-->
+<rule action='accept' direction='out'>
+ <icmp type='8'/>
+</rule>
+
+<!-- enable incoming ICMP echo replies-->
+<rule action='accept' direction='in'>
+ <icmp type='0'/>
+</rule>
</pre>
<h3><a name="nwfwriteexample2nd">Second example custom filter</a></h3>
the ftp connection with the VM is established.
</p>
<pre>
- modprobe nf_conntrack_ftp # where available or
+modprobe nf_conntrack_ftp # where available or
- modprobe ip_conntrack_ftp # if above is not available
+modprobe ip_conntrack_ftp # if above is not available
</pre>
<p>
If other protocols than ftp are to be used in conjunction with the
projects / libvirt.git / commitdiff