On 2018/03/29 5:30 pm, Andre Goree wrote:
I'm trying to apply a nwfilter rule for two networks on the same guest interface, like so:
~ # virsh nwfilter-dumpxml 1081532-private-both
<filter name='1081532-private-both' chain='root'>
  <uuid>16004b94-2b62-4568-9467-169908eb4040</uuid>
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='10.25.104.0' srcipmask='24'/>
  </rule>
  <rule action='accept' direction='in' priority='600'>
    <ip srcipaddr='10.117.50.0' srcipmask='24'/>
  </rule>
  <rule action='drop' direction='in' priority='1000'/>
</filter>
Within the guest, the IPs are both set up on one interface, with the IP for the second network (10.117.50.0/24) configured as an alias, like so:
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:00:0a:d0:4e:f3 brd ff:ff:ff:ff:ff:ff
    inet 10.25.104.1/24 brd 10.25.104.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 10.117.50.1/24 brd 10.117.50.255 scope global eth1:0
       valid_lft forever preferred_lft forever
    inet6 fe80::200:aff:fed0:4ef3/64 scope link
       valid_lft forever preferred_lft forever
The problem I'm running into is that after applying the nwfilter, I cannot reach the second network, only the first. Is this an issue with both IPs being on the same interface? The machine I'm attempting to reach has the same exact configuration -- i.e. it has an IP on the same network for both networks.
Thanks in advance for any advice that can be given.
I was able to get this working via the following, in case anyone else runs into this (it's pretty straightforward, so I don't expect many to run into my same ID10T problem):
<filter name='7925-private-both' priority='-700'>
  <uuid>a79560cc-9405-4483-8692-4143b00b48ed</uuid>
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='10.25.104.0' srcipmask='24'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='10.25.104.0' dstipmask='24'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='10.47.215.0' srcipmask='24'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='10.47.215.0' dstipmask='24'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='10.47.216.0' srcipmask='24'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='10.47.216.0' dstipmask='24'/>
  </rule>
  <rule action='drop' direction='in' priority='1000'/>
  <rule action='drop' direction='out' priority='1000'/>
</filter>
The ranges are different than in my original post, but that's of course arbitrary.
--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://blog.drenet.net
PGP key - http://www.drenet.net/pubkey.html
-=-=-=-=-=-
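The difference between the two filters above is that the working one accepts each subnet in both directions (srcipaddr for 'in', dstipaddr for 'out') before its catch-all drops. As an added example, not code from the thread or from libvirt, the script below parses the XML that `virsh nwfilter-dumpxml` prints and reports, per direction, which subnets are explicitly accepted, whether a catch-all drop follows, and which subnets are accepted in only one direction, so a lopsided filter can be caught before it is bound to a guest interface. It assumes rules carry direction 'in' or 'out' with at most one <ip> child, that a missing priority means 500, and that traffic matching no rule is not blocked; the sample filters are constructed copies of the two posted above (the second shortened to two subnets).

```python
"""Audit a libvirt nwfilter definition for one-directional accept rules.

Added example, not code from the thread or from libvirt.  Assumptions:
only <rule> elements with direction 'in' or 'out' and at most one <ip>
child are handled, a rule without a priority gets 500, and traffic that
matches no rule is treated as accepted.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copies of the two filters posted in the thread (the second
# shortened to two of its three subnets).
FILTER_IN_ONLY = """<filter name='1081532-private-both' chain='root'>
  <uuid>16004b94-2b62-4568-9467-169908eb4040</uuid>
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='10.25.104.0' srcipmask='24'/>
  </rule>
  <rule action='accept' direction='in' priority='600'>
    <ip srcipaddr='10.117.50.0' srcipmask='24'/>
  </rule>
  <rule action='drop' direction='in' priority='1000'/>
</filter>"""

FILTER_BOTH = """<filter name='7925-private-both' priority='-700'>
  <uuid>a79560cc-9405-4483-8692-4143b00b48ed</uuid>
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='10.25.104.0' srcipmask='24'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='10.25.104.0' dstipmask='24'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='10.47.215.0' srcipmask='24'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='10.47.215.0' dstipmask='24'/>
  </rule>
  <rule action='drop' direction='in' priority='1000'/>
  <rule action='drop' direction='out' priority='1000'/>
</filter>"""


def parse_rules(xml_text):
    """Return (action, direction, priority, network-or-None) per <rule>,
    ordered by priority (lower numbers are evaluated first)."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("rule"):
        direction = rule.get("direction")
        if direction not in ("in", "out"):
            raise ValueError(f"unsupported direction {direction!r}")
        net = None  # None means the rule matches any address
        ip = rule.find("ip")
        if ip is not None:
            # Inbound rules match on the source, outbound on the destination.
            key = "src" if direction == "in" else "dst"
            addr, mask = ip.get(f"{key}ipaddr"), ip.get(f"{key}ipmask", "32")
            if addr:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((rule.get("action"), direction,
                      int(rule.get("priority", "500")), net))
    return sorted(rules, key=lambda r: r[2])


def accepted_subnets(rules, direction):
    """Subnets explicitly accepted in one direction, in evaluation order."""
    return [net for action, d, _, net in rules
            if action == "accept" and d == direction and net is not None]


def catch_all_drops(rules):
    """Directions that contain an unconditional drop rule."""
    return {d for action, d, _, net in rules if action == "drop" and net is None}


def asymmetric_subnets(rules):
    """Subnets accepted in exactly one direction (the thread's problem)."""
    both = set(accepted_subnets(rules, "in")) ^ set(accepted_subnets(rules, "out"))
    return sorted(str(n) for n in both)


def verdict(rules, direction, address):
    """Action of the first rule matching `address` in `direction`."""
    addr = ipaddress.ip_address(address)
    for action, d, _, net in rules:
        if d == direction and (net is None or addr in net):
            return action
    return "accept"  # assumption: unmatched traffic is not blocked


if __name__ == "__main__":
    for text in (FILTER_IN_ONLY, FILTER_BOTH):
        rules = parse_rules(text)
        print(ET.fromstring(text).get("name"),
              "catch-all drops:", sorted(catch_all_drops(rules)),
              "one-directional:", asymmetric_subnets(rules))
        print("  in from 10.117.50.9:", verdict(rules, "in", "10.117.50.9"),
              "| out to 10.117.50.9:", verdict(rules, "out", "10.117.50.9"))
```

To check a live filter, pass the output of `virsh nwfilter-dumpxml <name>` to parse_rules() and look at asymmetric_subnets(); an empty list means every accepted subnet is covered in both directions, which is what the corrected filter above achieves.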