Re: [libvirt-users] nwfilter and address of network ip address

On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote:
Hi,
I am running a webserver on the libvirt host and would like to add a nwfilter such that a VM can access that server. The corresponding iptables rule would look like this:
iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1 --protocol tcp --dport 80 --jump ACCEPT
where the network is using virbr0 and sits at 192.168.122.1. I don't want to hardcode the host IP address in the nwfilter so that I can use that filter for other networks. Is it possible to reference the host's IP address in the filter?
Thanks!
Nick
Hi Nick,
I used to have a similar question before too. Not sure if this could be helpful for you, probably just use arp or arpscan. But to be more specific, if the domain name of the client (assuming you want to confine HTTP service to only a selected few clients, e.g., 192.168.122.1 in your case) is known, you probably could do

$ virsh domiflist DOMAIN

In particular, to get the IP address of a domain, it is something like the following:

$ for MAC in $(virsh domiflist DOMAIN | grep -o -E "([0-9a-f]{2}:){5}([0-9a-f]{2})"); do arp -e | grep "$MAC" | grep -o -P "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"; done

Alternatively, if the NETWORK name is known, IP addr can be obtained directly with

$ virsh net-dhcp-leases NETWORK

Another way to get the IP addr, if qemu guest agent is installed on the client,

$ virsh domifaddr DOMAIN

So that you can pass IP to the XML, and somehow you can trigger the update of NWFILTER with some magic, quite a hack.

Or, you could just use client's MAC addr to define the filter: https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoMAC

But I don't think there is a direct way to specify a client's domain name in the NWFILTER XML definition as of now.

P.S. I am new to libvirt, so everything above could be wrong.

Dan
_______________________________________________
libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users

Hi Dan,

On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote:
So that you can pass IP to the XML, and somehow you can trigger the update of NWFILTER with some magic, quite a hack.
Thanks! I was hoping for something less hacky :)

On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote:
On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote:
Hi,
I am running a webserver on the libvirt host and would like to add a nwfilter such that a VM can access that server. The corresponding iptables rule would look like this:
iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1 --protocol tcp --dport 80 --jump ACCEPT
where the network is using virbr0 and sits at 192.168.122.1. I don't want to hardcode the host IP address in the nwfilter so that I can use that filter for other networks. Is it possible to reference the host's IP address in the filter?
There is a pre-defined parameter for the VM's own IP address:

http://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection

but we don't have anything for the host's IP address. We could fairly easily add it though I reckon - eg provide a HOST_IP parameter.

Regards,
Daniel

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
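Editor's note: as Daniel says, nwfilter has no predefined variable that resolves to the host's address. What it does have is user-defined variables: any `$NAME` referenced in a filter rule can be given its value per interface from the `<parameter>` children of the domain's `<filterref>`. That keeps the filter definition free of a hardcoded address (reusable across networks), although the value itself still has to be supplied for each VM. The following is an added example, not from the thread and not one of libvirt's shipped filters; the filter name `allow-host-http`, the variable name `HOSTIP`, the network name `default` and the MAC address are all placeholders chosen for illustration.

```xml
<!-- Filter definition (virsh nwfilter-define). The host address is the
     user-supplied variable $HOSTIP rather than a literal, so the same
     filter can be attached to VMs on networks with different host IPs. -->
<filter name='allow-host-http' chain='ipv4'>
  <!-- VM -> host web server: TCP to $HOSTIP port 80 -->
  <rule action='accept' direction='out' priority='100'>
    <tcp dstipaddr='$HOSTIP' dstportstart='80'/>
  </rule>
  <!-- return traffic from the web server back to the VM -->
  <rule action='accept' direction='in' priority='100'>
    <tcp srcipaddr='$HOSTIP' srcportstart='80'/>
  </rule>
</filter>

<!-- Domain XML fragment (virsh edit DOMAIN): the interface references the
     filter and binds $HOSTIP to this network's bridge address. The network
     name and MAC below are placeholders; 192.168.122.1 is the address the
     thread uses for virbr0 and is what 'virsh net-dumpxml default' reports
     in its <ip address='...'/> element. -->
<interface type='network'>
  <source network='default'/>
  <mac address='52:54:00:12:34:56'/>
  <filterref filter='allow-host-http'>
    <parameter name='HOSTIP' value='192.168.122.1'/>
  </filterref>
</interface>
```

Two caveats a practitioner should keep in mind. First, nwfilter rules only drop what a rule tells them to drop: on its own this filter merely permits the listed traffic, so if the goal is confinement it needs a lower-priority drop rule or has to be combined with a filter such as `clean-traffic` that drops the rest. Second, the filter acts on the VM's tap device; the host's own INPUT policy (the iptables rule from the original question) still has to accept the connection for the web server to be reachable.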

On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote:
There is a pre-defined parameter for the VM's own IP address:
http://libvirt.org/formatnwfilter.html#nwfelemsRulesAdvIPAddrDetection
but we don't have anything for the host's IP address. We could fairly easily add it though I reckon - eg provide a HOST_IP parameter.
Thanks Daniel.

On Mon, May 08, 2017 at 11:30:46AM -0400, Nicolas Bock wrote:
Thanks Daniel.
BTW, please don't misinterpret this to mean i'm going to actually implement this myself. I mostly meant

a) file a RFE bug report against libvirt's upstream bug tracker
b) if you feel motivated to look at it, you could try writing a patch for libvirt and submit it :-)

Regards,
Daniel

On Mon, May 08, 2017 at 04:57:58PM +0100, Daniel P. Berrange wrote:
BTW, please don't misinterpret this to mean i'm going to actually implement this myself. I mostly meant a) file a RFE bug report against libvirt's upstream bug tracker b) if you feel motivated to look at it, you could try writing a patch for libvirt and submit it :-)
No, I hadn't interpreted your statement like you were going to implement it :) I'll file a bug. And I'll have a look at the code.

Thanks,
Nick

On Mon, May 08, 2017 at 04:57:58PM +0100, Daniel P. Berrange wrote:
BTW, please don't misinterpret this to mean i'm going to actually implement this myself. I mostly meant a) file a RFE bug report against libvirt's upstream bug tracker b) if you feel motivated to look at it, you could try writing a patch for libvirt and submit it :-)
https://bugzilla.redhat.com/show_bug.cgi?id=1448926
participants (3): Dan, Daniel P. Berrange, Nicolas Bock