Home / server / Questions / 515897
In Process
HoverHell
Asked: 2013-06-15 07:57:41 +0800 CST

Network filtering with libvirt + xen + bridge + nat?

  • 772

How can I properly add basic network filters (clean-traffic or, at least, ip-spoofing prevention) to XEN (xend) guests managed by libvirt?

Or, in particular, can I manually execute libvirt's nwfilters from a script (for given parameters)?

I am using libvirt's network to create the bridge (default, bridge virbr0), but, apparently, the xen's vif-bridge script is used to initialize the virtualized system's networking, and libvirt drops nwfilter definitions in domain's xml (probably because it is converted to xen's native config).

xen

1 Answers

  1. I've also looked into that subject. Here is what Xen 4.x can offer, although it is not well documented and illustrated with sample scripts.

    xend-config.sxp - Xen daemon configuration file

    vif-script The name of the script in /etc/xen/scripts that will be run to setup a virtual interface when it is created or destroyed. This needs to (in general) work in unison with the network-script.

    You may override global vif-script by using script keyword inside a vif option value of any guest configuration.

    XL Network Configuration

    script Specifies the hotplug script to run to configure this device (e.g. to add it to the relevant bridge). Defaults to XEN_SCRIPT_DIR/vif-bridge but can be set to any script. Some example scripts are installed in XEN_SCRIPT_DIR.

    For most Linux systems substitute XEN_SCRIPT_DIR with /etc/xen/scripts.

    There is also at least one more specific solution in the following Xen-users mailing list discussion: preventing Hwaddr spoofing on bridge

    • 0