libvirt-Network Filter

2023-03-10 13:20:13


Introduction

This introduction to libvirt-nwfilter covers two things: ebtables, and nwfilter itself. nwfilter is built on top of ebtables (plus iptables/ip6tables for the IP-layer rules): every nwfilter rule is translated into rules in those tools, so once a filter is in place you can use ebtables (and iptables) to check whether the rules were actually installed on the VM's tap device.

libvirt-nwfilter is the VM network-management facility libvirt provides for configuring network firewalls for groups of VMs.

Its purpose is to let the host administrator filter a VM's network packets through an abstract, standardized configuration, precise down to each network card of each VM. The same filter can be reused by different VMs, or each VM can get its own filter. Once the nwfilter rules are configured, libvirt automatically converts them into the corresponding iptables or ebtables rules when the VM starts and loads them onto the tap device backing the VM's network card.

  • nwfilter

Network filtering XML gives the virtualization administrator a way to express filtering rules for network traffic; by setting filter parameters the administrator decides which traffic a VM may receive and forward. Because the rules are enforced on the host and cannot be bypassed from inside the guest, a filter is mandatory access control from the VM user's point of view. The subsystem lets every VM's filter table be configured individually: the access-control table can be set when the VM starts, and the rules can also be changed while the VM is running by editing the network filter XML. libvirt lets several VMs share one filter; when that filter is modified, the rules of every running VM that references it are updated automatically. Deployed on a KVM server, network filtering XML provides network isolation between VMs, anti-spoofing/intrusion prevention and bulk management. OpenStack's libvirt driver historically built its VM firewall rules on nwfilter.
  • ebtables

Official description

The ebtables program is a filtering tool for a Linux-based bridging firewall. It enables transparent filtering of network traffic passing through a Linux bridge. The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers. Advanced logging, MAC DNAT/SNAT and brouter facilities are also included.

The ebtables tool can be combined with the other Linux filtering tools (iptables, ip6tables and arptables) to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture which is a part of the standard Linux kernel.

The ebtables and arptables codebase is maintained by the netfilter developers, who were so kind to take over maintenance of the software. This website is kept mainly as a documentation reference.

It is the filtering tool for Linux bridges; its rules filter at the link layer.

Commands

Filters are managed from the virsh console. There are five main commands:

virsh # nwfilter-
nwfilter-define    nwfilter-dumpxml   nwfilter-edit      nwfilter-list      nwfilter-undefine
  • nwfilter-define
NAME
    nwfilter-define - define or update a network filter from an XML file
SYNOPSIS
	nwfilter-define <file>
DESCRIPTION
	Define a new network filter or update an existing one.
OPTIONS
	[--file] <string>  file containing an XML network filter description

Usage:

nwfilter-define path.xml

Function: the nwfilter counterpart of define. It loads (and normalizes) the filter XML so that VMs can reference the filter by name. Running it against a filter that already exists updates that filter in place, and libvirt re-instantiates the rules on every running VM interface that references it.

  • nwfilter-dumpxml
NAME
	nwfilter-dumpxml - network filter information in XML
SYNOPSIS
	nwfilter-dumpxml <nwfilter>
DESCRIPTION
	Output the network filter information as an XML dump to stdout.
OPTIONS
	[--nwfilter] <string>  network filter name or uuid

Usage:

nwfilter-dumpxml name-or-uuid

Function: like cat; prints the filter's XML to stdout. Either the name or the UUID can be given, as shown below.

 UUID                                  Name                 
------------------------------------------------------------------
 3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886  allow-arp  
 
 virsh # nwfilter-dumpxml allow-arp
<filter name='allow-arp' chain='arp' priority='-500'>
  <uuid>3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886</uuid>
  <rule action='accept' direction='inout' priority='500'/>
</filter>

virsh # nwfilter-dumpxml 3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886
<filter name='allow-arp' chain='arp' priority='-500'>
  <uuid>3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886</uuid>
  <rule action='accept' direction='inout' priority='500'/>
</filter>
  • nwfilter-edit
NAME
	nwfilter-edit - edit XML configuration for a network filter
SYNOPSIS
	nwfilter-edit <nwfilter>
DESCRIPTION
	Edit the XML configuration for a network filter.
OPTIONS
	[--nwfilter] <string>  network filter name or uuid

Function: opens the filter XML in an editor, like virsh edit. The change is defined when the editor exits and takes effect immediately on every running VM interface that references the filter.

  • nwfilter-list
  NAME
    nwfilter-list - list network filters

  SYNOPSIS
    nwfilter-list

  DESCRIPTION
    Returns list of network filters.

Function: lists the filters currently defined and available for use. A fresh installation ships the following ones:

virsh # nwfilter-list
 UUID                                  Name                 
------------------------------------------------------------------
 3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886  allow-arp           
 675ab5ba-686e-4ce3-a1b7-a2210d81e7eb  allow-dhcp          
 8b0620fa-f1d6-4002-a1c1-a65fee662187  allow-dhcp-server   
 587e3cf8-ef8c-434b-8983-cc8e169f145f  allow-incoming-ipv4 
 b170b35e-a602-42df-847f-1e4ca10ad7aa  allow-ipv4          
 5c0fe721-8071-465e-979b-f935beb938f4  clean-traffic       
 fbc91fd1-19b4-4833-8fbe-1d7f795003f3  no-arp-ip-spoofing  
 f91440d6-3b3a-4fec-8898-2b978f01e97e  no-arp-mac-spoofing 
 87d78eeb-8289-40ab-9616-2f6180813bc6  no-arp-spoofing     
 e0a25fc7-ff32-4156-8a1c-bf90d100b173  no-ip-multicast     
 b1d1be20-cc33-44fe-ac1d-03796d529890  no-ip-spoofing      
 0b0d75e0-e12c-43b1-8062-c1bd58303600  no-mac-broadcast    
 03fccb6d-1576-4e47-93a2-382d378cd8b2  no-mac-spoofing     
 6dab6821-8caf-4794-9be8-d7ccb26639e6  no-other-l2-traffic 
 94985992-e597-4449-8c99-3d261c3d5c34  no-other-rarp-traffic
 5d61fcbf-96a4-4c30-9c06-c853e14fa40a  qemu-announce-self  
 780863fb-3afd-43b2-a624-8372b2d2a8cc  qemu-announce-self-rarp
  • nwfilter-undefine
  NAME
    nwfilter-undefine - undefine a network filter
  SYNOPSIS
    nwfilter-undefine <nwfilter>
  DESCRIPTION
    Undefine a given network filter.
  OPTIONS
    [--nwfilter] <string>  network filter name or uuid

Function: the inverse of nwfilter-define. Removes the definition and deletes the corresponding XML file. libvirt refuses to undefine a filter that is still referenced by a running VM.

XML configuration

Official XML reference: https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoIP

1. VM XML configuration

The network traffic filtering subsystem enables configuration of network traffic filtering rules on individual network interfaces that are configured for certain types of network configurations. Supported network types are
	network
	ethernet -- must be used in bridging mode
	bridge
The interface XML is used to reference a top-level filter. In the following example, the interface description references the filter clean-traffic.

Under <devices> in the VM's XML, add the network interface. The interface must be one of the types listed above (network, bridge, or ethernet in bridging mode); the examples here use bridge.

The first configuration passes no parameters: libvirt then detects the guest's IP address itself by snooping the interface's traffic, which costs some overhead.

<devices>
  <interface type='bridge'>
    <mac address='00:16:3e:5d:c7:9e'/>
    <source bridge='br0'/>
    <filterref filter='clean-traffic'/>
  </interface>
</devices>

Configuration with a parameter, which pins the IP address the filter enforces instead of letting libvirt learn it:

<devices>
  <interface type='bridge'>
    <mac address='00:16:3e:5d:c7:9e'/>
    <source bridge='br0'/>
    <filterref filter='clean-traffic'>
      <parameter name='IP' value='10.0.0.1'/>
    </filterref>
  </interface>
</devices>

To turn automatic IP detection off entirely:

<filterref filter='clean-traffic'>
        <parameter name='CTRL_IP_LEARNING' value='none'/>
</filterref>

The other accepted values are any (learn the address from any packet, the default) and dhcp (learn it only from DHCP leases issued by trusted DHCP servers); none, as above, disables learning so that only an explicitly given IP parameter is used.

The other variables are listed below (I have not verified them myself):

Variable Name      Semantics
MAC                The MAC address of the interface
IP                 The list of IP addresses in use by an interface
IPV6               Not currently implemented: the list of IPV6 addresses in use by an interface
DHCPSERVER         The list of IP addresses of trusted DHCP servers
DHCPSERVERV6       Not currently implemented: The list of IPv6 addresses of trusted DHCP servers
CTRL_IP_LEARNING   The choice of the IP address detection mode

2. Network filter XML

2.1 Filtering chains

Libvirt's network filtering system automatically creates individual root chains for every virtual machine's network interface on which the user chooses to activate traffic filtering. The user may write filtering rules that are either directly instantiated in the root chain or may create protocol-specific filtering chains for efficient evaluation of protocol-specific rules

The chains supported by default are:

root mac stp vlan arp,rarp ipv4 ipv6

2.2 Filtering chain priorities

All chains are connected to the root chain. The order in which those chains are accessed is influenced by the priority of the chain. The following table shows the chains that can be assigned a priority and their default priorities.

The chain priority decides the order in which the protocol chains hanging off the root chain are consulted when a packet is checked; lower values come first.

Default chain priorities:

Chain (prefix)   Default priority
stp              -810
mac              -800
vlan             -750
ipv4             -700
ipv6             -600
arp              -500
rarp             -400

With that, the head and tail of a network filter XML look as follows. Note that the UUID is bound to the name and must be globally unique; if it is omitted, libvirt generates one when the filter is defined.

<filter name='no-arp-spoofing' chain='arp' priority='-500'>
    <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
</filter>

2.3 Filter rules

Example:

  <rule action='drop' direction='out' priority='500'>
    <ip match='no' srcipaddr='$IP'/>
  </rule>

This is the rule pattern the stock no-ip-spoofing filter uses: it drops every outbound IPv4 packet whose source address is not the VM's own $IP.

2.3.1 Rule header

The official explanation of each field follows.

<rule action='drop' direction='out' priority='500'>

  • action

action -- mandatory; must either be drop (matching the rule silently discards the packet with no further analysis), reject (matching the rule generates an ICMP reject message with no further analysis) (since 0.9.0), accept (matching the rule accepts the packet with no further analysis), return (matching the rule passes this filter, but returns control to the calling filter for further analysis) (since 0.9.7), or continue (matching the rule goes on to the next rule for further analysis) (since 0.9.7).

So action takes: drop (discard silently), reject (discard and send an ICMP error back to the sender), accept (pass the packet), return (stop evaluating this filter and hand control back to the filter that referenced it) and continue (go on to the next rule).

  • direction

direction -- mandatory; must either be in, out or inout if the rule is for incoming, outgoing or incoming-and-outgoing traffic

  • priority

priority -- optional; the priority of the rule controls the order in which the rule will be instantiated relative to other rules. Rules with lower value will be instantiated before rules with higher values. Valid values are in the range of 0 to 1000. Since 0.9.8 this has been extended to cover the range of -1000 to 1000. If this attribute is not provided, priority 500 will automatically be assigned. 
Note that filtering rules in the root chain are sorted with filters connected to the root chain following their priorities. This allows to interleave filtering rules with access to filter chains. (See also section on filtering chain priorities .)

  • statematch

statematch -- optional; possible values are '0' or 'false' to turn the underlying connection state matching off; default is 'true' 
Also read the section on advanced configuration topics.

statematch: connection-state matching, on by default; it normally needs no setting. Set it to '0' or 'false' only for a rule that must see packets regardless of their conntrack state.

2.3.2 Rule body

  • Supported protocols

MAC, VLAN, STP, ARP/RARP, IPv4, IPv6, TCP/UDP/SCTP, ICMP, IGMP/ESP/AH/UDPLITE/'ALL', TCP/UDP/SCTP over IPv6, ICMPv6, ESP/AH/UDPLITE/'ALL' over IPv6

  • Rule fields

<rule action='drop' direction='in'>
  <protocol match='no' attribute1='value1' attribute2='value2'/>
  <protocol attribute3='value3'/>
</rule>

match='no' negates the attributes of that element; it is how exceptions are expressed (drop everything except ...).

Evaluation:

Rules perform a logical AND evaluation on all values of the given protocol attributes. Thus, if a single attribute's value does not match the one given in the rule, the whole rule will be skipped during evaluation. Therefore, in the above example incoming traffic will only be dropped if the protocol property attribute1 does not match value1 AND the protocol property attribute2 does not match value2 AND the protocol property attribute3 matches value3. 

value1 and value2 are ANDed conditions (each one negated): the rule matches, and the packet is dropped, only when attribute1 differs from value1 AND attribute2 differs from value2 AND attribute3 equals value3. Note that match='no' negates each attribute on its own, not the element as a whole, so two attributes under one match='no' form a stricter condition than "not (value1 and value2)".

<rule action='drop' direction='in' priority='400'>
  <tcp connlimit-above='1'/>
</rule>

connlimit-above: caps the number of parallel connections from one source address (iptables' connlimit match); the rule above drops a second concurrent inbound TCP connection from the same client.

MAC protocol

Attribute              Datatype                        Semantics
srcmacaddr             MAC_ADDR                        MAC address of sender
srcmacmask             MAC_MASK                        Mask applied to MAC address of sender
dstmacaddr             MAC_ADDR                        MAC address of destination
dstmacmask             MAC_MASK                        Mask applied to MAC address of destination
protocolid             UINT16 (0x600-0xffff), STRING   Layer 3 protocol ID
comment (Since 0.8.5)  STRING                          text with max. 256 characters

The element the stock no-mac-spoofing filter uses to drop frames whose source MAC is not the VM's:

<mac match='no' srcmacaddr='$MAC'/>

VLAN, ARP/RARP

VLAN and ARP/RARP are not covered here; they are rarely written by hand, since the stock no-arp-*-spoofing filters already cover the ARP case.

IPv4

Attribute              Datatype                     Semantics
srcmacaddr             MAC_ADDR                     MAC address of sender
srcmacmask             MAC_MASK                     Mask applied to MAC address of sender
dstmacaddr             MAC_ADDR                     MAC address of destination
dstmacmask             MAC_MASK                     Mask applied to MAC address of destination
srcipaddr              IP_ADDR                      Source IP address
srcipmask              IP_MASK                      Mask applied to source IP address
dstipaddr              IP_ADDR                      Destination IP address
dstipmask              IP_MASK                      Mask applied to destination IP address
protocol               UINT8, STRING                Layer 4 protocol identifier
srcportstart           UINT16                       Start of range of valid source ports; requires protocol
srcportend             UINT16                       End of range of valid source ports; requires protocol
dstportstart           UINT16                       Start of range of valid destination ports; requires protocol
dstportend             UINT16                       End of range of valid destination ports; requires protocol
dscp                   UINT8 (0x0-0x3f, 0 - 63)     Differentiated Services Code Point
comment (Since 0.8.5)  STRING                       text with max. 256 characters

IPv6

IPv6 is not covered.

TCP/UDP/SCTP

Attribute                 Datatype                     Semantics
srcmacaddr                MAC_ADDR                     MAC address of sender
srcipaddr                 IP_ADDR                      Source IP address
srcipmask                 IP_MASK                      Mask applied to source IP address
dstipaddr                 IP_ADDR                      Destination IP address
dstipmask                 IP_MASK                      Mask applied to destination IP address
srcipfrom                 IP_ADDR                      Start of range of source IP address
srcipto                   IP_ADDR                      End of range of source IP address
dstipfrom                 IP_ADDR                      Start of range of destination IP address
dstipto                   IP_ADDR                      End of range of destination IP address
srcportstart              UINT16                       Start of range of valid source ports
srcportend                UINT16                       End of range of valid source ports
dstportstart              UINT16                       Start of range of valid destination ports
dstportend                UINT16                       End of range of valid destination ports
dscp                      UINT8 (0x0-0x3f, 0 - 63)     Differentiated Services Code Point
comment (Since 0.8.5)     STRING                       text with max. 256 characters
state (Since 0.8.5)       STRING                       comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE
flags (Since 0.9.1)       STRING                       TCP-only: format of mask/flags with mask and flags each being a comma separated list of SYN,ACK,URG,PSH,FIN,RST or NONE or ALL
ipset (Since 0.9.13)      STRING                       The name of an IPSet managed outside of libvirt
ipsetflags (Since 0.9.13) IPSETFLAGS                   flags for the IPSet; requires ipset attribute

ICMP

Attribute                 Datatype                     Semantics
srcmacaddr                MAC_ADDR                     MAC address of sender
srcmacmask                MAC_MASK                     Mask applied to MAC address of sender
dstmacaddr                MAC_ADDR                     MAC address of destination
dstmacmask                MAC_MASK                     Mask applied to MAC address of destination
srcipaddr                 IP_ADDR                      Source IP address
srcipmask                 IP_MASK                      Mask applied to source IP address
dstipaddr                 IP_ADDR                      Destination IP address
dstipmask                 IP_MASK                      Mask applied to destination IP address
srcipfrom                 IP_ADDR                      Start of range of source IP address
srcipto                   IP_ADDR                      End of range of source IP address
dstipfrom                 IP_ADDR                      Start of range of destination IP address
dstipto                   IP_ADDR                      End of range of destination IP address
type                      UINT16                       ICMP type
code                      UINT16                       ICMP code
dscp                      UINT8 (0x0-0x3f, 0 - 63)     Differentiated Services Code Point
comment (Since 0.8.5)     STRING                       text with max. 256 characters
state (Since 0.8.5)       STRING                       comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE
ipset (Since 0.9.13)      STRING                       The name of an IPSet managed outside of libvirt
ipsetflags (Since 0.9.13) IPSETFLAGS                   flags for the IPSet; requires ipset attribute

Other protocols are not covered.

Note: an IP mask can be written either as a prefix length ("24") or in dotted form ("255.255.255.0"); nwfilter-define normalizes it when the filter is defined.

2.3.4 Common rule example (from the libvirt documentation)

<filter name='test-eth0'>
  <!-- reference the clean traffic filter to prevent
       MAC, IP and ARP spoofing. By not providing
       an IP address parameter, libvirt will detect the
       IP address the VM is using. -->
  <filterref filter='clean-traffic'/>

  <!-- enable TCP port 21 (ftp-control) to be reachable -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='21'/>
  </rule>

  <!-- enable TCP port 20 for VM-initiated ftp data connection
       related to an existing ftp control connection -->
  <rule action='accept' direction='out'>
    <tcp srcportstart='20' state='RELATED,ESTABLISHED'/>
  </rule>

  <!-- accept all packets from client on the ftp data connection -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='20' state='ESTABLISHED'/>
  </rule>

  <!-- enable TCP ports 22 (ssh) and 80 (http) to be reachable -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='22'/>
  </rule>

  <rule action='accept' direction='in'>
    <tcp dstportstart='80'/>
  </rule>

  <!-- enable general ICMP traffic to be initiated by the VM;
       this includes ping traffic -->
  <rule action='accept' direction='out'>
    <icmp/>
  </rule>

  <!-- enable outgoing DNS lookups using UDP -->
  <rule action='accept' direction='out'>
    <udp dstportstart='53'/>
  </rule>

  <!-- drop all other traffic -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>

</filter>
2.3.5 Author's example

<filter name='rule' chain='root'>
  <uuid>4e82be8f-5d76-45a1-8446-xxxxxxxxxxx</uuid>
  <!-- catch-all inbound drop. Lower priority values are instantiated first, so the
       priority-100 accept rules below are checked before this priority-200 drop. -->
  <rule action='drop' direction='in' priority='200'/>
  <rule action='accept' direction='in' priority='100'>      <!-- traffic towards the VM -->
    <tcp dstmacaddr='52:54:00:4b:aa:1f'/>                   <!-- the VM's own MAC -->
    <tcp dstportstart='24' dstportend='65535'/>             <!-- port range; ports are UINT16, so 65535 is the top -->
    <tcp srcipaddr='172.22.222.222'/>                       <!-- peer IP -->
    <tcp srcipmask='0'/>                                    <!-- mask 0 matches any source; use 32 to pin the single peer -->
  </rule>
  <rule action='accept' direction='out' priority='100'>
    <tcp srcmacaddr='52:54:00:4b:aa:1f'/>
    <tcp srcportstart='1' srcportend='65535'/>
    <tcp dstipaddr='172.22.222.222'/>
    <tcp dstipmask='0'/>
  </rule>
  <rule action='accept' direction='inout' priority='100'>
    <tcp srcmacaddr='52:54:00:4b:aa:1f'/>
    <tcp srcportstart='1' srcportend='65535'/>
    <tcp dstipaddr='172.22.222.222'/>
    <tcp dstipmask='0'/>
  </rule>
</filter>

This example targets TCP; other protocols work the same way. The comments are ordinary XML comments and may stay in the file passed to nwfilter-define. Be aware that with mask 0 the IP attributes match any address, so as written the filter accepts TCP from anyone to ports 24-65535 and all TCP from the VM; tighten the masks before using it as a template.
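A filter like the one above can be sanity-checked offline before it is defined. The evaluator below is an added example written for this page (not libvirt code) that applies the semantics from 2.3.1 and 2.3.2: rules run in ascending priority with 500 as the default, a protocol element's attributes are ANDed, match='no' negates each attribute on its own, and a packet matching no rule falls through. The filter, the MAC 52:54:00:4b:aa:1f, the 172.22.222.0/24 management network and the packets are constructed for the example; chains, $IP parameters and real connection tracking are not modelled, and reporting fall-through as accept is the evaluator's own assumption.

```python
"""Offline evaluator for libvirt nwfilter rule semantics (added example, not libvirt code).

Models only what the text documents: ascending rule priority (default 500, range -1000..1000),
AND over a protocol element's attributes, match='no' negating each attribute, continue/return.
Chains, $VAR parameters and real conntrack are out of scope ('state' is a literal packet field).
A packet matching no rule is reported as accepted (an assumption; hence the drop-all rule).
"""
import ipaddress
import xml.etree.ElementTree as ET

DEFAULT_PRIORITY = 500
TERMINAL = {"accept", "drop", "reject"}
# Consumed together with their partner attribute, or not a match criterion at all.
PARTNER = {"srcipmask", "dstipmask", "srcportend", "dstportend", "match", "comment"}
VM_MAC = "52:54:00:4b:aa:1f"   # the guest's MAC in the constructed samples below


def _in_net(addr, base, mask):
    """Prefix length ('24') or dotted mask, as nwfilter-define accepts both."""
    net = ipaddress.ip_network(f"{base}/{32 if mask is None else mask}", strict=False)
    return ipaddress.ip_address(addr) in net


def _test_attr(name, want, attrs, pkt):
    """Does one attribute of a protocol element match the packet?"""
    if name in ("srcipaddr", "dstipaddr"):
        have = pkt.get(name)
        return have is not None and _in_net(have, want, attrs.get(name[:5] + "mask"))
    if name in ("srcportstart", "dstportstart"):          # a range; the end defaults to the start
        port = pkt.get(name[:3] + "port")
        return port is not None and int(want) <= port <= int(attrs.get(name[:3] + "portend", want))
    if name == "state":
        return pkt.get("state") in want.split(",")
    if name in ("srcmacaddr", "dstmacaddr"):
        return (pkt.get(name) or "").lower() == want.lower()
    return str(pkt.get(name)) == want


def _element_matches(el, pkt):
    """AND over the attributes. match='no' negates each attribute on its own (the docs say
    'attribute1 does not match value1 AND attribute2 does not match value2'); the protocol
    itself is never negated because the element lives in that protocol's chain."""
    if el.tag == "all":
        proto_ok = True
    elif el.tag == "ip":
        proto_ok = "srcipaddr" in pkt                     # any IPv4 packet
    else:
        proto_ok = pkt.get("proto") == el.tag
    if not proto_ok:
        return False
    negate = el.get("match") == "no"
    for name, want in el.attrib.items():
        if name not in PARTNER and _test_attr(name, want, el.attrib, pkt) == negate:
            return False
    return True


def _rule_matches(rule, pkt):
    if rule.get("direction") not in ("inout", pkt["direction"]):
        return False
    # all() of no elements is True: a rule without a protocol element (the stock allow-arp
    # filter has one) matches every packet that reaches it.
    return all(_element_matches(el, pkt) for el in rule)


def _priority(rule):
    p = int(rule.get("priority", DEFAULT_PRIORITY))
    if not -1000 <= p <= 1000:
        raise ValueError(f"rule priority {p} outside -1000..1000")
    return p


def evaluate(filter_xml, pkt):
    """(action, comment of the deciding rule), or ('accept', 'no rule matched')."""
    root = ET.fromstring(filter_xml)
    for rule in sorted(root.findall("rule"), key=_priority):   # stable: ties keep document order
        if not _rule_matches(rule, pkt):
            continue
        action = rule.get("action")
        if action in TERMINAL:
            return action, next((el.get("comment") for el in rule if el.get("comment")), None)
        if action == "return":        # back to the calling filter; there is none here
            break
    return "accept", "no rule matched"


# Constructed sample filter. The drop-all rule is written first on purpose: with the default
# priority 500 it is still evaluated after the priority-100 and priority-200 rules.
FILTER_XML = f"""<filter name='demo-eth0' chain='root'>
  <rule action='drop' direction='inout'><all comment='default-deny'/></rule>
  <rule action='accept' direction='in' priority='100'>
    <tcp dstmacaddr='{VM_MAC}' dstportstart='22' srcipaddr='172.22.222.0' srcipmask='255.255.255.0' comment='ssh-from-mgmt'/>
  </rule>
  <rule action='drop' direction='in' priority='200'>
    <ip match='no' srcipaddr='172.22.222.0' srcipmask='24' comment='not-mgmt'/>
  </rule>
  <rule action='accept' direction='out' priority='100'>
    <tcp srcmacaddr='{VM_MAC}' state='ESTABLISHED,RELATED' comment='vm-replies'/>
  </rule>
</filter>"""

# Same idea without the drop-all rule, to show what falls through.
OPEN_FILTER_XML = f"""<filter name='open-eth0' chain='root'>
  <rule action='accept' direction='in' priority='100'><tcp dstmacaddr='{VM_MAC}' dstportstart='22'/></rule>
</filter>"""


def packet(direction, proto, src, dst, dport, state="NEW", sport=40000):
    """Constructed packet as seen on the guest's tap device ('in' = towards the guest)."""
    peer = "52:54:00:00:00:01"
    return {"direction": direction, "proto": proto, "srcipaddr": src, "dstipaddr": dst,
            "srcport": sport, "dstport": dport, "state": state,
            "dstmacaddr": VM_MAC if direction == "in" else peer,
            "srcmacaddr": VM_MAC if direction == "out" else peer}
```

evaluate(FILTER_XML, packet('in', 'tcp', '10.1.2.3', '172.22.222.50', 22)) returns ('drop', 'not-mgmt') from the priority-200 rule, while the same packet from 172.22.222.5 returns ('accept', 'ssh-from-mgmt'); against OPEN_FILTER_XML any outbound packet returns ('accept', 'no rule matched'), which is why the stock example closes with a drop-all rule.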

2.3.6 Other information

nwfilter has no deny-by-default of its own. A packet that matches no rule of the filter leaves the libvirt-generated chains and continues through the host's remaining ebtables/iptables rules, whose policy is normally ACCEPT, and this holds in both directions. To get deny-by-default, end the filter with an explicit drop rule, as the test-eth0 example does with its inout drop rule on <all/> and the author's example does with its priority-200 inbound drop.

The default XML directory is

/etc/libvirt/nwfilter
#ls
allow-arp.xml            clean-traffic.xml        no-ip-multicast.xml      no-other-rarp-traffic.xml
allow-dhcp-server.xml    clean-traffic.xml_bak    no-ip-spoofing.xml       qemu-announce-self-rarp.xml
allow-dhcp.xml           no-arp-ip-spoofing.xml   no-mac-broadcast.xml     qemu-announce-self.xml
allow-incoming-ipv4.xml  no-arp-mac-spoofing.xml  no-mac-spoofing.xml      
allow-ipv4.xml           no-arp-spoofing.xml      no-other-l2-traffic.xml  

Network Filter API

Official reference: https://libvirt.org/html/libvirt-libvirt-nwfilter.html#virNWFilterBindingCreateXML

The website documents the latest version of the API. To see which interfaces your installed version actually supports, look at the headers under /usr/include/libvirt:

libvirt-admin.h            libvirt-event.h      libvirt-lxc.h       libvirt-qemu.h     virterror.h
libvirt-common.h           libvirt.h            libvirt-network.h   libvirt-secret.h
libvirt-domain.h           libvirt-host.h       libvirt-nodedev.h   libvirt-storage.h
libvirt-domain-snapshot.h  libvirt-interface.h  libvirt-nwfilter.h  libvirt-stream.h

The nwfilter functions live in libvirt-nwfilter.h. When developing, including libvirt/libvirt.h is enough, since it pulls in all the sub-headers.

libvirt.h contents:

#ifndef __VIR_VIRLIB_H__
# define __VIR_VIRLIB_H__

# include <sys/types.h>

# ifdef __cplusplus
extern "C" {
# endif

# define __VIR_LIBVIRT_H_INCLUDES__
# include <libvirt/libvirt-common.h>
# include <libvirt/libvirt-host.h>
# include <libvirt/libvirt-domain.h>
# include <libvirt/libvirt-domain-snapshot.h>
# include <libvirt/libvirt-event.h>
# include <libvirt/libvirt-interface.h>
# include <libvirt/libvirt-network.h>
# include <libvirt/libvirt-nodedev.h>
# include <libvirt/libvirt-nwfilter.h>
# include <libvirt/libvirt-secret.h>
# include <libvirt/libvirt-storage.h>
# include <libvirt/libvirt-stream.h>
# undef __VIR_LIBVIRT_H_INCLUDES__

# ifdef __cplusplus
}
# endif

#endif /* __VIR_VIRLIB_H__ */

The main interfaces in libvirt-nwfilter.h:

#ifndef __VIR_LIBVIRT_NWFILTER_H__
# define __VIR_LIBVIRT_NWFILTER_H__

# ifndef __VIR_LIBVIRT_H_INCLUDES__
#  error "Don't include this file directly, only use libvirt/libvirt.h"
# endif

/**
 * virNWFilter:
 *
 * a virNWFilter is a private structure representing a network filter
 */
typedef struct _virNWFilter virNWFilter;

/**
 * virNWFilterPtr:
 *
 * a virNWFilterPtr is pointer to a virNWFilter private structure,
 * this is the type used to reference a network filter in the API.
 */
typedef virNWFilter *virNWFilterPtr;  
/*
 * List NWFilters
 */
int                     virConnectNumOfNWFilters (virConnectPtr conn);
int                     virConnectListNWFilters  (virConnectPtr conn,
                                                  char **const names,
                                                  int maxnames);
int                     virConnectListAllNWFilters(virConnectPtr conn,
                                                   virNWFilterPtr **filters,
                                                   unsigned int flags);
/*
 * Lookup nwfilter by name or uuid
 */
virNWFilterPtr          virNWFilterLookupByName       (virConnectPtr conn,
                                                       const char *name);
virNWFilterPtr          virNWFilterLookupByUUID       (virConnectPtr conn,
                                                       const unsigned char *uuid);
virNWFilterPtr          virNWFilterLookupByUUIDString (virConnectPtr conn,
                                                       const char *uuidstr);
/*
 * Define persistent nwfilter
 */
virNWFilterPtr          virNWFilterDefineXML    (virConnectPtr conn,
                                                 const char *xmlDesc);

/*
 * Delete persistent nwfilter
 */
int                     virNWFilterUndefine     (virNWFilterPtr nwfilter);

/*
 * NWFilter destroy/free
 */
int                     virNWFilterRef          (virNWFilterPtr nwfilter);
int                     virNWFilterFree         (virNWFilterPtr nwfilter);

/*
 * NWFilter information
 */
const char*             virNWFilterGetName       (virNWFilterPtr nwfilter);
int                     virNWFilterGetUUID       (virNWFilterPtr nwfilter,
                                                  unsigned char *uuid);
int                     virNWFilterGetUUIDString (virNWFilterPtr nwfilter,
                                                  char *buf);
char *                  virNWFilterGetXMLDesc    (virNWFilterPtr nwfilter,
                                                  unsigned int flags);

#endif /* __VIR_LIBVIRT_NWFILTER_H__ */

As with the command line, the nwfilter API call that real development mostly needs is:

virNWFilterPtr          virNWFilterDefineXML    (virConnectPtr conn,const char *xmlDesc);

It is the equivalent of the nwfilter-define command and defines (or updates) a network filter from its XML.

Example:

#include <list>
#include <string>
#include <libvirt/libvirt.h>

namespace nwfilter_str {

// Inbound accept rule: <protocol> traffic from ip/ipmask to the VM's MAC on [startPort, endPort].
static std::string in_rule(std::string mac, std::string protocol, std::string startPort, std::string endPort, std::string ip, std::string ipmask)
{
    return std::string("<rule action='accept' direction='in' priority='100'>\n")
        + "<" + protocol + " dstmacaddr='" + mac + "'/>\n"
        + "<" + protocol + " dstportstart='" + startPort + "' dstportend='" + endPort + "'/>\n"
        + "<" + protocol + " srcipaddr='" + ip + "'/>\n"
        + "<" + protocol + " srcipmask='" + ipmask + "'/>\n"
        + "</rule>\n";
}

// Bidirectional accept rule keyed on the VM's MAC as source and the peer as destination.
static std::string inout_rule(std::string mac, std::string protocol, std::string startPort, std::string endPort, std::string ip, std::string ipmask)
{
    return std::string("<rule action='accept' direction='inout' priority='100'>\n")
        + "<" + protocol + " srcmacaddr='" + mac + "'/>\n"
        + "<" + protocol + " srcportstart='" + startPort + "' srcportend='" + endPort + "'/>\n"
        + "<" + protocol + " dstipaddr='" + ip + "'/>\n"
        + "<" + protocol + " dstipmask='" + ipmask + "'/>\n"
        + "</rule>\n";
}

// Wrap the rules in a <filter>. The priority-200 inbound drop is instantiated after the
// priority-100 accept rules, so it acts as the default for everything they did not accept.
static std::string rule_xml(std::string uuid, std::list<std::string> list)
{
    std::string xmlHeader = "<filter name='safe-rule' chain='root'>\n <uuid>" + uuid + "</uuid>\n";
    std::string xmlDefault = "<rule action='drop' direction='in' priority='200'/>\n";
    std::string xmlRule;
    for (const auto &it : list)
        xmlRule += it;
    std::string xmlTail = "</filter>\n";

    return xmlHeader + xmlDefault + xmlRule + xmlTail;
}

} // namespace nwfilter_str

The values are pasted into the XML unescaped and unchecked, so validate mac, ip, ipmask and the ports before building the document; otherwise libvirt rejects it (or, for a value containing a quote, parses something other than what was intended).

The call then looks like this:

// Keep the std::string alive for the whole call. Do not store rule_xml(...).c_str(): that
// pointer refers to a temporary and dangles as soon as the statement ends.
std::string nwxml = nwfilter_str::rule_xml(std::string("4e82be8f-5d76-45a1-8446-66a527f39115"), ruleList);
virNWFilterPtr nwf = virNWFilterDefineXML(conn, nwxml.c_str());
if (nwf == NULL) {
    // virGetLastError() carries the reason, e.g. an out-of-range port or a malformed mask
} else {
    virNWFilterFree(nwf);   // the filter stays defined in libvirt; only the handle is released
}

Other prerequisites are not covered here; the earlier post on getting the guest IP through the libvirt API describes them in detail.

The current official documentation also lists

virNWFilterBindingPtr	virNWFilterBindingCreateXML	(virConnectPtr conn, const char * xml, unsigned int flags)

described as:

Define a new network filter, based on an XML description similar to the one returned by virNWFilterGetXMLDesc(). This API may be used to associate a filter with a currently running guest that does not have a filter defined for a specific network port. Since the bindings are generally automatically managed by the hypervisor, using this command to define a filter for a network port and then starting the guest afterwards may prevent the guest from starting if it attempts to use the network port and finds a filter already defined.

So this API binds a filter to the network port of a guest that is already running. The XML it takes is not a <filter> document but a <filterbinding> document naming the owning domain (<owner> with <name> and <uuid>), the port device (<portdev name='vnetN'/>), the interface MAC and a <filterref>; virsh exposes the same thing as nwfilter-binding-create, nwfilter-binding-list, nwfilter-binding-dumpxml and nwfilter-binding-delete (libvirt 4.5.0 and later). I have not tested it myself. It differs from

virNWFilterPtr	virNWFilterDefineXML	(virConnectPtr conn, const char * xmlDesc)

described as:

Define a new network filter, based on an XML description similar to the one returned by virNWFilterGetXMLDesc()
virNWFilterFree should be used to free the resources after the nwfilter object is no longer needed.

virNWFilterDefineXML affects a running VM only if that VM's interface XML already carries a <filterref> to the filter; in that case libvirt re-instantiates the rules immediately. virNWFilterBindingCreateXML needs no such preparation: because the binding names the domain and the port device, it targets one specific running VM directly. Note the caveat in its description: bindings are normally created by libvirt itself when a guest starts, so a binding created by hand for a port that a guest later tries to use can stop that guest from starting. The libvir-list thread I found on this is:

https://www.redhat.com/archives/libvir-list/2018-August/msg01407.html

It also shows the function

 int virDomainConfNWFilterInstantiate(const char *vmname,
                                      const unsigned char *vmuuid,
                                      virDomainNetDefPtr net,
                                      bool ignoreExists,
                                      bool ignoreDeleted);

which is internal to libvirtd (src/conf) and not part of the public API, so client code cannot call it; the public equivalent is the binding API above.
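The string-concatenation builder shown earlier and the mask note after the protocol tables both point at the same need: a builder that validates its inputs before libvirt sees them. The following is an added example written for this page (not libvirt code or the author's) that produces a <filter> document with the same three-rule shape and a <filterbinding> document for the binding API, using xml.etree so that every attribute value is escaped. It rejects what nwfilter-define would refuse (ports outside 0..65535, a start port above the end port, malformed MACs or UUIDs, over-long comments) and normalizes a dotted mask to a prefix length as nwfilter-define does. The names 'safe-rule' and 'vnet0' and the addresses are assumed values; conn is a libvirt-python virConnect, and the nwfilterDefineXML / nwfilterBindingCreateXML methods are libvirt-python's bindings of the two C functions discussed above.

```python
"""Build nwfilter <filter> and <filterbinding> documents from validated inputs.

Added example for this page, not libvirt code. xml.etree escapes every attribute value, and the
checks reject what nwfilter-define would refuse or what would silently widen a rule: ports outside
0..65535, start above end, malformed MACs or UUIDs, over-long comments. A dotted IP mask is
normalized to a prefix length as nwfilter-define does. Names ('safe-rule', 'vnet0') and
addresses are assumed values; conn is a libvirt-python virConnect (libvirt.open('qemu:///system')).
"""
import ipaddress
import re
import uuid
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")   # filter and tap names: keep them boring
MAX_COMMENT = 256                                  # documented limit of the comment attribute


def check_mac(mac):
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address {mac!r}")
    return mac


def check_ports(start, end):
    start, end = int(start), int(end)
    if not 0 <= start <= end <= 65535:             # UINT16 and a non-empty range
        raise ValueError(f"bad port range {start}-{end}")
    return start, end


def check_network(ip, mask):
    """Return (address, prefix length); '24' and '255.255.255.0' are both accepted."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(ipaddress.ip_address(ip)), net.prefixlen


def check_name(name):
    if not NAME_RE.match(name):
        raise ValueError(f"bad name {name!r}")
    return name


def _rule(parent, action, direction, priority, proto, **attrs):
    rule = ET.SubElement(parent, "rule", action=action, direction=direction, priority=str(priority))
    ET.SubElement(rule, proto, {k: str(v) for k, v in attrs.items()})


def build_filter(name, filter_uuid, vm_mac, proto, start_port, end_port, peer_ip, peer_mask, comment=""):
    """The peer network may reach the guest's port range, the guest may answer on tracked
    connections, and everything else inbound is dropped."""
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    if len(comment) > MAX_COMMENT:
        raise ValueError("comment longer than 256 characters")
    vm_mac = check_mac(vm_mac)
    start, end = check_ports(start_port, end_port)
    peer_ip, prefix = check_network(peer_ip, peer_mask)
    f = ET.Element("filter", name=check_name(name), chain="root")
    ET.SubElement(f, "uuid").text = str(uuid.UUID(filter_uuid))   # raises on a malformed UUID
    inbound = dict(dstmacaddr=vm_mac, dstportstart=start, dstportend=end, srcipaddr=peer_ip, srcipmask=prefix)
    if comment:
        inbound["comment"] = comment
    _rule(f, "accept", "in", 100, proto, **inbound)
    _rule(f, "accept", "out", 100, proto, srcmacaddr=vm_mac, srcportstart=start, srcportend=end,
          dstipaddr=peer_ip, dstipmask=prefix, state="ESTABLISHED,RELATED")
    _rule(f, "drop", "in", 200, "all")   # lower values run first, so this sits after the accepts
    return ET.tostring(f, encoding="unicode")


def build_binding(owner_name, owner_uuid, portdev, vm_mac, filter_name, ip=None):
    """<filterbinding> for virNWFilterBindingCreateXML / virsh nwfilter-binding-create (libvirt >= 4.5.0):
    attaches filter_name to one tap device of a guest that is already running."""
    b = ET.Element("filterbinding")
    owner = ET.SubElement(b, "owner")
    ET.SubElement(owner, "name").text = owner_name
    ET.SubElement(owner, "uuid").text = str(uuid.UUID(owner_uuid))
    ET.SubElement(b, "portdev", name=check_name(portdev))
    ET.SubElement(b, "mac", address=check_mac(vm_mac))
    ref = ET.SubElement(b, "filterref", filter=check_name(filter_name))
    if ip is not None:   # pin the address instead of letting libvirt learn it from traffic
        ET.SubElement(ref, "parameter", name="IP", value=str(ipaddress.ip_address(ip)))
    return ET.tostring(b, encoding="unicode")


def define_and_bind(conn, filter_xml, binding_xml):
    """Define (or update) the filter, then bind it to the running guest's port."""
    nwf = conn.nwfilterDefineXML(filter_xml)                 # virsh nwfilter-define
    binding = conn.nwfilterBindingCreateXML(binding_xml)     # virsh nwfilter-binding-create
    return nwf, binding
```

With the author's inputs, build_filter('safe-rule', '4e82be8f-5d76-45a1-8446-66a527f39115', '52:54:00:4b:aa:1f', 'tcp', 24, 65535, '172.22.222.222', '32') yields a document libvirt accepts, whereas the 65536 upper port from the earlier example raises ValueError before any libvirt call, and a redacted UUID such as the 'xxxxxxxxxxx' one is rejected by uuid.UUID.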
