libvirt-Network Filter
简介
对libvirt-nwfilter 的介主要讲,两个东西,一个是ebtables 。另一个就是它本身nwfilter。nwfilter主要基于ebtables进行开发或者说配置。其中的一些规则设置好之后,可以利用ebtables查看规则是否设置成功。
libvirt-nwfilter ,主要由libvirt提供的虚拟机网络管理,进行虚拟机群组的网络防火墙设置。
其目的在于可让系统管理员在host上通过一套抽象的标准化的配置方式实现对vm的网络数据包的过滤,可以准确的控制到每个vm的每块网卡上。同一个filter规则可以被不同的vm重复使用,当然也可以为每一个vm创建不同的filter规则。当nwfilter规则配置好之后,启动vm的时候libvirt会自动将配置规则转换为对应的iptables或者ebtables规则,加载到vm对应的网卡tap设备上。
- nwfilter
Network filtering XML为虚拟化系统管理员提供对了一种网络流量的过滤规则,系统管理员可以通过配置过滤参数,实 施和管理对虚拟机网络流量的接受和转发。由于过滤规则不能绕过直接进入虚拟机内,它使得一个filter对虚拟用户的访问控制具有强制性。 Network filtering子系统允许每一个虚拟机的网络过滤表可以被单独配置。我们可以在启动时配置虚拟机的访问控制过滤表,也可以在虚拟器运行时对虚拟机的规则进行修改。后者可以通过修改network filter XML的方式进行。 Libvirt允许多台虚拟机共用一个。当filter被修改时,所有运行的虚拟机都会自动更新filter的过滤规则。Network filtering XML部署在KVM Server上可以实现:虚拟网络隔离、入侵防护、批量管理等功能。Openstack的网络控制就是基于Network filter。
- ebtables
官方介绍:
代码语言:javascript复制The ebtables program is a filtering tool for a Linux-based bridging firewall. It enables transparent filtering of network traffic passing through a Linux bridge. The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers. Advanced logging, MAC DNAT/SNAT and brouter facilities are also included.
The ebtables tool can be combined with the other Linux filtering tools (iptables, ip6tables and arptables) to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture which is a part of the standard Linux kernel.
The ebtables and arptables codebase is maintained by the netfilter developers, who were so kind to take over maintenance of the software. This website is kept mainly as a documentation reference.
主要用于linux桥的网络过滤,过滤规则基于链路层进行数据过滤。
命令介绍
命令查看主要还是基于virsh控制台。主要命令有5个,命令如下
代码语言:javascript复制virsh # nwfilter-
nwfilter-define nwfilter-dumpxml nwfilter-edit nwfilter-list nwfilter-undefine
- nwfilter-define
NAME
nwfilter-define - define or update a network filter from an XML file
SYNOPSIS
nwfilter-define <file>
DESCRIPTION
Define a new network filter or update an existing one.
OPTIONS
[--file] <string> file containing an XML network filter description
用法:
代码语言:javascript复制nwfilter-define path.xml
功能:类似于define。用来定义或者说导入/格式化xml文件,使之被虚拟机应用。
- nwfilter-dumpxml
NAME
nwfilter-dumpxml - network filter information in XML
SYNOPSIS
nwfilter-dumpxml <nwfilter>
DESCRIPTION
Output the network filter information as an XML dump to stdout.
OPTIONS
[--nwfilter] <string> network filter name or uuid
用法:
代码语言:javascript复制nwfilter-dumpxml option-name/uuid
功能:类似于cat命令,用来显示对应XML文件
代码语言:javascript复制 UUID Name
------------------------------------------------------------------
3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886 allow-arp
virsh # nwfilter-dumpxml allow-arp
<filter name='allow-arp' chain='arp' priority='-500'>
<uuid>3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886</uuid>
<rule action='accept' direction='inout' priority='500'/>
</filter>
virsh # nwfilter-dumpxml 3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886
<filter name='allow-arp' chain='arp' priority='-500'>
<uuid>3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886</uuid>
<rule action='accept' direction='inout' priority='500'/>
</filter>
- nwfilter-edit
NAME
nwfilter-edit - edit XML configuration for a network filter
SYNOPSIS
nwfilter-edit <nwfilter>
DESCRIPTION
Edit the XML configuration for a network filter.
OPTIONS
[--nwfilter] <string> network filter name or uuid
功能:主要用于编辑xml文件,和edit功能类似,编辑完成之后,可以立即生效。
- nwfilter-list
NAME
nwfilter-list - list network filters
SYNOPSIS
nwfilter-list
DESCRIPTION
Returns list of network filters.
功能:显示当前可使用的过滤器配置列表
代码语言:javascript复制virsh # nwfilter-list
UUID Name
------------------------------------------------------------------
3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886 allow-arp
675ab5ba-686e-4ce3-a1b7-a2210d81e7eb allow-dhcp
8b0620fa-f1d6-4002-a1c1-a65fee662187 allow-dhcp-server
587e3cf8-ef8c-434b-8983-cc8e169f145f allow-incoming-ipv4
b170b35e-a602-42df-847f-1e4ca10ad7aa allow-ipv4
5c0fe721-8071-465e-979b-f935beb938f4 clean-traffic
fbc91fd1-19b4-4833-8fbe-1d7f795003f3 no-arp-ip-spoofing
f91440d6-3b3a-4fec-8898-2b978f01e97e no-arp-mac-spoofing
87d78eeb-8289-40ab-9616-2f6180813bc6 no-arp-spoofing
e0a25fc7-ff32-4156-8a1c-bf90d100b173 no-ip-multicast
b1d1be20-cc33-44fe-ac1d-03796d529890 no-ip-spoofing
0b0d75e0-e12c-43b1-8062-c1bd58303600 no-mac-broadcast
03fccb6d-1576-4e47-93a2-382d378cd8b2 no-mac-spoofing
6dab6821-8caf-4794-9be8-d7ccb26639e6 no-other-l2-traffic
94985992-e597-4449-8c99-3d261c3d5c34 no-other-rarp-traffic
5d61fcbf-96a4-4c30-9c06-c853e14fa40a qemu-announce-self
780863fb-3afd-43b2-a624-8372b2d2a8cc qemu-announce-self-rarp
- nwfilter-undefine
NAME
nwfilter-undefine - undefine a network filter
SYNOPSIS
nwfilter-undefine <nwfilter>
DESCRIPTION
Undefine a given network filter.
OPTIONS
[--nwfilter] <string> network filter name or uuid
功能:与nwfilter-undefine 相反。删除定义,并且删除对应的xml文件
xml配置项介绍
官网xml相关介绍:https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoIP
1.虚拟机xml配置介绍
代码语言:javascript复制The network traffic filtering subsystem enables configuration of network traffic filtering rules on individual network interfaces that are configured for certain types of network configurations. Supported network types are
network
ethernet -- must be used in bridging mode
bridge
The interface XML is used to reference a top-level filter. In the following example, the interface description references the filter clean-traffic.
在虚拟机xml配置文件下,设备里边添加网络设备。注意一定使用 bridge 模式。
现在是未指定参数的配置,会自动所有配置IP,增加一定的开销。
代码语言:javascript复制<devices>
<interface type='bridge'>
<mac address='00:16:3e:5d:c7:9e'/>
<source bridge='br0'>
<filterref filter='clean-traffic'/>
</interface>
</devices>
增加参数的配置
代码语言:javascript复制<devices>
<interface type='bridge'>
<mac address='00:16:3e:5d:c7:9e'/>
<source bridge='br0'>
<filterref filter='clean-traffic'>
<parameter name='IP' value='10.0.0.1'/>
</filterref>
</interface>
</devices>
指定不开启自动识别。
代码语言:javascript复制<filterref filter='clean-traffic'>
<parameter name='CTRL_IP_LEARNING' value='none'/>
</filterref>
value可接受的参数值还有: any , dhcp ,none
其他属性如下表所示:本人没有进行相应的验证。
Variable Name | Semantics |
---|---|
MAC | The MAC address of the interface |
IP | The list of IP addresses in use by an interface |
IPV6 | Not currently implemented: the list of IPV6 addresses in use by an interface |
DHCPSERVER | The list of IP addresses of trusted DHCP servers |
DHCPSERVERV6 | Not currently implemented: The list of IPv6 addresses of trusted DHCP servers |
CTRL_IP_LEARNING | The choice of the IP address detection mode |
2.network filter xml配置介绍
2.1 Filtering chains
代码语言:javascript复制Libvirt's network filtering system automatically creates individual root chains for every virtual machine's network interface on which the user chooses to activate traffic filtering. The user may write filtering rules that are either directly instantiated in the root chain or may create protocol-specific filtering chains for efficient evaluation of protocol-specific rules
现在默认支持的规则链如下:
代码语言:javascript复制root mac stp vlan arp,rarp ipv4 ipv6
2.2 Filtering chain priorities
代码语言:javascript复制All chains are connected to the root chain. The order in which those chains are accessed is influenced by the priority of the chain. The following table shows the chains that can be assigned a priority and their default priorities.
规则优先级,主要用于防火墙校验的时候的规则顺序。
默认规则优先级如下:
Chain (prefix) | Default priority |
---|---|
stp | -810 |
mac | -800 |
vlan | -750 |
ipv4 | -700 |
ipv6 | -600 |
arp | -500 |
rarp | -400 |
网络过滤器xml的头尾就有了,如下样例所示:注意,UUID与name绑定,且全局唯一。
代码语言:javascript复制<filter name='no-arp-spoofing' chain='arp' priority='-500'>
<uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
</filter>
2.3 过滤器规则
demo:
代码语言:javascript复制 <rule action='drop' direction='out' priority='500'>
<ip match='no' srcipaddr='$IP'/>
</rule>
2.3.1 规则头
官网对对应字段的解释如下。
代码语言:javascript复制<rule action='drop' direction='out' priority='500'>
- action
action -- mandatory; must either be drop (matching the rule silently discards the packet with no further analysis), reject (matching the rule generates an ICMP reject message with no further analysis) (since 0.9.0), accept (matching the rule accepts the packet with no further analysis), return (matching the rule passes this filter, but returns control to the calling filter for further analysis) (since 0.9.7), or continue (matching the rule goes on to the next rule for further analysis) (since 0.9.7).
action 对应的值如下: drop,拒绝访问;reject,拒绝访问,并返回对应的包;accept,接收网络流量信息;return;continue;
- direction
direction -- mandatory; must either be in, out or inout if the rule is for incoming, outgoing or incoming-and-outgoing traffic
- priority
priority -- optional; the priority of the rule controls the order in which the rule will be instantiated relative to other rules. Rules with lower value will be instantiated before rules with higher values. Valid values are in the range of 0 to 1000. Since 0.9.8 this has been extended to cover the range of -1000 to 1000. If this attribute is not provided, priority 500 will automatically be assigned.
Note that filtering rules in the root chain are sorted with filters connected to the root chain following their priorities. This allows to interleave filtering rules with access to filter chains. (See also section on filtering chain priorities .)
- statematch
statematch -- optional; possible values are '0' or 'false' to turn the underlying connection state matching off; default is 'true'
Also read the section on advanced configuration topics.
statematch – 状态匹配,默认为true ,并不需要进行相应的设置。
2.3.2 规则内容
- 支持规则
MAC/VLAN/STP/(ARP/RARP)/IPV4/IPV6/(TCP/UDP/SCTP)/ICMP/(IGMP.ESP.AH.UDPLITE.‘ALL’)/TPV6/ICMPV6/ESP.AH.UDPLITE.'ALL’over IPV6
- 规则字段
<rule action='drop' direction='in'>
<protocol match='no' attribute1='value1' attribute2='value2'/>
<protocol attribute3='value3'/>
</rule>
match 是否匹配。用于规则的例外排除,排除额外选项
执行条件:
代码语言:javascript复制Rules perform a logical AND evaluation on all values of the given protocol attributes. Thus, if a single attribute's value does not match the one given in the rule, the whole rule will be skipped during evaluation. Therefore, in the above example incoming traffic will only be dropped if the protocol property attribute1 does not match value1 AND the protocol property attribute2 does not match value2 AND the protocol property attribute3 matches value3.
value1和value2是与的条件,两个条件满足,才执行排除条件,即不接收流量包。
代码语言:javascript复制<rule action='drop' direction='in' priority='400'>
<tcp connlimit-above='1'/>
</rule>
connlimit-above
connlimit-above:Limiting Number of Connections 。进行连接数限制。
MAC协议
Attribute | Datatype | Semantics |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to MAC address of sender |
dstmacaddr | MAC_ADDR | MAC address of destination |
dstmacmask | MAC_MASK | Mask applied to MAC address of destination |
protocolid | UINT16 (0x600-0xffff), STRING | Layer 3 protocol ID |
comment (Since 0.8.5) | STRING | text with max. 256 characters |
<mac match='no' srcmacaddr='$MAC'/>
VLAN ARP/RARP
VLAN与ARP不进行介绍,不在常用选项。
IPV4
Attribute | Datatype | Semantics |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to MAC address of sender |
dstmacaddr | MAC_ADDR | MAC address of destination |
dstmacmask | MAC_MASK | Mask applied to MAC address of destination |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
protocol | UINT8, STRING | Layer 4 protocol identifier |
srcportstart | UINT16 | Start of range of valid source ports; requires protocol |
srcportend | UINT16 | End of range of valid source ports; requires protocol |
dstportstart | UINT16 | Start of range of valid destination ports; requires protocol |
dstportend | UINT16 | End of range of valid destination ports; requires protocol |
dscp | UINT8 (0x0-0x3f, 0 - 63) | Differentiated Services Code Point |
comment (Since 0.8.5) | STRING | text with max. 256 characters |
IPV6
IPV6不进行介绍
TCP/UDP/SCTP
Attribute | Datatype | Semantics |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
srcipfrom | IP_ADDR | Start of range of source IP address |
srcipto | IP_ADDR | End of range of source IP address |
dstipfrom | IP_ADDR | Start of range of destination IP address |
dstipto | IP_ADDR | End of range of destination IP address |
srcportstart | UINT16 | Start of range of valid source ports |
srcportend | UINT16 | End of range of valid source ports |
dstportstart | UINT16 | Start of range of valid destination ports |
dstportend | UINT16 | End of range of valid destination ports |
dscp | UINT8 (0x0-0x3f, 0 - 63) | Differentiated Services Code Point |
comment (Since 0.8.5) | STRING | text with max. 256 characters |
state (Since 0.8.5) | STRING | comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE |
flags (Since 0.9.1) | STRING | TCP-only: format of mask/flags with mask and flags each being a comma separated list of SYN,ACK,URG,PSH,FIN,RST or NONE or ALL |
ipset (Since 0.9.13) | STRING | The name of an IPSet managed outside of libvirt |
ipsetflags (Since 0.9.13) | IPSETFLAGS | flags for the IPSet; requires ipset attribute |
ICMP
Attribute | Datatype | Semantics |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to MAC address of sender |
dstmacaddr | MAC_ADDR | MAC address of destination |
dstmacmask | MAC_MASK | Mask applied to MAC address of destination |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
srcipfrom | IP_ADDR | Start of range of source IP address |
srcipto | IP_ADDR | End of range of source IP address |
dstipfrom | IP_ADDR | Start of range of destination IP address |
dstipto | IP_ADDR | End of range of destination IP address |
type | UINT16 | ICMP type |
code | UINT16 | ICMP code |
dscp | UINT8 (0x0-0x3f, 0 - 63) | Differentiated Services Code Point |
comment (Since 0.8.5) | STRING | text with max. 256 characters |
state (Since 0.8.5) | STRING | comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE |
ipset (Since 0.9.13) | STRING | The name of an IPSet managed outside of libvirt |
ipsetflags (Since 0.9.13) | IPSETFLAGS | flags for the IPSet; requires ipset attribute |
其他规则不进行介绍。
**注意:**ip_mask填写"24"或者"255.255.255.0"均可,在define 的时候会进行格式化自动转换的。
2.3.4 常用规则样例
代码语言:javascript复制<filter name='test-eth0'>
<!-- reference the clean traffic filter to prevent
MAC, IP and ARP spoofing. By not providing
and IP address parameter, libvirt will detect the
IP address the VM is using. -->
<filterref filter='clean-traffic'/>
<!-- enable TCP port 21 (ftp-control) to be reachable -->
<rule action='accept' direction='in'>
<tcp dstportstart='21'/>
</rule>
<!-- enable TCP port 20 for VM-initiated ftp data connection
related to an existing ftp control connection -->
<rule action='accept' direction='out'>
<tcp srcportstart='20' state='RELATED,ESTABLISHED'/>
</rule>
<!-- accept all packets from client on the ftp data connection -->
<rule action='accept' direction='in'>
<tcp dstportstart='20' state='ESTABLISHED'/>
</rule>
<!-- enable TCP ports 22 (ssh) and 80 (http) to be reachable -->
<rule action='accept' direction='in'>
<tcp dstportstart='22'/>
</rule>
<rule action='accept' direction='in'>
<tcp dstportstart='80'/>
</rule>
<!-- enable general ICMP traffic to be initiated by the VM;
this includes ping traffic -->
<rule action='accept' direction='out'>
<icmp/>
</rule>
<!-- enable outgoing DNS lookups using UDP -->
<rule action='accept' direction='out'>
<udp dstportstart='53'/>
</rule>
<!-- drop all other traffic -->
<rule action='drop' direction='inout'>
<all/>
</rule>
</filter>
2.3.5 作者样例
代码语言:javascript复制<filter name='rule' chain='root'>
<uuid>4e82be8f-5d76-45a1-8446-xxxxxxxxxxx</uuid>
<rule action='drop' direction='in' priority='200'/>
<rule action='accept' direction='in' priority='100'> <!=获取入口出口>
<tcp dstmacaddr='52:54:00:4b:aa:1f'/> <!= 获取本机MAC>
<tcp dstportstart='24' dstportend='65536'/> <!= 获取端口范围>
<tcp srcipaddr='172.22.222.222'/> <!=获取目标IP>
<tcp srcipmask='0'/> <!= 获取掩码>
</rule>
<rule action='accept' direction='out' priority='100'>
<tcp srcmacaddr='52:54:00:4b:aa:1f'/>
<tcp srcportstart='1' srcportend='65535'>
<tcp dstipaddr='172.22.222.222'/>
<tcp dstipmask='0'/>
</rule>
<rule action='accept' direction='inout' priority='100'>
<tcp srcmacaddr='52:54:00:4b:aa:1f'/>
<tcp srcportstart='1' srcportend='65535'>
<tcp dstipaddr='172.22.222.222'/>
<tcp dstipmask='0'/>
</rule>
</filter>
针对于TCP协议设置,其他协议类似。注意注释需要去掉
2.3.6其他信息
libvirt-nwfilter 默认In为黑名单out为白名单。
默认的xml路径在
代码语言:javascript复制/etc/libvirt/nwfilter
#ls
allow-arp.xml clean-traffic.xml no-ip-multicast.xml no-other-rarp-traffic.xml
allow-dhcp-server.xml clean-traffic.xml_bak no-ip-spoofing.xml qemu-announce-self-rarp.xml
allow-dhcp.xml no-arp-ip-spoofing.xml no-mac-broadcast.xml qemu-announce-self.xml
allow-incoming-ipv4.xml no-arp-mac-spoofing.xml no-mac-spoofing.xml
allow-ipv4.xml no-arp-spoofing.xml no-other-l2-traffic.xml
Network Filter API介绍
官网路径:https://libvirt.org/html/libvirt-libvirt-nwfilter.html#virNWFilterBindingCreateXML
官网一般为最新版本API接口,你需要看自己的支持什么接口,就需要在 '/usr/include/libvirt’查看
代码语言:javascript复制libvirt-admin.h libvirt-event.h libvirt-lxc.h libvirt-qemu.h virterror.h
libvirt-common.h libvirt.h libvirt-network.h libvirt-secret.h
libvirt-domain.h libvirt-host.h libvirt-nodedev.h libvirt-storage.h
libvirt-domain-snapshot.h libvirt-interface.h libvirt-nwfilter.h libvirt-stream.h
主要在 libvirt-nwfilter.h头文件。默认开发的时候,只要调用libvirt.h就可以。
代码语言:javascript复制libvirt.h内容如下:
#ifndef __VIR_VIRLIB_H__
# define __VIR_VIRLIB_H__
# include <sys/types.h>
# ifdef __cplusplus
extern "C" {
# endif
# define __VIR_LIBVIRT_H_INCLUDES__
# include <libvirt/libvirt-common.h>
# include <libvirt/libvirt-host.h>
# include <libvirt/libvirt-domain.h>
# include <libvirt/libvirt-domain-snapshot.h>
# include <libvirt/libvirt-event.h>
# include <libvirt/libvirt-interface.h>
# include <libvirt/libvirt-network.h>
# include <libvirt/libvirt-nodedev.h>
# include <libvirt/libvirt-nwfilter.h>
# include <libvirt/libvirt-secret.h>
# include <libvirt/libvirt-storage.h>
# include <libvirt/libvirt-stream.h>
# undef __VIR_LIBVIRT_H_INCLUDES__
# ifdef __cplusplus
}
# endif
#endif /* __VIR_VIRLIB_H__ */
代码语言:javascript复制libvirt-nwfilter.h 主要接口如下
#ifndef __VIR_LIBVIRT_NWFILTER_H__
# define __VIR_LIBVIRT_NWFILTER_H__
# ifndef __VIR_LIBVIRT_H_INCLUDES__
# error "Don't include this file directly, only use libvirt/libvirt.h"
# endif
/**
* virNWFilter:
*
* a virNWFilter is a private structure representing a network filter
*/
typedef struct _virNWFilter virNWFilter;
/**
* virNWFilterPtr:
*
* a virNWFilterPtr is pointer to a virNWFilter private structure,
* this is the type used to reference a network filter in the API.
*/
typedef virNWFilter *virNWFilterPtr;
/*
* List NWFilters
*/
int virConnectNumOfNWFilters (virConnectPtr conn);
int virConnectListNWFilters (virConnectPtr conn,
char **const names,
int maxnames);
int virConnectListAllNWFilters(virConnectPtr conn,
virNWFilterPtr **filters,
unsigned int flags);
/*
* Lookup nwfilter by name or uuid
*/
virNWFilterPtr virNWFilterLookupByName (virConnectPtr conn,
const char *name);
virNWFilterPtr virNWFilterLookupByUUID (virConnectPtr conn,
const unsigned char *uuid);
virNWFilterPtr virNWFilterLookupByUUIDString (virConnectPtr conn,
/*
* Define persistent nwfilter
*/
virNWFilterPtr virNWFilterDefineXML (virConnectPtr conn,
const char *xmlDesc);
/*
* Delete persistent nwfilter
*/
int virNWFilterUndefine (virNWFilterPtr nwfilter);
/*
* NWFilter destroy/free
*/
int virNWFilterRef (virNWFilterPtr nwfilter);
int virNWFilterFree (virNWFilterPtr nwfilter);
/*
* NWFilter information
*/
const char* virNWFilterGetName (virNWFilterPtr nwfilter);
int virNWFilterGetUUID (virNWFilterPtr nwfilter,
unsigned char *uuid);
int virNWFilterGetUUIDString (virNWFilterPtr nwfilter,
char *buf);
char * virNWFilterGetXMLDesc (virNWFilterPtr nwfilter,
unsigned int flags);
#endif /* __VIR_LIBVIRT_NWFILTER_H__ */
类似于命令行。在实际开发中,libvirt ,nwfilter接口定义主要使用:
代码语言:javascript复制virNWFilterPtr virNWFilterDefineXML (virConnectPtr conn,const char *xmlDesc);
类似于nwfilter-define 命令。用来定义网络过滤器规则。
demo如下:
代码语言:javascript复制static std::string in_rule(std::string mac, std::string protocol, std::string startPort, std::string endPort, std::string ip, std::string ipmask)
{
std::string in_rule = std::string(
"<rule action='accept' direction='in' priority='100'>n"
std::string("<") protocol " dstmacaddr='" mac "'/>n"
"<" protocol " dstportstart='" startPort "' dstportend='" endPort "'/>n"
"<" protocol " srcipaddr='" ip "'/>n"
"<" protocol " srcipmask='" ipmask "'/>n"
"</rule>n");
return in_rule;
}
static std::string intout_rule(std::string mac, std::string protocol, std::string startPort, std::string endPort, std::string ip, std::string ipmask)
{
std::string out_rule = std::string(
"<rule action='accept' direction='inout' priority='100'>n"
std::string("<") protocol " srcmacaddr='" mac "'/>"
"<" protocol " srcportstart='" startPort "' srcportend='" endPort "'/>n"
"<" protocol " dstipaddr='" ip "'/>n"
"<" protocol " dstipmask='" ipmask "'/>n"
"</rule>n");
return out_rule;
}
static std::string rule_xml(std::string uuid, std::list<std::string> list)
{
std::string xmlHeader("<filter name='safe-rule' chain='root'>n <uuid>" uuid "</uuid>n");
std::string xmlDeault("<rule action='drop' direction='in' priority='200'/>n");
std::string xmlRule = "";
for(auto it : list)
{
xmlRule = it;
}
std::string xmlTail("</filter>n");
return xmlHeader xmlDeault xmlRule xmlTail;
}
函数调用如下:
代码语言:javascript复制const char * nwxml = nwfilter_str::rule_xml(std::string("4e82be8f-5d76-45a1-8446-66a527f39115"),ruleList).c_str();
virNWFilterDefineXML(conn, nwxml);
其他的前置条件不进行说明。在之前libvirt-API获取guest-ip有详细说明。
在当前版本官网还有如下函数
代码语言:javascript复制virNWFilterBindingPtr virNWFilterBindingCreateXML (virConnectPtr conn, const char * xml, unsigned int flags)
说明如下:
代码语言:javascript复制Define a new network filter, based on an XML description similar to the one returned by virNWFilterGetXMLDesc(). This API may be used to associate a filter with a currently running guest that does not have a filter defined for a specific network port. Since the bindings are generally automatically managed by the hypervisor, using this command to define a filter for a network port and then starting the guest afterwards may prevent the guest from starting if it attempts to use the network port and finds a filter already defined.
能够直接绑定在运行的虚拟机,因为没有实际验证,根据官网说明,应该是能够直接与当前运行虚拟机绑定。不同于
代码语言:javascript复制virNWFilterPtr virNWFilterDefineXML (virConnectPtr conn, const char * xmlDesc)
说明如下:
代码语言:javascript复制Define a new network filter, based on an XML description similar to the one returned by virNWFilterGetXMLDesc()
virNWFilterFree should be used to free the resources after the nwfilter object is no longer needed.
上述函数virNWFilterDefineXML生效,前置条件是在虚拟机xml进行过相应的规则配置,才能够即时生效。而,virNWFilterBindingCreateXML
描述是绑定,应该是不需要进行前置条件,能够直接对当前运行虚拟机生效。但是是否能够绑定在指定虚拟机,还是待定,因为对外接口并未开放,在查资料的时候,有找到相关介绍,介绍如下:
链接:https://www.redhat.com/archives/libvir-list/2018-August/msg01407.html
函数介绍如下:
代码语言:javascript复制 int virDomainConfNWFilterInstantiate(const char *vmname,
const unsigned char *vmuuid,
virDomainNetDefPtr net,
bool ignoreExists,
bool ignoreDeleted);
但是目前來看,函数接口并未对外暴露,留待以后进行相关设置了。