
What are the libvirt network filtering rules?

2025-03-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Today I will talk about what libvirt network filtering rules look like, a topic many people are not familiar with. To make it easier to understand, the editor has summarized the following content; I hope you get something out of this article.

Libvirt network filtering rules.

An example of a filter rule definition:

    <filter name='no-ip-spoofing' chain='ipv4'>
      <uuid>fce8ae33-e69e-83bf-262e-30786c1f8072</uuid>
      <rule action='drop' direction='out' priority='500'>
        <ip match='no' srcipaddr='192.168.1.1'/>
      </rule>
      <filterref filter='no-mac-spoofing'/>
    </filter>

Root element

The root element <filter> has two main attributes, "name" and "chain", and its main child elements are <uuid>, <filterref> and <rule>. The "name" attribute defines the name of the filter, and the "chain" attribute defines the chain in which the filter resides; filter chains are used to organize filter rules. Currently, the only chains available are root, ipv4, ipv6, arp, and rarp. A <rule> child element defines one rule, and a <filterref> child element references another already-defined filter directly. In this example the rule matches the IP protocol, so the filter is placed in the ipv4 chain.

In the XML definition, a filtering rule is a rule node, and the rule node has three main attributes plus an optional statematch attribute:

"action": "drop" discards the packet; "reject" discards it and also generates an ICMP reject message; "accept" lets it pass; "return" returns to the upper filter that called this filter to continue matching; "continue" skips to the next rule and keeps matching.

"direction": the packet direction; "in" is the inbound direction, "out" the outbound direction, and "inout" both directions.

"priority": the lower the value, the higher the priority of the rule relative to the other rules; values range from -1000 to 1000. If omitted, 500 is assigned automatically.

"statematch": connection-state matching. The default is 'true'; set 'false' to ignore the connection state.

When a filter rule is matched, all of its conditions must be met at the same time, that is, they are combined with logical AND.
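The following is an added example, not code from the original article or from libvirt itself: it parses a filter definition like the one above with Python's standard XML module, checks the action, direction, chain and priority values against the sets and range described in the text, and evaluates a constructed outbound packet against the rules, applying the logical-AND combination of conditions and the inverting effect of match='no'. The sample filter and packets are constructed for the example; 192.168.1.1 is assumed to be the VM's own address.

```python
# Added example (not libvirt's own code): parse a nwfilter definition like the
# one in the text, check its attribute values, and evaluate rules against packets.
import xml.etree.ElementTree as ET

ACTIONS = {"drop", "reject", "accept", "return", "continue"}
DIRECTIONS = {"in", "out", "inout"}
CHAINS = {"root", "ipv4", "ipv6", "arp", "rarp"}
# Constructed sample: the page's anti-spoofing filter (192.168.1.1 is the VM's IP).
SAMPLE_XML = """<filter name='no-ip-spoofing' chain='ipv4'>
  <uuid>fce8ae33-e69e-83bf-262e-30786c1f8072</uuid>
  <rule action='drop' direction='out' priority='500'>
    <ip match='no' srcipaddr='192.168.1.1'/>
  </rule>
</filter>"""

def parse_filter(xml_text):
    """Return the filter's name, chain and rules, each with its protocol conditions."""
    root = ET.fromstring(xml_text)
    rules = [{"action": r.get("action"), "direction": r.get("direction"),
              "priority": int(r.get("priority", "500")),   # 500 when omitted
              "conds": [(c.tag, dict(c.attrib)) for c in r]}
             for r in root.findall("rule")]
    return {"name": root.get("name"), "chain": root.get("chain", "root"), "rules": rules}

def validate(flt):
    """List attribute values outside the sets and ranges given in the text."""
    bad = [] if flt["chain"] in CHAINS else ["unknown chain %r" % flt["chain"]]
    for i, r in enumerate(flt["rules"]):
        if r["action"] not in ACTIONS or r["direction"] not in DIRECTIONS:
            bad.append("rule %d: bad action or direction" % i)
        if not -1000 <= r["priority"] <= 1000:
            bad.append("rule %d: priority outside -1000..1000" % i)
    return bad

def rule_matches(rule, packet):
    """All protocol conditions must hold (logical AND); match='no' inverts one."""
    for proto, attrs in rule["conds"]:
        if packet.get("proto") != proto:        # a different protocol never matches
            return False
        hit = all(packet.get(k) == v for k, v in attrs.items() if k != "match")
        if hit == (attrs.get("match", "yes") == "no"):  # failed, or hit while inverted
            return False
    return True

def verdict(flt, packet):
    """Action of the first matching rule (lower priority value first), else None."""
    for r in sorted(flt["rules"], key=lambda r: r["priority"]):
        if r["direction"] in (packet["direction"], "inout") and rule_matches(r, packet):
            return r["action"]
    return None
```

With the sample filter, an outbound packet whose source is the VM's own address gets no verdict (it passes), while one with any other source address is dropped, which is exactly the anti-spoofing effect of match='no'.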

The protocols supported by filtering rules, that is, the elements placed under the "rule" tag (such as ip in the example above), and the attributes each of them accepts:

MAC

srcmacaddr   MAC_ADDR   source MAC address
srcmacmask   MAC_MASK   source MAC address mask
dstmacaddr   MAC_ADDR   destination MAC address
dstmacmask   MAC_MASK   destination MAC address mask
protocolid   STRING     layer 3 protocol ID, which can be arp, rarp, ipv4, ipv6
comment      STRING     free-text comment

VLAN

srcmacaddr      MAC_ADDR                      source MAC address
srcmacmask      MAC_MASK                      source MAC address mask
dstmacaddr      MAC_ADDR                      destination MAC address
dstmacmask      MAC_MASK                      destination MAC address mask
vlanid          UINT16 (0x0-0xfff, 0-4095)    VLAN ID
encap-protocol  STRING                        encapsulated layer 3 protocol ID, which can be arp, ipv4, ipv6
comment         STRING                        free-text comment

IPv4

srcmacaddr    MAC_ADDR                   source MAC address
srcmacmask    MAC_MASK                   source MAC address mask
dstmacaddr    MAC_ADDR                   destination MAC address
dstmacmask    MAC_MASK                   destination MAC address mask
srcipaddr     IP_ADDR                    source IP address
srcipmask     IP_MASK                    source IP address mask
dstipaddr     IP_ADDR                    destination IP address
dstipmask     IP_MASK                    destination IP address mask
protocol      UINT8, STRING              layer 4 protocol ID, which can be tcp, udp, udplite, esp, ah, icmp, igmp, sctp
srcportstart  UINT16                     start value of the source port range
srcportend    UINT16                     end value of the source port range
dstportstart  UINT16                     start value of the destination port range
dstportend    UINT16                     end value of the destination port range
dscp          UINT8 (0x0-0x3f, 0-63)     differentiated services code point
comment       STRING                     free-text comment

TCP/UDP/SCTP

srcmacaddr    MAC_ADDR                   source MAC address
srcipaddr     IP_ADDR                    source IP address
srcipmask     IP_MASK                    source IP address mask
dstipaddr     IP_ADDR                    destination IP address
dstipmask     IP_MASK                    destination IP address mask
srcipfrom     IP_ADDR                    start value of the source IP address range
srcipto       IP_ADDR                    end value of the source IP address range
dstipfrom     IP_ADDR                    start value of the destination IP address range
dstipto       IP_ADDR                    end value of the destination IP address range
srcportstart  UINT16                     start value of the source port range
srcportend    UINT16                     end value of the source port range
dstportstart  UINT16                     start value of the destination port range
dstportend    UINT16                     end value of the destination port range
dscp          UINT8 (0x0-0x3f, 0-63)     differentiated services code point
comment       STRING                     free-text comment
state         STRING                     comma-separated list, which can be NEW, ESTABLISHED, RELATED, INVALID, NONE
flags         STRING                     TCP only; comma-separated list, which can be SYN, ACK, URG, PSH, FIN, RST, NONE, ALL

ICMP

The chain parameter is ignored for rules of this type.

srcmacaddr    MAC_ADDR                   source MAC address
srcmacmask    MAC_MASK                   source MAC address mask
dstmacaddr    MAC_ADDR                   destination MAC address
dstmacmask    MAC_MASK                   destination MAC address mask
srcipaddr     IP_ADDR                    source IP address
srcipmask     IP_MASK                    source IP address mask
dstipaddr     IP_ADDR                    destination IP address
dstipmask     IP_MASK                    destination IP address mask
srcipfrom     IP_ADDR                    start value of the source IP address range
srcipto       IP_ADDR                    end value of the source IP address range
dstipfrom     IP_ADDR                    start value of the destination IP address range
dstipto       IP_ADDR                    end value of the destination IP address range
type          UINT16                     ICMP type
code          UINT16                     ICMP code
dscp          UINT8 (0x0-0x3f, 0-63)     differentiated services code point
comment       STRING                     free-text comment (since 0.8.5)
state         STRING                     comma-separated list, which can be NEW, ESTABLISHED, RELATED, INVALID, NONE

IGMP, ESP, AH, UDPLITE, 'ALL'

The chain parameter is ignored for rules of this type.

srcmacaddr    MAC_ADDR                   source MAC address
srcmacmask    MAC_MASK                   source MAC address mask
dstmacaddr    MAC_ADDR                   destination MAC address
dstmacmask    MAC_MASK                   destination MAC address mask
srcipaddr     IP_ADDR                    source IP address
srcipmask     IP_MASK                    source IP address mask
dstipaddr     IP_ADDR                    destination IP address
dstipmask     IP_MASK                    destination IP address mask
srcipfrom     IP_ADDR                    start value of the source IP address range
srcipto       IP_ADDR                    end value of the source IP address range
dstipfrom     IP_ADDR                    start value of the destination IP address range
dstipto       IP_ADDR                    end value of the destination IP address range
dscp          UINT8 (0x0-0x3f, 0-63)     differentiated services code point
comment       STRING                     free-text comment (since 0.8.5)
state         STRING                     comma-separated list, which can be NEW, ESTABLISHED, RELATED, INVALID, NONE

After reading the above, do you have a better understanding of libvirt network filtering rules? If you want to learn more, please follow the industry information channel. Thank you for your support.
