First, the virsh commands used to manage libvirt network filtering rules:
virsh nwfilter-define
Followed by an XML file; defines or updates a network filtering rule from that file.
virsh nwfilter-dumpxml
Followed by the name of a network filter rule; shows the XML definition of that rule.
virsh nwfilter-edit
Followed by the name of a network filter rule; opens that rule for editing.
virsh nwfilter-list
Lists all network filtering rules that have been defined successfully.
virsh nwfilter-undefine
Followed by the name of a network filter rule; removes (undefines) that rule.
Note: A network filtering rule can be defined regardless of the guest's state, and it takes effect immediately, even while the guest is running.
XML file content that blocks the guest from using the external network:
<filter name='no-ip-inout' chain='ipv4'>
  <uuid>fce8ae34-e69e-83bf-262e-30786c1f8072</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='192.168.x.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
  <rule action='drop' direction='out' priority='200'>
    <ip match='no' dstipaddr='192.168.x.0' dstipmask='255.255.255.0'/>
  </rule>
</filter>
Drop.xml
XML file content that allows the guest to use the external network:
<filter name='no-ip-inout' chain='ipv4'>
  <uuid>fce8ae34-e69e-83bf-262e-30786c1f8072</uuid>
  <rule action='accept' direction='out'/>
</filter>
Accept.xml
DHCP on Linux uses UDP ports 67 and 68. The two rules with priority 100 allow the guest to receive DHCP information over UDP (from source port 67) and to send DHCP requests over UDP to the same destination, the broadcast address. The rule with priority 200 drops every outgoing packet whose destination is not on the management network (192.168.x.0/24). Because rules are evaluated in priority order (lower value first), the guest can still obtain what it needs (such as a DHCP lease) while being prevented from reaching the Internet: any other outgoing packet is discarded.
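To make the priority ordering and the match='no' negation concrete, here is an added example (not code from the original post or from libvirt) that parses a filter document like Drop.xml, sorts its rules the way libvirt evaluates them (lower priority value first) and applies them to a few constructed packets. The subnet 192.168.100.0/24 stands in for the post's "192.168.x.0", the 'out' DHCP rule uses 0.0.0.0 as source address (what a guest without a lease sends its DHCP DISCOVER from), and the sample packets are all constructed; those are assumptions of the example, not values from the post.

```python
"""Simulate libvirt nwfilter rule evaluation for a Drop.xml/Accept.xml-style filter.

Added example, not code from the original post or from libvirt. It parses
a <filter> document, orders rules by priority (lower value evaluated first,
as libvirt does) and applies them to constructed packets. The subnet
192.168.100.0/24 is a placeholder for the post's "192.168.x.0".
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed filter following the post's Drop.xml (priorities 100/200).
# The DHCP 'out' rule uses 0.0.0.0 as source address, which is what a guest
# without a lease sends its DHCP DISCOVER from (an assumption of this example).
DROP_XML = """
<filter name='no-ip-inout' chain='ipv4'>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp'
        srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
  <rule action='drop' direction='out' priority='200'>
    <ip match='no' dstipaddr='192.168.100.0' dstipmask='255.255.255.0'/>
  </rule>
</filter>
"""

# Constructed counterpart of the post's Accept.xml: one unconditional accept,
# with no priority attribute so libvirt's default applies.
ACCEPT_XML = """
<filter name='no-ip-inout' chain='ipv4'>
  <rule action='accept' direction='out'/>
</filter>
"""

DEFAULT_PRIORITY = 500  # libvirt's default when the attribute is absent


def parse_rules(xml_text):
    """Return the filter's rules as dicts, in the order libvirt evaluates them."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for rule in root.findall("rule"):
        ip = rule.find("ip")
        rules.append({
            "action": rule.get("action"),
            "direction": rule.get("direction", "inout"),
            "priority": int(rule.get("priority", DEFAULT_PRIORITY)),
            "ip": dict(ip.attrib) if ip is not None else {},  # no <ip>: match everything
        })
    return sorted(rules, key=lambda r: r["priority"])


def ip_element_matches(attrs, pkt):
    """Apply the <ip> attributes to a packet; match='no' inverts the whole result."""
    checks = []
    if "protocol" in attrs:
        checks.append(attrs["protocol"].lower() == pkt["protocol"])
    for side in ("src", "dst"):
        if side + "ipaddr" in attrs:
            # Without an explicit mask the address is matched exactly (/32).
            mask = attrs.get(side + "ipmask", "255.255.255.255")
            net = ipaddress.ip_network(f"{attrs[side + 'ipaddr']}/{mask}", strict=False)
            checks.append(ipaddress.ip_address(pkt[side]) in net)
        if side + "portstart" in attrs:
            lo = int(attrs[side + "portstart"])
            hi = int(attrs.get(side + "portend", lo))
            port = pkt.get(side + "port")  # None for protocols without ports
            checks.append(port is not None and lo <= port <= hi)
    matched = all(checks)
    return not matched if attrs.get("match", "yes") == "no" else matched


def evaluate(xml_text, pkt):
    """First matching rule wins; a packet no rule matches falls through and is accepted."""
    for rule in parse_rules(xml_text):
        if rule["direction"] not in ("inout", pkt["direction"]):
            continue
        if ip_element_matches(rule["ip"], pkt):
            return rule["action"], rule["priority"]
    return "accept", None


# Constructed sample packets as seen at the guest's interface.
PACKETS = {
    "dhcp_discover": dict(direction="out", protocol="udp", src="0.0.0.0",
                          dst="255.255.255.255", srcport=68, dstport=67),
    "dhcp_offer": dict(direction="in", protocol="udp", src="192.168.100.1",
                       dst="255.255.255.255", srcport=67, dstport=68),
    "https_to_internet": dict(direction="out", protocol="tcp", src="192.168.100.20",
                              dst="203.0.113.10", srcport=40000, dstport=443),
    "ssh_to_lan": dict(direction="out", protocol="tcp", src="192.168.100.20",
                       dst="192.168.100.5", srcport=40001, dstport=22),
    "ping_from_lan": dict(direction="in", protocol="icmp", src="192.168.100.5",
                          dst="192.168.100.20"),
}


def evaluate_all(xml_text, packets=PACKETS):
    return {name: evaluate(xml_text, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, xml_text in (("Drop.xml", DROP_XML), ("Accept.xml", ACCEPT_XML)):
        print(label)
        for name, (action, prio) in evaluate_all(xml_text).items():
            print(f"  {name:18} -> {action} (rule priority {prio})")
```

Running it shows the DHCP exchange accepted by the priority-100 rules, the HTTPS packet to 203.0.113.10 dropped by the priority-200 rule, and traffic to the local subnet falling through untouched. One practical caveat the simulation cannot show: a defined filter only applies to a guest once its interface references it with <filterref filter='no-ip-inout'/> in the domain XML.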
To block the guest from using the external network:
virsh nwfilter-define Drop.xml
To allow the guest to use the external network again:
virsh nwfilter-define Accept.xml
To remove this network filtering rule altogether:
virsh nwfilter-undefine no-ip-inout
Libvirt network filtering rules: preventing a guest (bridge mode) from connecting to the external network