libvirt-Network Filter

何其不顾四月天, posted 2020/12/28 23:45:01
[Abstract] libvirt-Network Filter. Introduction. This introduction to libvirt-nwfilter covers two things: ebtables, and nwfilter itself. nwfilter is built on top of, or rather configured through, ebtables; once its rules are set, ebtables can be used to check that they were installed. libvirt-nwfilter is mainly provided by libvirt...


Introduction

This introduction to libvirt-nwfilter covers two things: ebtables, and nwfilter itself. nwfilter is built on top of ebtables (and iptables for the IP layers); once a filter's rules have been set, ebtables can be used to check that they were actually installed. In libvirt's ebtables driver the per-interface chains are named after the tap device, for example libvirt-I-vnet0 and libvirt-O-vnet0 in the ebtables nat table, so "ebtables -t nat -L" shows the link-layer rules and "iptables -L -n" shows the IP-layer ones.

libvirt-nwfilter is the network-filtering facility of libvirt's VM network management; it applies firewall rules to groups of virtual machines.

Its purpose is to let the host administrator filter a VM's network packets through one abstract, standardized configuration, with control down to each NIC of each VM. The same filter can be reused by different VMs, and each VM can also be given its own filter. Once the nwfilter rules are configured, libvirt translates them into the corresponding iptables or ebtables rules when the VM starts and installs them on the tap device that backs the VM's NIC.

  • nwfilter
Network filtering XML gives the virtualization administrator a set of rules for filtering network traffic; by configuring filter parameters, the administrator decides which of a virtual machine's traffic is accepted and forwarded. The rules are enforced on the host and cannot be bypassed from inside the guest, so a filter is mandatory access control over the guest's network access.

The network filtering subsystem lets each virtual machine's filter table be configured individually. The access-control table can be set when the VM starts, and it can also be changed while the VM is running by modifying the network filter XML. libvirt allows several VMs to share one filter; when that filter is modified, the rules of every running VM that references it are updated automatically.

Deployed on a KVM host, network filtering XML provides virtual network isolation, intrusion prevention and bulk management. OpenStack's Nova libvirt driver has used nwfilter for per-instance firewall rules.

  • ebtables

Official description:

The ebtables program is a filtering tool for a Linux-based bridging firewall. It enables transparent filtering of network traffic passing through a Linux bridge. The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers. Advanced logging, MAC DNAT/SNAT and brouter facilities are also included.

The ebtables tool can be combined with the other Linux filtering tools (iptables, ip6tables and arptables) to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture which is a part of the standard Linux kernel.

The ebtables and arptables codebase is maintained by the netfilter developers, who were so kind to take over maintenance of the software. This website is kept mainly as a documentation reference.

  
 

ebtables filters traffic crossing a Linux bridge; its rules match at the link layer.

Commands

Management is done from the virsh console. In the version used here there are five nwfilter commands (typing nwfilter- and pressing Tab lists them):

virsh # nwfilter-
nwfilter-define nwfilter-dumpxml   nwfilter-edit nwfilter-list nwfilter-undefine

  
 
  • nwfilter-define
NAME
	nwfilter-define - define or update a network filter from an XML file
SYNOPSIS
	nwfilter-define <file>
DESCRIPTION
	Define a new network filter or update an existing one.
OPTIONS
	[--file] <string>  file containing an XML network filter description

  
 

Usage:

nwfilter-define path.xml

  
 

Function: analogous to virsh define. Defines (imports) a filter from an XML file so that VMs can reference it; the XML is validated on define, and a filter already defined under the same name is updated in place.

  • nwfilter-dumpxml
NAME
	nwfilter-dumpxml - network filter information in XML
SYNOPSIS
	nwfilter-dumpxml <nwfilter>
DESCRIPTION
	Output the network filter information as an XML dump to stdout.
OPTIONS
	[--nwfilter] <string>  network filter name or uuid

  
 

Usage:

nwfilter-dumpxml <name-or-uuid>

  
 

Function: like cat; prints the filter's XML. The filter can be addressed by name or by UUID:

virsh # nwfilter-list
 UUID                                  Name
------------------------------------------------------------------
 3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886  allow-arp

virsh # nwfilter-dumpxml allow-arp
<filter name='allow-arp' chain='arp' priority='-500'>
  <uuid>3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886</uuid>
  <rule action='accept' direction='inout' priority='500'/>
</filter>

virsh # nwfilter-dumpxml 3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886
<filter name='allow-arp' chain='arp' priority='-500'>
  <uuid>3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886</uuid>
  <rule action='accept' direction='inout' priority='500'/>
</filter>

  
 
  • nwfilter-edit
NAME
	nwfilter-edit - edit XML configuration for a network filter
SYNOPSIS
	nwfilter-edit <nwfilter>
DESCRIPTION
	Edit the XML configuration for a network filter.
OPTIONS
	[--nwfilter] <string>  network filter name or uuid

  
 

Function: opens the filter's XML in an editor, like virsh edit does for a domain. Once the edit is saved, libvirt re-instantiates the rules on every running VM interface that references the filter, so the change takes effect immediately without restarting any VM.

  • nwfilter-list
NAME
	nwfilter-list - list network filters
SYNOPSIS
	nwfilter-list
DESCRIPTION
	Returns list of network filters.

  
 

Function: lists the filters currently defined:

virsh # nwfilter-list
 UUID                                  Name
------------------------------------------------------------------
 3a6d8a6c-ba20-4ff4-96b5-6f3b0d88f886  allow-arp
 675ab5ba-686e-4ce3-a1b7-a2210d81e7eb  allow-dhcp
 8b0620fa-f1d6-4002-a1c1-a65fee662187  allow-dhcp-server
 587e3cf8-ef8c-434b-8983-cc8e169f145f  allow-incoming-ipv4
 b170b35e-a602-42df-847f-1e4ca10ad7aa  allow-ipv4
 5c0fe721-8071-465e-979b-f935beb938f4  clean-traffic
 fbc91fd1-19b4-4833-8fbe-1d7f795003f3  no-arp-ip-spoofing
 f91440d6-3b3a-4fec-8898-2b978f01e97e  no-arp-mac-spoofing
 87d78eeb-8289-40ab-9616-2f6180813bc6  no-arp-spoofing
 e0a25fc7-ff32-4156-8a1c-bf90d100b173  no-ip-multicast
 b1d1be20-cc33-44fe-ac1d-03796d529890  no-ip-spoofing
 0b0d75e0-e12c-43b1-8062-c1bd58303600  no-mac-broadcast
 03fccb6d-1576-4e47-93a2-382d378cd8b2  no-mac-spoofing
 6dab6821-8caf-4794-9be8-d7ccb26639e6  no-other-l2-traffic
 94985992-e597-4449-8c99-3d261c3d5c34  no-other-rarp-traffic
 5d61fcbf-96a4-4c30-9c06-c853e14fa40a  qemu-announce-self
 780863fb-3afd-43b2-a624-8372b2d2a8cc  qemu-announce-self-rarp

  
 
  • nwfilter-undefine
NAME
	nwfilter-undefine - undefine a network filter
SYNOPSIS
	nwfilter-undefine <nwfilter>
DESCRIPTION
	Undefine a given network filter.
OPTIONS
	[--nwfilter] <string>  network filter name or uuid

  
 

Function: the opposite of nwfilter-define. Removes the filter definition together with its XML file under /etc/libvirt/nwfilter. A filter that is still referenced by a running VM's interface cannot be undefined; libvirt reports it as in use.

XML configuration

Official XML reference: https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoIP

1. Domain XML configuration

The network traffic filtering subsystem enables configuration of network traffic filtering rules on individual network interfaces that are configured for certain types of network configurations. Supported network types are
	network
	ethernet -- must be used in bridging mode
	bridge
The interface XML is used to reference a top-level filter. In the following example, the interface description references the filter clean-traffic.

  
 

In the VM's XML, add the network device under <devices>. The interface must be one of the types listed above; the examples here use type='bridge'.

This first form passes no parameters, so libvirt has to learn the VM's IP address by watching its traffic (CTRL_IP_LEARNING defaults to any). That costs some overhead and delays full instantiation of the address-based rules until an address has been seen.

<devices>
  <interface type='bridge'>
    <mac address='00:16:3e:5d:c7:9e'/>
    <source bridge='br0'/>
    <filterref filter='clean-traffic'/>
  </interface>
</devices>

  
 

Configuration with an IP parameter, which fixes $IP instead of learning it:

<devices>
  <interface type='bridge'>
    <mac address='00:16:3e:5d:c7:9e'/>
    <source bridge='br0'/>
    <filterref filter='clean-traffic'>
      <parameter name='IP' value='10.0.0.1'/>
    </filterref>
  </interface>
</devices>

  
 

Explicitly disabling automatic IP detection:

<filterref filter='clean-traffic'>
  <parameter name='CTRL_IP_LEARNING' value='none'/>
</filterref>

  
 

The accepted values are any (learn the address from any packet the VM sends), dhcp (use only the address assigned by DHCP) and none (no learning; rules that reference $IP then require the IP parameter).

The other variables are listed in the table below; the author has not verified them:

Variable Name Semantics
MAC The MAC address of the interface
IP The list of IP addresses in use by an interface
IPV6 Not currently implemented: the list of IPV6 addresses in use by an interface
DHCPSERVER The list of IP addresses of trusted DHCP servers
DHCPSERVERV6 Not currently implemented: The list of IPv6 addresses of trusted DHCP servers
CTRL_IP_LEARNING The choice of the IP address detection mode

2. Network filter XML

2.1 Filtering chains

Libvirt's network filtering system automatically creates individual root chains for every virtual machine's network interface on which the user chooses to activate traffic filtering. The user may write filtering rules that are either directly instantiated in the root chain or may create protocol-specific filtering chains for efficient evaluation of protocol-specific rules

  
 

The chains supported by default:

root, mac, stp, vlan, arp, rarp, ipv4, ipv6

  
 

2.2 Filtering chain priorities

All chains are connected to the root chain. The order in which those chains are accessed is influenced by the priority of the chain. The following table shows the chains that can be assigned a priority and their default priorities.

  
 

The chain priority decides the order in which the protocol chains are consulted from the root chain when the firewall evaluates a packet.

Default chain priorities:

Chain (prefix) Default priority
stp -810
mac -800
vlan -750
ipv4 -700
ipv6 -600
arp -500
rarp -400

With that, the header and footer of a filter XML are in place, as in the example below. name is mandatory; uuid is optional and, if given, must be unique, and libvirt generates one when it is omitted.

<filter name='no-arp-spoofing' chain='arp' priority='-500'>
  <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
</filter>

  
 

2.3 Filter rules

Example:

<rule action='drop' direction='out' priority='500'>
  <ip match='no' srcipaddr='$IP'/>
</rule>

  
 

2.3.1 Rule header

The official explanation of each field follows.

<rule action='drop' direction='out' priority='500'>

  
 
  • action
action -- mandatory; must either be drop (matching the rule silently discards the packet with no further analysis), reject (matching the rule generates an ICMP reject message with no further analysis) (since 0.9.0), accept (matching the rule accepts the packet with no further analysis), return (matching the rule passes this filter, but returns control to the calling filter for further analysis) (since 0.9.7), or continue (matching the rule goes on to the next rule for further analysis) (since 0.9.7).

  
 

The action values: drop silently discards the packet; reject discards it and sends an ICMP reject back; accept lets the packet through; return leaves the current filter and hands control back to the calling filter; continue goes on to the next rule.

  • direction
direction -- mandatory; must either be in, out or inout if the rule is for incoming, outgoing or incoming-and-outgoing traffic

  
 
  • priority
priority -- optional; the priority of the rule controls the order in which the rule will be instantiated relative to other rules. Rules with lower value will be instantiated before rules with higher values. Valid values are in the range of 0 to 1000. Since 0.9.8 this has been extended to cover the range of -1000 to 1000. If this attribute is not provided, priority 500 will automatically be assigned. 
Note that filtering rules in the root chain are sorted with filters connected to the root chain following their priorities. This allows to interleave filtering rules with access to filter chains. (See also section on filtering chain priorities .)

  
 
  • statematch
statematch -- optional; possible values are '0' or 'false' to turn the underlying connection state matching off; default is 'true' 
Also read the section on advanced configuration topics.

  
 

statematch: connection-state matching; it is on by default, so it normally does not need to be set.

2.3.2 Rule body

  • Supported protocols

MAC, VLAN, STP, ARP/RARP, IPv4, IPv6, TCP/UDP/SCTP, ICMP, IGMP/ESP/AH/UDPLITE/'ALL', TCP/UDP/SCTP over IPv6, ICMPv6, and ESP/AH/UDPLITE/'ALL' over IPv6.

  • Rule fields
<rule action='drop' direction='in'>
  <protocol match='no' attribute1='value1' attribute2='value2'/>
  <protocol attribute3='value3'/>
</rule>

  
 

match='no' negates the element: the rule then matches packets that do NOT carry the given attribute values. It is the way to express exceptions.

Evaluation:

Rules perform a logical AND evaluation on all values of the given protocol attributes. Thus, if a single attribute's value does not match the one given in the rule, the whole rule will be skipped during evaluation. Therefore, in the above example incoming traffic will only be dropped if the protocol property attribute1 does not match value1 AND the protocol property attribute2 does not match value2 AND the protocol property attribute3 matches value3. 

  
 

The attributes are ANDed: the rule fires, and the packet is dropped, only when attribute1 is not value1 AND attribute2 is not value2 AND attribute3 is value3. A packet that fails any single condition skips the rule and is evaluated against the next one.
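As an added illustration of these semantics (not code from the original post or from libvirt), the following Python model parses a small subset of filter XML and evaluates constructed packets against it. It shows the three things that decide a packet's fate: rules are walked in ascending priority value regardless of their order in the XML; all attributes of one protocol element are ANDed, with match='no' negating each attribute; and a packet that matches no rule is accepted, because nwfilter has no implicit deny. The filter and the packets are constructed sample data, and the packet dictionary format and the handful of attributes supported are this model's own simplifications.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed filter for this example; not one of the filters shipped with
# libvirt. The rules are deliberately out of priority order in the XML.
DEMO_FILTER_XML = """
<filter name='demo-in' chain='root'>
  <rule action='drop' direction='in' priority='200'>
    <all/>
  </rule>
  <rule action='accept' direction='in' priority='150'>
    <tcp match='no' srcipaddr='10.0.0.0' srcipmask='255.0.0.0' dstportstart='22'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <tcp srcipaddr='172.22.222.222' srcipmask='32' dstportstart='24' dstportend='65535'/>
  </rule>
</filter>
"""

# Protocol element -> transport protocol it requires (None: any packet).
PROTO_TAGS = {"tcp": "tcp", "udp": "udp", "icmp": "icmp", "ip": None, "all": None}


def parse_filter(xml_text):
    """Return (priority, action, direction, [(tag, negate, attrs)]) tuples
    sorted by ascending priority; the default priority is 500."""
    rules = []
    for rule in ET.fromstring(xml_text.strip()).findall("rule"):
        conds = []
        for el in rule:
            if el.tag not in PROTO_TAGS:
                raise ValueError("unsupported protocol element <%s>" % el.tag)
            attrs = {k: v for k, v in el.attrib.items() if k != "match"}
            conds.append((el.tag, el.get("match") == "no", attrs))
        rules.append((int(rule.get("priority", "500")), rule.get("action"),
                      rule.get("direction"), conds))
    rules.sort(key=lambda r: r[0])  # stable: equal priorities keep XML order
    return rules


def _attribute_checks(attrs, pkt):
    """Yield one boolean per supported attribute: does the packet satisfy it?"""
    if "srcipaddr" in attrs:
        # IP_MASK may be a prefix length ('32') or a dotted mask ('255.0.0.0')
        net = ipaddress.ip_network("%s/%s" % (attrs["srcipaddr"],
                                              attrs.get("srcipmask", "32")), strict=False)
        yield ipaddress.ip_address(pkt["src"]) in net
    if "dstipaddr" in attrs:
        net = ipaddress.ip_network("%s/%s" % (attrs["dstipaddr"],
                                              attrs.get("dstipmask", "32")), strict=False)
        yield ipaddress.ip_address(pkt["dst"]) in net
    if "dstportstart" in attrs:
        lo = int(attrs["dstportstart"])
        hi = int(attrs.get("dstportend", lo))  # a single port when no end is given
        yield lo <= pkt["dport"] <= hi
    if "srcportstart" in attrs:
        lo = int(attrs["srcportstart"])
        hi = int(attrs.get("srcportend", lo))
        yield lo <= pkt["sport"] <= hi


def element_matches(tag, negate, attrs, pkt):
    """The protocol itself must match; every attribute is ANDed, and
    match='no' negates each attribute individually (not the protocol)."""
    want = PROTO_TAGS[tag]
    if want is not None and pkt["proto"] != want:
        return False
    return all(ok != negate for ok in _attribute_checks(attrs, pkt))


def evaluate(rules, pkt):
    """First rule whose direction and protocol elements all match decides.
    'continue' falls through; a packet matching no rule is accepted."""
    for _prio, action, direction, conds in rules:
        if direction not in ("inout", pkt["dir"]):
            continue
        if all(element_matches(tag, neg, attrs, pkt) for tag, neg, attrs in conds):
            if action == "continue":
                continue
            return action
    return "accept"


def verdict(xml_text, **pkt):
    """Evaluate one constructed packet (dir, proto, src, dst, sport, dport)."""
    return evaluate(parse_filter(xml_text), pkt)


if __name__ == "__main__":
    for p in (
        dict(dir="in", proto="tcp", src="172.22.222.222", dst="10.1.1.10", sport=40000, dport=443),
        dict(dir="in", proto="tcp", src="172.22.222.222", dst="10.1.1.10", sport=40000, dport=22),
        dict(dir="in", proto="tcp", src="192.0.2.7", dst="10.1.1.10", sport=40000, dport=80),
        dict(dir="in", proto="tcp", src="10.9.9.9", dst="10.1.1.10", sport=40000, dport=80),
        dict(dir="in", proto="udp", src="192.0.2.7", dst="10.1.1.10", sport=40000, dport=53),
        dict(dir="out", proto="udp", src="10.1.1.10", dst="192.0.2.7", sport=40000, dport=53),
    ):
        print(p["dir"], p["proto"], p["src"], "->", p["dport"], "=>", verdict(DEMO_FILTER_XML, **p))
```

Two of the verdicts are worth noting: inbound TCP to port 22 from the trusted host is dropped, because the priority-100 rule only covers ports 24 and up and the priority-150 rule, being negated, requires the destination port to be anything but 22; and the outbound UDP packet is accepted although no rule mentions it, which is exactly why a production filter ends with an explicit drop-all for every direction it wants closed.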

<rule action='drop' direction='in' priority='400'>
  <tcp connlimit-above='1'/>
</rule>

  
 

connlimit-above: limits the number of connections. With the rule above, new inbound TCP connections are dropped once more than one is already open; underneath this is the iptables connlimit match, which counts per source address by default.

MAC

Attribute Datatype Semantics
srcmacaddr MAC_ADDR MAC address of sender
srcmacmask MAC_MASK Mask applied to MAC address of sender
dstmacaddr MAC_ADDR MAC address of destination
dstmacmask MAC_MASK Mask applied to MAC address of destination
protocolid UINT16 (0x600-0xffff), STRING Layer 3 protocol ID
comment (Since 0.8.5) STRING text with max. 256 characters

Example: a negated source MAC, matching frames whose sender is not the interface's own MAC (this is how the shipped no-mac-spoofing filter works):

<mac match='no' srcmacaddr='$MAC'/>

  
 

VLAN

ARP/RARP

VLAN and ARP/RARP are not covered here; they are seldom written by hand, and the shipped no-arp-*-spoofing filters cover the usual ARP cases.

IPv4

Attribute Datatype Semantics
srcmacaddr MAC_ADDR MAC address of sender
srcmacmask MAC_MASK Mask applied to MAC address of sender
dstmacaddr MAC_ADDR MAC address of destination
dstmacmask MAC_MASK Mask applied to MAC address of destination
srcipaddr IP_ADDR Source IP address
srcipmask IP_MASK Mask applied to source IP address
dstipaddr IP_ADDR Destination IP address
dstipmask IP_MASK Mask applied to destination IP address
protocol UINT8, STRING Layer 4 protocol identifier
srcportstart UINT16 Start of range of valid source ports; requires protocol
srcportend UINT16 End of range of valid source ports; requires protocol
dstportstart UINT16 Start of range of valid destination ports; requires protocol
dstportend UINT16 End of range of valid destination ports; requires protocol
dscp UINT8 (0x0-0x3f, 0 - 63) Differentiated Services Code Point
comment (Since 0.8.5) STRING text with max. 256 characters

IPv6

IPv6 is not covered here.

TCP/UDP/SCTP

Attribute Datatype Semantics
srcmacaddr MAC_ADDR MAC address of sender
srcipaddr IP_ADDR Source IP address
srcipmask IP_MASK Mask applied to source IP address
dstipaddr IP_ADDR Destination IP address
dstipmask IP_MASK Mask applied to destination IP address
srcipfrom IP_ADDR Start of range of source IP address
srcipto IP_ADDR End of range of source IP address
dstipfrom IP_ADDR Start of range of destination IP address
dstipto IP_ADDR End of range of destination IP address
srcportstart UINT16 Start of range of valid source ports
srcportend UINT16 End of range of valid source ports
dstportstart UINT16 Start of range of valid destination ports
dstportend UINT16 End of range of valid destination ports
dscp UINT8 (0x0-0x3f, 0 - 63) Differentiated Services Code Point
comment (Since 0.8.5) STRING text with max. 256 characters
state (Since 0.8.5) STRING comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE
flags (Since 0.9.1) STRING TCP-only: format of mask/flags with mask and flags each being a comma separated list of SYN,ACK,URG,PSH,FIN,RST or NONE or ALL
ipset (Since 0.9.13) STRING The name of an IPSet managed outside of libvirt
ipsetflags (Since 0.9.13) IPSETFLAGS flags for the IPSet; requires ipset attribute

ICMP

Attribute Datatype Semantics
srcmacaddr MAC_ADDR MAC address of sender
srcmacmask MAC_MASK Mask applied to MAC address of sender
dstmacaddr MAC_ADDR MAC address of destination
dstmacmask MAC_MASK Mask applied to MAC address of destination
srcipaddr IP_ADDR Source IP address
srcipmask IP_MASK Mask applied to source IP address
dstipaddr IP_ADDR Destination IP address
dstipmask IP_MASK Mask applied to destination IP address
srcipfrom IP_ADDR Start of range of source IP address
srcipto IP_ADDR End of range of source IP address
dstipfrom IP_ADDR Start of range of destination IP address
dstipto IP_ADDR End of range of destination IP address
type UINT16 ICMP type
code UINT16 ICMP code
dscp UINT8 (0x0-0x3f, 0 - 63) Differentiated Services Code Point
comment (Since 0.8.5) STRING text with max. 256 characters
state (Since 0.8.5) STRING comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE
ipset (Since 0.9.13) STRING The name of an IPSet managed outside of libvirt
ipsetflags (Since 0.9.13) IPSETFLAGS flags for the IPSet; requires ipset attribute

The remaining protocols are not covered here.

Note: an IP mask may be written either as "24" or as "255.255.255.0"; libvirt normalizes the format when the filter is defined.

2.3.4 Common rule example

<filter name='test-eth0'>
  <!-- reference the clean traffic filter to prevent MAC, IP and ARP spoofing.
       By not providing an IP address parameter, libvirt will detect the IP
       address the VM is using. -->
  <filterref filter='clean-traffic'/>

  <!-- enable TCP port 21 (ftp-control) to be reachable -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='21'/>
  </rule>

  <!-- enable TCP port 20 for VM-initiated ftp data connection
       related to an existing ftp control connection -->
  <rule action='accept' direction='out'>
    <tcp srcportstart='20' state='RELATED,ESTABLISHED'/>
  </rule>

  <!-- accept all packets from client on the ftp data connection -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='20' state='ESTABLISHED'/>
  </rule>

  <!-- enable TCP ports 22 (ssh) and 80 (http) to be reachable -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='22'/>
  </rule>

  <rule action='accept' direction='in'>
    <tcp dstportstart='80'/>
  </rule>

  <!-- enable general ICMP traffic to be initiated by the VM;
       this includes ping traffic -->
  <rule action='accept' direction='out'>
    <icmp/>
  </rule>

  <!-- enable outgoing DNS lookups using UDP -->
  <rule action='accept' direction='out'>
    <udp dstportstart='53'/>
  </rule>

  <!-- drop all other traffic -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>

</filter>

  
 

2.3.5 Author's example

<filter name='rule' chain='root'>
  <uuid>4e82be8f-5d76-45a1-8446-xxxxxxxxxxx</uuid>
  <!-- inbound default: drop everything. Priority 200 is evaluated after the
       accept rules at priority 100, because lower values are instantiated first -->
  <rule action='drop' direction='in' priority='200'/>
  <!-- inbound: to this VM's MAC, destination ports 24-65535, from one source host.
       All conditions sit on a single protocol element and are ANDed;
       srcipmask='0' would match any source address, so '32' selects one host -->
  <rule action='accept' direction='in' priority='100'>
    <tcp dstmacaddr='52:54:00:4b:aa:1f'
         dstportstart='24' dstportend='65535'
         srcipaddr='172.22.222.222' srcipmask='32'/>
  </rule>
  <!-- outbound: from this VM's MAC, any source port, to that host -->
  <rule action='accept' direction='out' priority='100'>
    <tcp srcmacaddr='52:54:00:4b:aa:1f'
         srcportstart='1' srcportend='65535'
         dstipaddr='172.22.222.222' dstipmask='32'/>
  </rule>
  <!-- the same conditions, instantiated in both directions -->
  <rule action='accept' direction='inout' priority='100'>
    <tcp srcmacaddr='52:54:00:4b:aa:1f'
         srcportstart='1' srcportend='65535'
         dstipaddr='172.22.222.222' dstipmask='32'/>
  </rule>
</filter>

  
 

These rules are written for TCP; other protocols are analogous. Comments must use real XML comment syntax (<!-- -->); the <!= ... > form used in the original is not XML and makes define fail, which is why they had to be removed. The uuid element must be a well-formed UUID or be left out, in which case libvirt generates one. Ports run only up to 65535. Because libvirt's rule model carries one protocol header per rule, put all of a rule's conditions on one protocol element rather than repeating <tcp>, and confirm what was actually instantiated with "ebtables -t nat -L" and "iptables -L -n" after the VM starts.

2.3.6 Other notes

In the filter above, inbound traffic is default-deny (the drop rule at priority 200 catches whatever the priority-100 accept rules did not) while outbound traffic is default-allow, because no outbound drop rule exists. That is a property of this filter, not of nwfilter: a packet that matches no rule is passed, so every default-deny has to be written explicitly, as the trailing drop-all in clean-traffic's example does.

The default XML directory is:

/etc/libvirt/nwfilter
# ls
allow-arp.xml             clean-traffic.xml        no-ip-multicast.xml      no-other-rarp-traffic.xml
allow-dhcp-server.xml     clean-traffic.xml_bak    no-ip-spoofing.xml       qemu-announce-self-rarp.xml
allow-dhcp.xml            no-arp-ip-spoofing.xml   no-mac-broadcast.xml     qemu-announce-self.xml
allow-incoming-ipv4.xml   no-arp-mac-spoofing.xml  no-mac-spoofing.xml
allow-ipv4.xml            no-arp-spoofing.xml      no-other-l2-traffic.xml

  
 

Network Filter API

Official reference: https://libvirt.org/html/libvirt-libvirt-nwfilter.html#virNWFilterBindingCreateXML

The website documents the latest API; to see which functions your installed version supports, check the headers under /usr/include/libvirt:

libvirt-admin.h            libvirt-event.h      libvirt-lxc.h       libvirt-qemu.h     virterror.h
libvirt-common.h           libvirt.h            libvirt-network.h   libvirt-secret.h
libvirt-domain.h           libvirt-host.h       libvirt-nodedev.h   libvirt-storage.h
libvirt-domain-snapshot.h  libvirt-interface.h  libvirt-nwfilter.h  libvirt-stream.h

  
 

The nwfilter functions are declared in libvirt-nwfilter.h. For development it is enough to include libvirt.h, which pulls in the others.

libvirt.h:

#ifndef __VIR_VIRLIB_H__
# define __VIR_VIRLIB_H__

# include <sys/types.h>

# ifdef __cplusplus
extern "C" {
# endif

# define __VIR_LIBVIRT_H_INCLUDES__
# include <libvirt/libvirt-common.h>
# include <libvirt/libvirt-host.h>
# include <libvirt/libvirt-domain.h>
# include <libvirt/libvirt-domain-snapshot.h>
# include <libvirt/libvirt-event.h>
# include <libvirt/libvirt-interface.h>
# include <libvirt/libvirt-network.h>
# include <libvirt/libvirt-nodedev.h>
# include <libvirt/libvirt-nwfilter.h>
# include <libvirt/libvirt-secret.h>
# include <libvirt/libvirt-storage.h>
# include <libvirt/libvirt-stream.h>
# undef __VIR_LIBVIRT_H_INCLUDES__

# ifdef __cplusplus
}
# endif

#endif /* __VIR_VIRLIB_H__ */

  
 

The main interfaces in libvirt-nwfilter.h:

#ifndef __VIR_LIBVIRT_NWFILTER_H__
# define __VIR_LIBVIRT_NWFILTER_H__

# ifndef __VIR_LIBVIRT_H_INCLUDES__
#  error "Don't include this file directly, only use libvirt/libvirt.h"
# endif

/**
 * virNWFilter:
 *
 * a virNWFilter is a private structure representing a network filter
 */
typedef struct _virNWFilter virNWFilter;

/**
 * virNWFilterPtr:
 *
 * a virNWFilterPtr is pointer to a virNWFilter private structure,
 * this is the type used to reference a network filter in the API.
 */
typedef virNWFilter *virNWFilterPtr;
/*
 * List NWFilters
 */
int virConnectNumOfNWFilters (virConnectPtr conn);
int virConnectListNWFilters  (virConnectPtr conn, char **const names, int maxnames);
int virConnectListAllNWFilters(virConnectPtr conn, virNWFilterPtr **filters, unsigned int flags);
/*
 * Lookup nwfilter by name or uuid
 */
virNWFilterPtr virNWFilterLookupByName (virConnectPtr conn, const char *name);
virNWFilterPtr virNWFilterLookupByUUID (virConnectPtr conn, const unsigned char *uuid);
virNWFilterPtr virNWFilterLookupByUUIDString (virConnectPtr conn, const char *uuidstr);
/*
 * Define persistent nwfilter
 */
virNWFilterPtr virNWFilterDefineXML (virConnectPtr conn, const char *xmlDesc);

/*
 * Delete persistent nwfilter
 */
int virNWFilterUndefine (virNWFilterPtr nwfilter);

/*
 * NWFilter destroy/free
 */
int virNWFilterRef (virNWFilterPtr nwfilter);
int virNWFilterFree (virNWFilterPtr nwfilter);

/*
 * NWFilter information
 */
const char* virNWFilterGetName (virNWFilterPtr nwfilter);
int virNWFilterGetUUID (virNWFilterPtr nwfilter, unsigned char *uuid);
int virNWFilterGetUUIDString (virNWFilterPtr nwfilter, char *buf);
char * virNWFilterGetXMLDesc (virNWFilterPtr nwfilter, unsigned int flags);

#endif /* __VIR_LIBVIRT_NWFILTER_H__ */

  
 

These mirror the virsh commands. In practice, defining nwfilter rules from code uses:

virNWFilterPtr virNWFilterDefineXML (virConnectPtr conn,const char *xmlDesc);

  
 

It corresponds to the nwfilter-define command and defines a filter from its XML description.

Demo (the author's helpers, which build the filter XML from their arguments):

#include <list>
#include <string>

namespace nwfilter_str {

// Inbound accept rule. All conditions go on one protocol element, where they
// are ANDed. The arguments are spliced into XML verbatim, so the caller must
// validate them (MAC format, port range, address, mask) beforehand.
static std::string in_rule(const std::string &mac, const std::string &protocol,
                           const std::string &startPort, const std::string &endPort,
                           const std::string &ip, const std::string &ipmask)
{
    return "<rule action='accept' direction='in' priority='100'>\n"
           "  <" + protocol + " dstmacaddr='" + mac + "'"
           " dstportstart='" + startPort + "' dstportend='" + endPort + "'"
           " srcipaddr='" + ip + "' srcipmask='" + ipmask + "'/>\n"
           "</rule>\n";
}

// Rule instantiated in both directions: from this VM's MAC to a destination host.
static std::string inout_rule(const std::string &mac, const std::string &protocol,
                              const std::string &startPort, const std::string &endPort,
                              const std::string &ip, const std::string &ipmask)
{
    return "<rule action='accept' direction='inout' priority='100'>\n"
           "  <" + protocol + " srcmacaddr='" + mac + "'"
           " srcportstart='" + startPort + "' srcportend='" + endPort + "'"
           " dstipaddr='" + ip + "' dstipmask='" + ipmask + "'/>\n"
           "</rule>\n";
}

// Whole filter: header with UUID, an inbound drop-all at priority 200 (evaluated
// after the accept rules at priority 100), the generated rules, footer.
static std::string rule_xml(const std::string &uuid, const std::list<std::string> &list)
{
    std::string xmlHeader("<filter name='safe-rule' chain='root'>\n  <uuid>" + uuid + "</uuid>\n");
    std::string xmlDefault("  <rule action='drop' direction='in' priority='200'/>\n");
    std::string xmlRule;
    for (const auto &it : list)
        xmlRule += it;
    std::string xmlTail("</filter>\n");
    return xmlHeader + xmlDefault + xmlRule + xmlTail;
}

} // namespace nwfilter_str

  
 

The call (keep the std::string alive for the duration of the call; taking c_str() of a temporary, as the original did, leaves a dangling pointer):

std::string nwxml = nwfilter_str::rule_xml(std::string("4e82be8f-5d76-45a1-8446-66a527f39115"), ruleList);
virNWFilterPtr filter = virNWFilterDefineXML(conn, nwxml.c_str());  // NULL on failure; see virGetLastErrorMessage()
if (filter) virNWFilterFree(filter);

  
 

The other prerequisites (opening the connection, building ruleList) are not covered here; the earlier article on obtaining a guest IP through the libvirt API describes them in detail.
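The C++ helpers above splice their arguments straight into XML. If any of those strings comes from a user or an API caller, a value such as 80'/><rule action='accept' direction='inout'/><tcp dstportstart='1 would either inject an extra rule or make define fail, and an out-of-range port like 65536 is passed through unchecked. As an added example (not the author's code and not part of libvirt), the following Python builder validates each value and assembles the document with ElementTree, which escapes attribute values. It also produces the <filterref> parameter block from the domain XML section earlier, so the same validators cover both. The name policy, the helper names and the sample MAC, addresses and UUID are this example's assumptions; the values mirror the author's example.

```python
import ipaddress
import re
import uuid as uuidlib
import xml.etree.ElementTree as ET

_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")   # conservative filter-name policy (assumption)
_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
_PROTOCOLS = ("tcp", "udp", "sctp")                 # protocols that carry port attributes


def _port(value):
    port = int(value)                 # ValueError on "80'/>..." or "abc"
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % (value,))
    return port


def _mac(value):
    mac = str(value).strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % (value,))
    return mac


def _ipv4(value):
    return str(ipaddress.IPv4Address(value))   # AddressValueError (a ValueError) on junk


def _mask(value):
    """nwfilter IP_MASK accepts a prefix length or a dotted mask; normalise to a prefix."""
    return str(ipaddress.IPv4Network("0.0.0.0/%s" % value).prefixlen)


def inbound_rule(mac, protocol, port_start, port_end, src_ip, src_mask, priority=100):
    """<rule action='accept' direction='in'> with every condition on ONE protocol
    element (they are ANDed): destination MAC, destination port range, source network."""
    if protocol not in _PROTOCOLS:
        raise ValueError("unsupported protocol: %r" % (protocol,))
    lo, hi = _port(port_start), _port(port_end)
    if lo > hi:
        raise ValueError("port range start %d exceeds end %d" % (lo, hi))
    rule = ET.Element("rule", action="accept", direction="in", priority=str(int(priority)))
    ET.SubElement(rule, protocol, dstmacaddr=_mac(mac),
                  dstportstart=str(lo), dstportend=str(hi),
                  srcipaddr=_ipv4(src_ip), srcipmask=_mask(src_mask))
    return rule


def outbound_rule(mac, protocol, dst_ip, dst_mask, priority=100):
    """<rule action='accept' direction='out'>: from this VM's MAC to a destination network."""
    if protocol not in _PROTOCOLS:
        raise ValueError("unsupported protocol: %r" % (protocol,))
    rule = ET.Element("rule", action="accept", direction="out", priority=str(int(priority)))
    ET.SubElement(rule, protocol, srcmacaddr=_mac(mac),
                  dstipaddr=_ipv4(dst_ip), dstipmask=_mask(dst_mask))
    return rule


def build_filter(name, rules, filter_uuid=None):
    """Assemble <filter>: the accept rules (priority 100) and then an explicit
    inbound drop-all at priority 200. Without that rule nwfilter would let
    unmatched inbound traffic through, since it has no implicit deny."""
    if not _NAME_RE.match(name):
        raise ValueError("bad filter name: %r" % (name,))
    filt = ET.Element("filter", name=name, chain="root")
    # uuid.UUID() rejects placeholders such as "...-xxxxxxxxxxx"
    ET.SubElement(filt, "uuid").text = str(uuidlib.UUID(filter_uuid) if filter_uuid else uuidlib.uuid4())
    for rule in rules:
        filt.append(rule)
    drop = ET.SubElement(filt, "rule", action="drop", direction="in", priority="200")
    ET.SubElement(drop, "all")
    # ElementTree double-quotes and escapes attribute values; libvirt accepts either quote style
    return ET.tostring(filt, encoding="unicode")


def filterref(filter_name, ip=None, mac=None):
    """<filterref> for a domain <interface>; giving IP fixes $IP up front so the
    spoofing rules do not wait on libvirt learning the address from traffic."""
    ref = ET.Element("filterref", filter=filter_name)
    if ip is not None:
        ET.SubElement(ref, "parameter", name="IP", value=_ipv4(ip))
    if mac is not None:
        ET.SubElement(ref, "parameter", name="MAC", value=_mac(mac))
    return ET.tostring(ref, encoding="unicode")


if __name__ == "__main__":
    rules = [
        inbound_rule("52:54:00:4B:AA:1F", "tcp", "24", "65535", "172.22.222.222", "255.255.255.255"),
        outbound_rule("52:54:00:4b:aa:1f", "tcp", "172.22.222.222", "32"),
    ]
    print(build_filter("safe-rule", rules, "4e82be8f-5d76-45a1-8446-66a527f39115"))
    print(filterref("safe-rule", ip="10.0.0.1"))
```

The returned string can be passed to virNWFilterDefineXML unchanged or written to a file for virsh nwfilter-define. Rejecting bad input before it reaches libvirt matters because libvirt's own error for an injected value is a generic XML or attribute parse failure, while a value that happens to parse (a mask of 0, a port range spanning everything) would be installed silently.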

The current documentation also lists the following function:

virNWFilterBindingPtr	virNWFilterBindingCreateXML	(virConnectPtr conn, const char * xml, unsigned int flags)

  
 

Description:

Define a new network filter, based on an XML description similar to the one returned by virNWFilterGetXMLDesc(). This API may be used to associate a filter with a currently running guest that does not have a filter defined for a specific network port. Since the bindings are generally automatically managed by the hypervisor, using this command to define a filter for a network port and then starting the guest afterwards may prevent the guest from starting if it attempts to use the network port and finds a filter already defined.

  
 

According to the documentation this binds a filter directly to a running VM; the author has not verified it. It differs from

virNWFilterPtr	virNWFilterDefineXML	(virConnectPtr conn, const char * xmlDesc)

  
 

Description:

Define a new network filter, based on an XML description similar to the one returned by virNWFilterGetXMLDesc()
virNWFilterFree should be used to free the resources after the nwfilter object is no longer needed.

  
 

virNWFilterDefineXML only takes effect on a VM whose interface XML already carries a <filterref> to the filter; the rules are instantiated when the VM starts or when the referenced filter changes. virNWFilterBindingCreateXML (libvirt 4.5.0 and later) needs no such precondition: its XML names the owning domain, the host-side port device and the filter, so it attaches a filter to one specific interface of a running guest.

The libvirt used here does not expose it (the header above stops at virNWFilterGetXMLDesc), which is why the mailing list was consulted; the discussion found there is the following:
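As an added illustration that is not part of the original post, this is the shape of the binding XML that virNWFilterBindingCreateXML and virsh nwfilter-binding-create accept in libvirt 4.5.0 and later. It names the owning domain, the host-side port device and the interface MAC, which is how the filter is tied to one specific interface of a running guest; the domain name, UUID, port device, MAC and IP below are constructed sample values:

```xml
<filterbinding>
  <!-- the guest that owns the interface -->
  <owner>
    <name>vm1</name>
    <uuid>8c5d7a4e-1f2b-4c3d-9e8f-0a1b2c3d4e5f</uuid>
  </owner>
  <!-- host-side tap device and the guest MAC behind it -->
  <portdev name='vnet0'/>
  <mac address='52:54:00:4b:aa:1f'/>
  <!-- same filterref as in the domain XML; fixing IP avoids address learning -->
  <filterref filter='clean-traffic'>
    <parameter name='IP' value='10.0.0.1'/>
  </filterref>
</filterbinding>
```

Create it with "virsh nwfilter-binding-create binding.xml", inspect it with "virsh nwfilter-binding-list" and "virsh nwfilter-binding-dumpxml vnet0", and remove it with "virsh nwfilter-binding-delete vnet0". Heed the warning in the API description above: bindings are normally created and torn down by the hypervisor driver, so a binding created by hand for a port device that a guest later tries to use can stop that guest from starting.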

Link: https://www.redhat.com/archives/libvir-list/2018-August/msg01407.html

The function discussed there is:

 int virDomainConfNWFilterInstantiate(const char *vmname, const unsigned char *vmuuid, virDomainNetDefPtr net, bool ignoreExists, bool ignoreDeleted);


  
 

virDomainConfNWFilterInstantiate is an internal function of libvirt's domain configuration layer and is not part of the public API, so an application cannot call it; the supported route is the nwfilter binding API. This is left for later work.

Source: blog.csdn.net, author 何其不顾四月天. Copyright belongs to the original author; contact the author before reposting.

Original: blog.csdn.net/u011218356/article/details/108340165
