It's possible to pass multiple parameters to the "filterref" using the "parameter" keyword, like this:

<filterref filter='no-ip-spoofing'>
   <parameter name='IP' value='10.0.0.1'/>
   <parameter name='IP' value='10.0.0.2'/>
</filterref>

And use them in "no-ip-spoofing" inside a "rule" statement:

<rule action='return' direction='out' priority='500'>
  <ip srcipaddr='$IP'/>
</rule>

Each IP (10.0.0.1, 10.0.0.2) inside the "rule" statement will be processed independently.

Q: But is it possible to pass parameters as a complex structure?
For example, I want to send to "no-ip-spoofing" not only the IP but also the MASK. Something like this (of course, the following listing is not a valid XML structure):

<filterref filter='no-ip-spoofing'>
   <parameter name='IP' value='10.0.0.1', name='MASK' value='255.255.255.0'/>
   <parameter name='IP' value='10.0.0.2', name='MASK' value='255.255.255.0'/>
</filterref>

And process them like this:

<rule action='return' direction='out' priority='500'>
  <ip srcipaddr='$IP' srcipmask='$MASK'/>
</rule>

How can I do that?

1 Answer

Don't take it as RTFM, yet the documentation has just the thing for such uses (https://libvirt.org/formatnwfilter.html#usage-of-variables-in-filters). Using two arrays of parameters and a single iterator should suffice, and I quote:

Accessing the same variables using a single iterator, for example by
using the notation $SRCIPADDRESSES[@1] and $DSTPORTS[@1], would result
in parallel access to both lists and result in the following combinations:

Yet I can't tell how to provide such parameters as I am still hitting my head over passing parameters to filters. Comments on that topic would be appreciated.

Side note: In the same chapter it is shown one can get a matrix of parameters with a separate iterator for each.

Edit: One needs to provide the array of arguments as streams, as shown at the question's top. For two arrays, just provide two separate streams:

<filterref filter='no-ip-spoofing'>
   <!-- Array of IP values -->
   <parameter name='IP' value='10.0.0.1'/>
   <parameter name='IP' value='10.0.0.2'/>
   <!-- Array of MASK values -->
   <parameter name='MASK' value='255.255.255.0'/>
   <parameter name='MASK' value='255.255.255.0'/>
</filterref>

Now, one must change the rule as such to iterate in parallel (single loop):

<rule action='return' direction='out' priority='500'>
  <ip srcipaddr='$IP[@1]' srcipmask='$MASK[@1]'/>
</rule>

[Self promotion] I have put up a somewhat related introductory tutorial regarding nwfilters: https://blog.cbugk.com/post/kvm-guest-network-isolation/
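
The parallel-iterator expansion discussed in the answer, modelled in Python as an added example (not part of the original post and not libvirt's own code): it groups repeated parameter elements into lists and expands a rule's $VAR[@N] references, pairing lists that share an iterator and combining lists on different iterators. Treating a plain $VAR like $VAR[@0] and rejecting parallel lists of unequal length are assumptions of this sketch; collect_params and expand_rule are hypothetical helper names.

```python
import itertools
import re
import xml.etree.ElementTree as ET

# Constructed sample input mirroring the answer's filterref and rule.
FILTERREF = """
<filterref filter='no-ip-spoofing'>
  <parameter name='IP' value='10.0.0.1'/>
  <parameter name='IP' value='10.0.0.2'/>
  <parameter name='MASK' value='255.255.255.0'/>
  <parameter name='MASK' value='255.255.255.0'/>
</filterref>
"""
RULE = "<ip srcipaddr='$IP[@1]' srcipmask='$MASK[@1]'/>"

VAR = re.compile(r"^\$([A-Za-z0-9_]+)(?:\[@(\d+)\])?$")


def collect_params(filterref_xml):
    """Group repeated <parameter> elements into one ordered list per name."""
    params = {}
    for p in ET.fromstring(filterref_xml).iter("parameter"):
        params.setdefault(p.get("name"), []).append(p.get("value"))
    return params


def expand_rule(rule_xml, params):
    """Return one attribute dict per concrete rule the variables expand to."""
    attrs = ET.fromstring(rule_xml).attrib
    groups = {}  # iterator id -> [(attribute, variable name), ...]
    for attr, val in attrs.items():
        m = VAR.match(val)
        if m:
            # Assumption: a plain $VAR behaves like $VAR[@0].
            groups.setdefault(m.group(2) or "0", []).append((attr, m.group(1)))
    axes = []
    for it, members in groups.items():
        lengths = {len(params[name]) for _, name in members}
        if len(lengths) != 1:
            # Assumption: a shared iterator needs lists of equal length, so a
            # missing MASK fails loudly instead of yielding a partial rule set.
            raise ValueError(f"iterator @{it}: parameter lists differ in length")
        n = lengths.pop()
        axes.append([{a: params[v][j] for a, v in members} for j in range(n)])
    rules = []
    for combo in itertools.product(*axes):  # different iterators: all pairs
        rule = dict(attrs)
        for part in combo:
            rule.update(part)
        rules.append(rule)
    return rules
```

Running expand_rule on the same parameters with `$MASK[@2]` in place of `$MASK[@1]` yields four rules instead of two, which is the matrix behaviour the side note mentions.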
