libvirt网络过滤器

1.KVM虚拟机网络过滤器

根据过滤器可以实现KVM虚拟机对网络的访问进行有效的控制，从而达到网络隔离的效果，以下是四种具体的配置项

（1）开启外网和内网 （开启所有）
<filter name='gsdfs_952073_filter' chain='ipv4' priority='-700'>
  <uuid>1ca49adc-2058-0e6a-92c6-6ff44d9cc39d</uuid>
  <rule action='accept' direction='out' priority='100'/>
</filter>

（2）开启外网和禁用内网（关闭内网）
<filter name='gsdfs_952073_filter' chain='ipv4' priority='-700'>
  <uuid>1ca49adc-2058-0e6a-92c6-6ff44d9cc39d</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='67' srcportend='68' dstportstart='67' dstportend='68'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' srcportend='68' dstportstart='67' dstportend='68'/>
  </rule>
  <rule action='drop' direction='out' priority='200'>
    <ip match='yes' dstipaddr='192.168.1.254' dstipmask='24'/>
   </rule>
</filter>


 (3) 禁用外网和开启内网 (关闭外网）
<filter name='gsdfs_952073_filter' chain='ipv4' priority='-700'>
  <uuid>1ca49adc-2058-0e6a-92c6-6ff44d9cc39d</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='67' srcportend='68' dstportstart='67' dstportend='68'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' srcportend='68' dstportstart='67' dstportend='68'/>
  </rule>

  <rule action='drop' direction='out' priority='200'>
    <ip match='no' dstipaddr='192.168.1.254' dstipmask='24'/>
  </rule>
</filter>


（4）禁用外网和内网（关闭内外网）
<filter name='testWIN7_743760_filter' chain='ipv4' priority='-700'>
  <uuid>acce2a41-06ae-0764-6204-ceaec422ba7b</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='67' srcportend='68' dstportstart='67' dstportend='68'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' srcportend='68' dstportstart='67' dstportend='68'/>
  </rule>

  <rule action='drop' direction='out' priority='200'>
    <ip match='yes' dstipaddr='192.168.1.254' dstipmask='24'/>
  </rule>

  <rule action='drop' direction='out' priority='200'>
    <ip match='no' dstipaddr='192.168.1.254' dstipmask='24'/>
  </rule>
</filter>