I'm trying to limit a VM's access to my network only to necessary devices using network filters:
https://libvirt.org/formatnwfilter.html
I have successfully done this with a single IP address using the following format:
Code:
<filter name='local-fileserver-only' chain='ipv4' priority='-700'>
  <uuid>fce8ae33-e69e-83bf-262e-30786c1f8072</uuid>
  <!-- drop everything the guest sends whose destination is NOT the file server -->
  <rule action='drop' direction='out' priority='500'>
    <ip match='no' dstipaddr='192.168.1.45'/>
  </rule>
</filter>
But this concept doesn't work with two IP addresses, since it is based on rejecting everything other than the match. There doesn't seem to be a way to do that with two addresses? So I've tried to use filters that accept an IP and then drop everything else, but I end up unable to access any traffic. The following example uses one IP but doesn't accept traffic to it. I'm not sure what I'm missing, and the docs don't seem to have any close examples.
Code:
<filter name='test-filter' chain='ipv4'>
  <uuid>fce8ae33-e69e-83bf-262e-30786c1f8079</uuid>
  <!-- inout rule, but the match is on the destination address in both directions -->
  <rule action='accept' direction='inout'>
    <ip match='yes' dstipaddr='192.168.1.202'/>
  </rule>
  <!-- drop all other traffic -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>
</filter>
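Added example, not part of the original post: an allow-list for two hosts built from the same `<ip>` rules the poster already has working. The point it shows is direction handling. In libvirt nwfilter, `direction='out'` is traffic the guest sends and `direction='in'` is traffic it receives, and an `inout` rule is simply instantiated in both directions with the same match. A reply coming back from 192.168.1.202 therefore has 192.168.1.202 as its *source*, so an `inout` rule matching `dstipaddr='192.168.1.202'` never accepts it and the catch-all drop wins. `<ip>` rules in the `ipv4` chain are also evaluated statelessly (no connection tracking, unlike the `<tcp>`/`<udp>`/`<all>` rules in the root chain), so inbound traffic needs its own `srcipaddr` rules. The filter name and the reuse of the two addresses from the post are assumptions for illustration.

```xml
<!-- Added example (not from the original post). Assumptions: filter name
     'two-hosts-only'; the two allowed hosts are 192.168.1.45 and 192.168.1.202.
     Load with:  virsh nwfilter-define two-hosts-only.xml
     Attach by putting <filterref filter='two-hosts-only'/> inside the guest's
     <interface> element. -->
<filter name='two-hosts-only' chain='ipv4' priority='-700'>

  <!-- Traffic the guest SENDS: accept only the two destinations.
       Lower priority numbers are evaluated first, so these run before the drop. -->
  <rule action='accept' direction='out' priority='100'>
    <ip dstipaddr='192.168.1.45'/>
  </rule>
  <rule action='accept' direction='out' priority='100'>
    <ip dstipaddr='192.168.1.202'/>
  </rule>

  <!-- Traffic the guest RECEIVES: the same two hosts appear as the SOURCE,
       so the inbound rules must match srcipaddr, not dstipaddr. -->
  <rule action='accept' direction='in' priority='100'>
    <ip srcipaddr='192.168.1.45'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip srcipaddr='192.168.1.202'/>
  </rule>

  <!-- Everything else that is IPv4, in either direction, is dropped.
       <ip/> with no attributes matches any IPv4 packet in this chain. -->
  <rule action='drop' direction='inout' priority='500'>
    <ip/>
  </rule>
</filter>
```

Caveats worth checking before relying on this: the filter is purely stateless, so a host outside the list cannot reach the guest and the guest cannot reach it, in either direction, which is the intent; ARP lives in its own chain and is not touched, so address resolution keeps working; but the guest's own DHCP exchange is IPv4 and would be dropped, so a guest that gets its address by DHCP also needs `<filterref filter='allow-dhcp'/>` (a filter libvirt ships), with the catch-all drop kept at a higher priority number than the DHCP accept rules. IPv6 is a separate chain and is left unfiltered by this filter, so a dual-stack guest needs the same treatment there.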