[virt-tools-list] Recommendation for improvement/feature request of virt-manager

Cole Robinson crobinso at redhat.com
Mon Oct 8 11:16:51 UTC 2018


On 10/06/2018 03:44 PM, scrap at mailbox.org wrote:
> Hello Cole,
> 
> thanks a lot for your kind reply! Let me try to answer your questions:
> 
> 
>> Do you have in mind a specific libvirt/qemu feature that you want 
>> exposed, or are you asking for this kind of on/off switch to be 
>> implemented lower in the stack?
> 
> I am just asking for implementation of that kind of on/off switch, 
> because it would be lots easier to quickly disable internet access for 
> specific VMs with any possibility like that.
> 
> 
>> You can avoid public internet access by choosing an appropriate 
>> network source: NAT guests are not accessible from the outside world.
> 
> Currently I have selected "NAT" with device model "virtio", but the VM 
> still has access to public internet. Maybe I misunderstood something?
> 
> 
>> What kind of network source are you using?
> 
> The host is connected to network via cable, the virtual machine NIC is 
> configured as NAT with device model "virtio" (which creates an 
> interface called "vnet0" on the host). This VM has full public internet 
> access, but I want to restrict its access to the host only (to create a 
> file exchange between host and guest, but without internet access).

Okay, in this case what you want to use is an 'isolated' virtual 
network. Stuff this XML in a file:

<network>
   <name>isolated</name>
   <forward mode='none'/>
   <ip address='192.168.130.1' netmask='255.255.255.0'>
     <dhcp>
       <range start='192.168.130.2' end='192.168.130.254'/>
     </dhcp>
   </ip>
</network>


Then from the command line do:

sudo virsh net-define $filename
sudo virsh net-autostart isolated
sudo virsh net-start isolated

Then in virt-manager change the VM network source to use this new 
'isolated' network. The VM and host can communicate, but the VM can't 
communicate with the outside world.

- Cole
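
An added example, not part of the original mail: one way to audit a libvirt network definition (the output of `virsh net-dumpxml <name>`) to confirm it is isolated rather than forwarded, and that its DHCP range is consistent with its subnet. The function name audit_network and the NAT sample are assumptions made for illustration; the isolated sample is the XML from the mail above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# ISOLATED_XML is the XML from the mail; NAT_XML is a constructed sample.
ISOLATED_XML = """<network>
  <name>isolated</name>
  <forward mode='none'/>
  <ip address='192.168.130.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.130.2' end='192.168.130.254'/>
    </dhcp>
  </ip>
</network>"""

NAT_XML = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>"""


def audit_network(xml_text):
    """Return name, forward mode, isolation status and DHCP range problems."""
    root = ET.fromstring(xml_text)
    forward = root.find("forward")
    # No <forward> element means isolated; the mail's XML spells it mode='none'.
    # A <forward> element without a mode attribute defaults to NAT in libvirt.
    mode = "none" if forward is None else forward.get("mode", "nat")
    problems = []
    for ip in root.findall("ip"):
        mask = ip.get("netmask") or ip.get("prefix")
        if mask is None:
            continue  # nothing to check the range against
        host = ipaddress.ip_address(ip.get("address"))
        net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
        for rng in ip.findall("dhcp/range"):
            start = ipaddress.ip_address(rng.get("start"))
            end = ipaddress.ip_address(rng.get("end"))
            if start not in net or end not in net:
                problems.append(f"DHCP range {start}-{end} is outside {net}")
            if start <= host <= end:
                problems.append(f"DHCP range {start}-{end} includes host {host}")
    return {"name": root.findtext("name"), "forward_mode": mode,
            "isolated": mode == "none", "dhcp_problems": problems}


if __name__ == "__main__":
    for sample in (ISOLATED_XML, NAT_XML):
        print(audit_network(sample))
```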



