[libvirt] problem with nwfilter and ip6tables

Stefan Berger stefanb at linux.vnet.ibm.com
Mon Nov 21 16:07:40 UTC 2011


On 11/21/2011 08:46 AM, Reinier Schoof wrote:

Going back to the original email:

> Hi,
>
> I'm investigating using the nwfilter-functionality of libvirt to give 
> my clients the possibility to block ports of their VPSes. The same 
> mechanism allows me to restrict the outgoing traffic a VPS is 
> generating. In the end, I want to restrict MAC, IPv4 and IPv6 traffic, 
> while the client can also restrict traffic to UDP and TCP.
>
> All goes well, until I want to restrict the UDP/TCP traffic to certain 
> IPv6 addresses. Where iptables shows the IPv4-restriction I've put up, 
> ip6tables doesn't show anything. In the logs, I only see some 
> ip6tables -D, -X and -F commands failing, which is expected when 
> libvirt tries to delete/flush rules that were never there.
>
> I've built my nwfilter containing the following IPv6-rules, which I 
> for instance reference once for all the TCP-ports which should be open.
>
> <!-- Allow established traffic -->
> <filter name='ipv6-allow-statefull' chain='ipv6'>
> <rule action='accept' direction='in' priority='500'>
> <all state='ESTABLISHED'/>
> </rule>
> <rule action='accept' direction='out' priority='500'>
> <all state='ESTABLISHED,RELATED'/>
> </rule>
> </filter>
>
Replace with

<filter name='ipv6-allow-statefull' chain='root'>
<uuid>d7ca42fe-a2f5-6491-cdee-10d8a0956772</uuid>
<rule action='accept' direction='in' priority='100'>
<all-ipv6 state='ESTABLISHED'/>
</rule>
<rule action='accept' direction='out' priority='100'>
<all-ipv6 state='ESTABLISHED,RELATED'/>
</rule>
</filter>

> <!-- Allow TCP in $PORT -->
> <filter name='ipv6-allow-create-state-by-port' chain='ipv6'>
> <rule action='accept' direction='in' priority='500'>
> <tcp state='NEW' dstportstart='$PORT'/>
> </rule>
> <rule action='accept' direction='in' priority='500'>
> <udp state='NEW' dstportstart='$PORT'/>
> </rule>
> </filter>
>
Replace with

<filter name='ipv6-allow-create-state-by-port' chain='root'>
<uuid>ff97e825-712d-6b1a-c5d1-46fe635f9dd6</uuid>
<rule action='accept' direction='in' priority='500'>
<tcp-ipv6 state='NEW' dstportstart='$PORT'/>
</rule>
<rule action='accept' direction='in' priority='500'>
<udp-ipv6 state='NEW' dstportstart='$PORT'/>
</rule>
</filter>

> <!-- Allow IPv6 traffic from $RANGE -->
> <filter name='ipv6-allow-create-state-by-range' chain='ipv6'>
> <rule action='accept' direction='out' priority='500'>
> <ipv6 srcipaddr='$RANGE' srcipmask='64'/>
> </rule>
> </filter>
>
This probably should either be direction='in' or you may want to replace 
srcipaddr and srcipmask with dstipaddr and dstipmask.

Replace with

<filter name='ipv6-allow-create-state-by-range' chain='root'>
<uuid>6e738070-9505-730d-14e6-ee01a6eb5885</uuid>
<rule action='accept' direction='in' priority='500'>
<all-ipv6 srcipaddr='$RANGE' srcipmask='62'/>
</rule>
</filter>

You may want to add state='NEW' to the rule as well.

> <!-- Drop all other IPv6 traffic -->
> <filter name='ipv6-drop-stateless' chain='ipv6'>
> <rule action='drop' direction='inout' priority='999'>
> <all/>
> </rule>
> </filter>
>
Replace with

<filter name='ipv6-drop-stateless' chain='root'>
<uuid>4377aca7-18fb-b373-4462-4ee2ba3db7cd</uuid>
<rule action='drop' direction='inout' priority='999'>
<all-ipv6/>
</rule>
</filter>


You have to change the chain to 'root' and the protocol in the rules has 
to be tcp-ipv6, all-ipv6 etc. for ipv6 traffic. The reason is that most 
of these rules could be applied to either iptables or ip6tables  and the 
network filtering system needs some more 'hints' whether it is indeed an 
ipv6 rule so it create ip6tables commands versus iptables commands.

I hope this helps.

'ip6tables -L -n' here now shows:

Chain FI-vnet0 (1 references)
target     prot opt source               destination
RETURN     all      ::/0                 ::/0                state 
RELATED,ESTABLISHED
RETURN     all      ::/0                 ::/64               state 
ESTABLISHED ctdir ORIGINAL
DROP       all      ::/0                 ::/0

Chain FO-vnet0 (1 references)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0                state 
ESTABLISHED
ACCEPT     tcp      ::/0                 ::/0                tcp dpt:90 
state NEW
ACCEPT     udp      ::/0                 ::/0                udp dpt:90 
state NEW
ACCEPT     all      ::/64                ::/0                state 
NEW,ESTABLISHED ctdir REPLY
DROP       all      ::/0                 ::/0

Chain HI-vnet0 (1 references)
target     prot opt source               destination
RETURN     all      ::/0                 ::/0                state 
RELATED,ESTABLISHED
RETURN     all      ::/0                 ::/64               state 
ESTABLISHED ctdir ORIGINAL
DROP       all      ::/0                 ::/0



    Stefan

> I use a similar approach for my IPv4 firewall, and it works perfectly. 
> When I use these IPv6 rules, all IPv6 traffic is apparently dropped, 
> but it's hard to debug when the result of this config is abscent in 
> ip6tables.
>
> I'm using these version of software on debian 6.0 squeeze:
> virsh # version
> Compiled against library: libvir 0.9.2
> Using library: libvir 0.9.2
> Using API: QEMU 0.9.2
> Running hypervisor: QEMU 0.15.0
>
> Does anyone have any clues? Thanks in advance!
>
> Regards,
>
> Reinier Schoof
>




More information about the libvir-list mailing list