[libvirt-users] altering virtual network driver iptables behavior

Ryan Sumner rsumner at us.ibm.com
Fri Feb 18 05:49:10 UTC 2011


I need to modify the virtual network driver's behavior and how it deals 
with routed networks.  I'm running libvirt-0.8.3-2.fc14.

According to http://libvirt.org/firewall.html, the following is 
automatically added to the FORWARD chain of iptables when a network type 
of "routed" is started up:

"Allow inbound, but only to our expected subnet. Allow outbound, but only 
from our expected subnet. Allow traffic between guests. Deny all other 
inbound. Deny all other outbound. "

The part of this that I need to adjust is the fact that only IPs on my 
subnet will be allowed in and out.  I have IP addresses assigned to my 
guests that have static routes configured on the hypervisor to route to 
the local bridged interface.  I have to do this due to the way the 
surrounding routers and switches on the network are configured to handle 
public IP addresses and MAC address filtering.   Here is an example of my 
config where the public IP address on the guest machine is 1.1.2.2:

My network to do the routing mode:
<network>
  <name>local</name>
  <forward dev='eth0' mode='route'/>
  <bridge name='virbr_local' stp='on' delay='0' />
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>

The network portion of the domain:
    <interface type='network'>
      <mac address='xx:xx:xx:cc:xx:xx'/>
      <source network='local'/>
      <target dev='vnet0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' 
function='0x0'/>
    </interface>

And finally the static route configured on the hypervisor to get the 
routed traffic from eth0 on the hypervisor down to the virbr_local device:
# ip route add 1.1.2.2 dev virbr_local

This will set up the iptables filters just as the documentation defines, 
but the problem is that all traffic from the guest will get REJECTED by 
iptables due to the source and destination IP not falling within 
192.168.122.0/24. 

I've tried adding a custom filter into the network filter driver, but 
haven't had much luck. Here are some of the things that I've tried.

The custom network filter.   Notice that I'm using tcp, udp, and icmp 
specifically.  I'm doing this so it will force inclusion into the iptables 
filtering rules rather than ebtables. 
<filter name='my-static-ip' chain='root'>
  <rule action='accept' direction='out' priority='500'>
    <tcp srcipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <udp srcipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <icmp srcipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <udp dstipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <icmp dstipaddr='$MYIP'/>
  </rule>
</filter>

And the modifications made to the domain's network interface definition:
    <interface type='network'>
      <mac address='xx:xx:xx:xx'/>
      <source network='local'/>
      <target dev='vnet0'/>
      <filterref filter='my-static-ip'>
        <parameter name='MYIP' value='1.1.2.2'/>
      </filterref>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' 
function='0x0'/>
    </interface>

With the exception of simply manually adding iptables rules in place after 
I start the network using virsh, does anyone know how to accomplish what 
I'm trying to do? 

Ryan Sumner
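To make the rejection described in the post concrete, here is an added example (not part of the original message, and not libvirt code): a small first-match evaluator for iptables FORWARD rules. The rule lines are constructed to mirror the behaviour documented at http://libvirt.org/firewall.html for a routed network (bridge `virbr_local`, subnet 192.168.122.0/24, upstream `eth0`); they are an approximation, not copied from a real host. The packet samples, the external address 203.0.113.5, and the two explicit ACCEPT rules for 1.1.2.2 are all constructed for the example. It shows why traffic for the off-subnet address 1.1.2.2 hits the REJECT rules, and that rules placed ahead of libvirt's change the verdict.

```python
"""Added example: first-match evaluation of iptables FORWARD rules.

Shows why a guest using an address outside the libvirt subnet (1.1.2.2)
is rejected by the rules a routed network installs, and what an ACCEPT
rule inserted ahead of them changes. Rule lines are constructed to match
the documented behaviour, not copied from a real libvirt install.
"""
import ipaddress
import shlex

# Constructed sample in `iptables -S FORWARD` format for routed network
# 'local' (bridge virbr_local, subnet 192.168.122.0/24, upstream eth0).
LIBVIRT_ROUTED_RULES = """
-A FORWARD -d 192.168.122.0/24 -i eth0 -o virbr_local -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr_local -o eth0 -j ACCEPT
-A FORWARD -i virbr_local -o virbr_local -j ACCEPT
-A FORWARD -o virbr_local -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr_local -j REJECT --reject-with icmp-port-unreachable
""".strip().splitlines()


def parse_rule(line):
    """Turn one `-A CHAIN ...` line into match criteria plus a target."""
    tokens = shlex.split(line)
    rule = {"src": None, "dst": None, "in": None, "out": None, "target": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-s":
            rule["src"] = ipaddress.ip_network(tokens[i + 1], strict=False)
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(tokens[i + 1], strict=False)
        elif tok == "-i":
            rule["in"] = tokens[i + 1]
        elif tok == "-o":
            rule["out"] = tokens[i + 1]
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
        elif tok == "-A":
            pass  # chain name; this evaluator only models one chain
        else:
            i += 1  # skip options not modelled here (e.g. --reject-with)
            continue
        i += 2
    return rule


def matches(rule, packet):
    """True if every criterion the rule specifies matches the packet."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    if rule["src"] is not None and src not in rule["src"]:
        return False
    if rule["dst"] is not None and dst not in rule["dst"]:
        return False
    if rule["in"] is not None and rule["in"] != packet["in"]:
        return False
    if rule["out"] is not None and rule["out"] != packet["out"]:
        return False
    return True


def verdict(rule_lines, packet, policy="ACCEPT"):
    """First matching rule wins, as in the kernel; otherwise chain policy."""
    for line in rule_lines:
        rule = parse_rule(line)
        if matches(rule, packet):
            return rule["target"]
    return policy


# Constructed packets: a guest on the libvirt subnet, and the guest whose
# public address 1.1.2.2 is routed to virbr_local by a manual static route.
EXTERNAL = "203.0.113.5"
SUBNET_GUEST_OUT = {"src": "192.168.122.10", "dst": EXTERNAL, "in": "virbr_local", "out": "eth0"}
PUBLIC_GUEST_OUT = {"src": "1.1.2.2", "dst": EXTERNAL, "in": "virbr_local", "out": "eth0"}
PUBLIC_GUEST_IN = {"src": EXTERNAL, "dst": "1.1.2.2", "in": "eth0", "out": "virbr_local"}

# Hypothetical explicit rules for the public address, placed ahead of
# libvirt's rules (the manual iptables workaround mentioned in the post).
PUBLIC_IP_RULES = [
    "-A FORWARD -s 1.1.2.2/32 -i virbr_local -o eth0 -j ACCEPT",
    "-A FORWARD -d 1.1.2.2/32 -i eth0 -o virbr_local -j ACCEPT",
]


def evaluate_all():
    """Verdicts for each sample packet against the stock and patched rule sets."""
    patched = PUBLIC_IP_RULES + LIBVIRT_ROUTED_RULES
    return {
        "subnet_guest_out": verdict(LIBVIRT_ROUTED_RULES, SUBNET_GUEST_OUT),
        "public_guest_out": verdict(LIBVIRT_ROUTED_RULES, PUBLIC_GUEST_OUT),
        "public_guest_in": verdict(LIBVIRT_ROUTED_RULES, PUBLIC_GUEST_IN),
        "public_guest_out_patched": verdict(patched, PUBLIC_GUEST_OUT),
        "public_guest_in_patched": verdict(patched, PUBLIC_GUEST_IN),
    }


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result}")
```

On a real host the live rules can be listed with `iptables -S FORWARD` and fed to `verdict()` in place of the constructed sample; the point the evaluator makes is that the subnet-scoped ACCEPT rules never match 1.1.2.2, so the catch-all REJECT on `virbr_local` is the first match in both directions, and only a rule ordered before libvirt's changes that.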