[libvirt-users] NWFilter and IPv6

Guido Winkelmann guido-libvi at unknownsite.de
Tue Dec 4 15:22:17 UTC 2012


On Monday, 26 November 2012, 10:41:47, Laine Stump wrote:
> On 11/07/2012 03:22 AM, Guido Winkelmann wrote:
> > Hi,
> > 
> > Libvirt's nwfilter ships a number of useful filter scripts by default, but
> > none to handle IPv6 traffic. Is there a particular reason for that, or is
> > that just because nobody has got around to that yet?
> 
> Hi Guido! I just saw this message you sent to the list a couple weeks ago.
> 
> Stefan Berger can confirm, but I believe the answer is the latter -
> nobody has gotten around to it. I'm sure patches would be greatly
> appreciated :-)

Well, I have defined a few filters for my own use, mostly by copying the 
clean-traffic filter and making a few additions. They don't fully work yet, 
especially the part about filtering router advertisements. For some reason, 
nwfilter does not seem to actually do anything with the icmpv6 filter rules, 
at least ebtables -t nat -L does not show anything...

The filters are optimized for hosts with statically configured addresses. I 
haven't tested this with DHCP at all.

They look like this:

<!-- Root filter: libvirt's clean-traffic with the IPv6 filters defined below spliced in -->
<filter name='clean-traffic-with-v6' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-dhcp-server'/>
  <!-- IPv4 frames that passed the spoofing checks may leave the guest -->
  <rule action='accept' direction='out' priority='-650'>
    <mac protocolid='ipv4'/>
  </rule>
  <filterref filter='allow-incoming-ipv4'/>
  <filterref filter='no-ipv6-spoofing'/>
  <filterref filter='no-ipv6-router-advertisement'/>
  <filterref filter='no-dhcpv6-server'/>
  <!-- Same for IPv6 frames -->
  <rule action='accept' direction='out' priority='-600'>
    <mac protocolid='ipv6'/>
  </rule>
  <filterref filter='allow-incoming-ipv6'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>

<!-- The guest must not act as a DHCP server: UDP to the client port 68 is server-to-client traffic -->
<filter name='no-dhcp-server' chain='ipv4' priority='-701'>
  <rule action='drop' direction='out' priority='100'>
    <ip protocol='udp' dstportstart='68'/>
  </rule>
</filter>

<!-- Only the guest's configured address ($IPV6) may appear as an IPv6 source -->
<filter name='no-ipv6-spoofing' chain='ipv6' priority='-700'>
  <rule action='return' direction='out' priority='500'>
    <ipv6 srcipaddr='$IPV6'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'/>
</filter>

<!-- The guest must not announce itself as a router: ICMPv6 type 134 is Router Advertisement
     (RFC 4861), type 153 is Multicast Router Advertisement (RFC 4286) -->
<filter name='no-ipv6-router-advertisement' chain='root' priority='-690'>
  <rule action='drop' direction='out' priority='600'>
    <icmpv6 type='134'/>
  </rule>
  <rule action='drop' direction='out' priority='600'>
    <icmpv6 type='153'/>
  </rule>
</filter>

<!-- The guest must not act as a DHCPv6 server: UDP to the client port 546 is server-to-client
     traffic (RFC 3315) -->
<filter name='no-dhcpv6-server' chain='ipv6' priority='-680'>
  <rule action='drop' direction='out' priority='100'>
    <ipv6 protocol='udp' dstportstart='546'/>
  </rule>
</filter>

<!-- IPv6 counterpart of libvirt's allow-incoming-ipv4 -->
<filter name='allow-incoming-ipv6' chain='ipv6' priority='-680'>
  <rule action='accept' direction='in' priority='500'/>
</filter>

> > One interesting thing about dealing with IPv6 traffic is that hosts often
> > have several auto-configured addresses, usually at least one
> > auto-configured link-local address under fe80::/64 and one
> > auto-configured one from router advertisements. For writing filter
> > rules, it would be nice to have some function/notation to calculate those
> > auto-configured addresses for the user, so we can write something like
> > this:
> > 
> > <rule action='return' direction='out' priority='500'>
> >   <ipv6 srcipaddr='ipv6_autoconf($IPV6_PREFIX[@1], $IPV6_MASK[@1], $MAC)'/>
> > </rule>
> > <rule action='return' direction='out' priority='500'>
> >   <ipv6 srcipaddr='$IPV6'/>
> > </rule>
> > <rule action='drop' direction='out' priority='1000'/>
> > 
> > or maybe more like this:
> > 
> > <ipv6 mode='autoconf' field='srcipaddr' prefix='$IPV6_PREFIX[@1]'
> >       netmask='$IPV6_MASK[@1]' mac='$MAC'/>
> 
> There is similar functionality for IPv4, and it would be nice to have
> IPv6 variables that parallel those for IPv4. Again - patches welcome!

I don't quite understand, what similar functionality are you talking about? 
IPv4 does not have stateless autoconfiguration...

	Guido
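A worked version of the address calculation the message asks for, added here as an example; it is not part of libvirt and not one of the filters posted above. It derives the modified EUI-64 interface identifier (RFC 4291) from the guest's MAC, forms the link-local and per-prefix SLAAC addresses (RFC 4862), and renders a no-ipv6-spoofing filter with one return rule per expected source, the way a management script would before handing the XML to virsh nwfilter-define. nwfilter itself has no ipv6_autoconf function, so the concrete addresses stand in for the $IPV6 variable; the MAC 52:54:00:12:34:56 and the prefix 2001:db8:1:2::/64 are constructed test inputs.

```python
"""Derive a guest's SLAAC addresses from its MAC and render a matching
nwfilter 'no-ipv6-spoofing' filter.

Added example for the thread above; not libvirt code.  It does outside
nwfilter what the proposed ipv6_autoconf($IPV6_PREFIX, $IPV6_MASK, $MAC)
notation would do inside it.  Filter name, chain and priorities follow the
posted filter; concrete addresses replace the $IPV6 variable because
nwfilter has no autoconf function (assumption: a management script defines
the filter per guest, e.g. with 'virsh nwfilter-define').
"""
import ipaddress
import xml.etree.ElementTree as ET


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A).

    Invert the universal/local bit (0x02 in the first octet) and insert
    0xfffe between the OUI and the device-specific half of the MAC.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms by SLAAC (RFC 4862) from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address every SLAAC host derives from its MAC."""
    return slaac_address("fe80::/64", mac)


def autoconf_addresses(mac, prefixes):
    """Link-local address first, then one address per advertised /64 prefix."""
    return [link_local_address(mac)] + [slaac_address(p, mac) for p in prefixes]


def no_ipv6_spoofing_filter(mac, prefixes=(), static=(), allow_dad=True):
    """Render the filter: one 'return' rule per permitted source, then 'drop'.

    allow_dad also permits the unspecified address '::', which Duplicate
    Address Detection neighbour solicitations use as their source (RFC 4862);
    a guest whose '::' packets are dropped never finishes bringing an address up.
    """
    sources = autoconf_addresses(mac, prefixes)
    sources += [ipaddress.IPv6Address(s) for s in static]
    if allow_dad:
        sources.append(ipaddress.IPv6Address("::"))
    lines = ["<filter name='no-ipv6-spoofing' chain='ipv6' priority='-700'>"]
    for addr in sources:
        lines.append("  <rule action='return' direction='out' priority='500'>")
        lines.append(f"    <ipv6 srcipaddr='{addr}'/>")
        lines.append("  </rule>")
    lines.append("  <rule action='drop' direction='out' priority='1000'/>")
    lines.append("</filter>")
    return "\n".join(lines)


def rule_actions(filter_xml: str) -> list:
    """Parse the rendered filter and list its rule actions (well-formedness check)."""
    return [rule.get("action") for rule in ET.fromstring(filter_xml).iter("rule")]


if __name__ == "__main__":
    # Constructed inputs: a QEMU-style MAC and the RFC 3849 documentation prefix.
    mac = "52:54:00:12:34:56"
    prefixes = ["2001:db8:1:2::/64"]
    for addr in autoconf_addresses(mac, prefixes):
        print("expected source:", addr)
    print(no_ipv6_spoofing_filter(mac, prefixes, static=["2001:db8:1:2::10"]))
```

Two caveats before relying on a MAC-derived allowlist. Guests that enable RFC 4941 privacy extensions pick random interface identifiers, so their temporary addresses will not match any rule this script emits and their traffic is dropped unless the extensions are turned off in the guest. And libvirt implements the icmpv6 element (like the other layer-3 and layer-4 IPv6 protocols) with ip6tables rather than ebtables, which only carries the mac, arp and ipv6 elements, so ip6tables -L -n -v is where to check whether the router-advertisement rules were installed.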
