[libvirt-users] Lack of ebtables rules when using nwfilters

Maciej Gałkiewicz maciejgalkiewicz at ragnarson.com
Tue Apr 23 13:25:35 UTC 2013 

Hi

I am using libvirt (0.9.12) with openstack and xen. It looks like libvirt
is not creating ebtables rules against arp spoofing etc. Here are my
configs:

VM definition:
<domain type='xen'>
    <uuid>d49b777f-32f1-4093-ae47-a12efd0efd2c</uuid>
    <name>instance-00000168</name>
    <memory>2097152</memory>
    <os>
            <type>linux</type>
            <root>/dev/xvda</root>

<kernel>/var/lib/nova/instances/instance-00000168/kernel</kernel>
                <cmdline>ro</cmdline>

<initrd>/var/lib/nova/instances/instance-00000168/ramdisk</initrd>
    </os>
    <features>
        <acpi/>
    </features>
    <vcpu>2</vcpu>
    <devices>
        <disk type='file' device='disk'>
            <driver type='raw' cache='none'/>
            <source file='/var/lib/nova/instances/instance-00000168/disk'/>
            <target dev='sda' bus='scsi'/>
        </disk>
            <disk type='file'>
                <driver type='raw' cache='none'/>
                <source
file='/var/lib/nova/instances/instance-00000168/disk.swap'/>
                <target dev='sdb' bus='scsi'/>
            </disk>

        <interface type='bridge'>
            <source bridge='br0'/>
            <mac address='fa:16:3e:1e:70:87'/>
            <filterref
filter="nova-instance-instance-00000168-fa163e1e7087">
                <parameter name="IP" value="10.255.0.114" />
                <parameter name="DHCPSERVER" value="10.255.0.3" />
            </filterref>
        </interface>


        <console type='pty'/>


        <graphics type='vnc' port='-1' autoport='yes' keymap='en-us'
listen='127.0.0.1'/>
    </devices>
</domain>

# virsh nwfilter-dumpxml nova-instance-instance-00000168-fa163e1e7087
<filter name='nova-instance-instance-00000168-fa163e1e7087' chain='root'>
  <uuid>b6475525-5901-aeab-4ed0-dc0d7b545aea</uuid>
  <filterref filter='nova-base'/>
</filter>

# virsh nwfilter-dumpxml nova-base
<filter name='nova-base' chain='root'>
  <uuid>197b7f7a-389c-bd6d-6b77-07b88d3d9138</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
</filter>

# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT
# ebtables  -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

logs:
2013-04-23 10:47:37.438+0000: 30155: debug : virNWFilterDefineXML:16099 :
conn=0x1331ff0, xmlDesc=<filter
name='nova-instance-instance-00000167-fa163e4faae5' chain='roo
t'><filterref filter='nova-base'/></filter>
2013-04-23 10:47:37.544+0000: 30155: debug : virNWFilterFree:15971 :
nwfilter=0x7f18400bc2b0
2013-04-23 10:47:37.544+0000: 30155: debug : virUnrefNWFilter:1262 : unref
nwfilter 0x7f18400bc2b0 nova-instance-instance-00000167-fa163e4faae5 1
2013-04-23 10:47:37.544+0000: 30155: debug : virReleaseNWFilter:1222 :
release nwfilter 0x7f18400bc2b0
nova-instance-instance-00000167-fa163e4faae5 875ff1e5-fc4d-2fca-9
da2-f163f273ad6a
2013-04-23 10:47:37.544+0000: 30155: debug : virReleaseNWFilter:1229 :
unref connection 0x1331ff0 2

regards
Maciej Gałkiewicz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20130423/5a00b105/attachment.htm>

More information about the libvirt-users mailing list