[libvirt-users] How to handle IP-based Networkfilters

Sven Schwedas sven.schwedas at tao.at
Fri Jul 19 07:42:59 UTC 2013


Hello,

You might want to read up on this:
https://www.redhat.com/archives/libvirt-users/2013-July/msg00087.html

On 19.07.2013 09:29, Matthias Babisch wrote:
> Hello People.
> 
> We are currently exploring the possibility to use libvirt and kvm/qemu
> for production purposes. The general stability seems good enough and the
> performance is great. There are some issues we do not understand here
> yet. For security reasons we are considering the extensive use of
> network filters for virtual machines. But we found some simple scheme for
> a test server not to be working as we expected. It might well be that we
> misunderstand something here, so I am hoping someone could point out to
> us where either we or perhaps libvirt failed in this example.
> 
> We are using an Ubuntu 13.04 server running the provided
> "1.0.2-0ubuntu11.13.04.2" libvirt-bin on the amd64 architecture.
> 
> The type of VM should not be relevant for this problem. It's a
> Linux-based XMPP server which uses ucarp.
> I reduced the filter file used just so I could prove my point. It contains:
> <filter name='linux-based-xmpp-server' chain='root'>
>   <uuid>fb539996-eed5-11e2-8bd3-00e081e0f040</uuid>
>   <rule action='accept' direction='in' priority='999'>
>     <tcp state='NEW' dstportstart='5222'/>
>   </rule>
>   <rule action='accept' direction='in' priority='999'>
>     <tcp state='NEW' dstportstart='5269'/>
>   </rule>
>   <rule action='accept' direction='inout' priority='999'>
>     <ip dstipaddr='224.0.0.18' proto='112'/>
>   </rule>
>   <rule action='reject' direction='inout' priority='999'>
>     <all/>
>   </rule>
> </filter>
> 
> Practically it should allow incoming TCP traffic on ports 5222 and 5269,
> and incoming and outgoing traffic for IP protocol 112 to destination IP
> 224.0.0.18 (VRRP used by ucarp). All other traffic should be rejected.
> There is only one VM on the system and the VM has this ruleset attached.
> 
> Note: It is clear to me that this example won't work as a real-world
> example, because packets of the state ESTABLISHED,RELATED are not
> allowed through the firewall. I removed these rules because they were
> in a filter file I referenced.
> 
> After reloading libvirt-bin I do get part of the rules I would
> expect in iptables:
> 
> Chain FI-vnet0 (1 references)
> target     prot opt source               destination
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> 
> Chain FO-vnet0 (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5222 state NEW
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5269 state NEW
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> 
> Chain HI-vnet0 (1 references)
> target     prot opt source               destination
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> 
> What is missing is any reference to the rule for ucarp (protocol 112).
> 
> Please note, though, that removing the protocol and just allowing any IP
> traffic to 224.0.0.18 as a rule does not appear in iptables either.
> 
> Am I misunderstanding anything here? Is there a bug in libvirt? How do
> you interpret this?
> Do you know of any other way to achieve the simple ruleset intended?
> 
> I am hoping to get more information from this list. If you are replying,
> please cc me (matthias.babisch at bmiag.de), because I receive this list as
> a digest.
> 
> Sincerely
> 
> Matthias Babisch
> IT/Organisation
> 
> *b+m Informatik AG*
> Rotenhofer Weg 20
> 24109 Melsdorf
> 
> T +49 4340/404-1444
> F +49 4340/404-111
> M +49 160/8866426
> matthias.babisch at bmiag.de
> 
> Current information at www.bmiag.de
> b+m Informatik AG is a company of the Allgeier Group
> (http://www.allgeier-holding.de)
> 
> Chairman of the Supervisory Board: Dr. Marcus Goedsche
> Board of Management: Dipl-Ing. Frank Mielke
> Kiel District Court, HRB 5526
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven SCHWEDAS
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
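As an added example that is not part of this thread: a small Python script that predicts, for each rule of the filter quoted above, whether libvirt will program it with ebtables or with iptables and into which FI/FO/HI chain, so you know where to look before concluding a rule is missing. It assumes the protocol split given in the libvirt nwfilter documentation (mac, vlan, stp, arp, rarp, ip, ipv6 go to ebtables; tcp, udp, icmp, all and friends go to iptables) and a chain-to-direction mapping inferred from the iptables listing in the question.

```python
import xml.etree.ElementTree as ET

# Protocol elements that libvirt's nwfilter programs via ebtables (layer 2) versus
# iptables (layer 3), per the nwfilter docs; hence an <ip> rule never shows in `iptables -L`.
EBTABLES_PROTOCOLS = {"mac", "vlan", "stp", "arp", "rarp", "ip", "ipv6"}
IPTABLES_PROTOCOLS = {"tcp", "udp", "sctp", "icmp", "igmp", "esp", "ah", "udplite",
                      "all", "tcp-ipv6", "udp-ipv6", "sctp-ipv6", "icmpv6",
                      "esp-ipv6", "ah-ipv6", "udplite-ipv6", "all-ipv6"}
# Assumption, inferred from the chains shown in the question: direction 'in' (towards
# the VM) lands in FO-<ifname>, 'out' (from the VM) in FI-/HI-<ifname>, 'inout' in all.
IPTABLES_CHAINS = {"in": ["FO"], "out": ["FI", "HI"], "inout": ["FI", "FO", "HI"]}

# Constructed copy of the filter from the question (uuid omitted).
FILTER_XML = """
<filter name='linux-based-xmpp-server' chain='root'>
  <rule action='accept' direction='in' priority='999'>
    <tcp state='NEW' dstportstart='5222'/>
  </rule>
  <rule action='accept' direction='in' priority='999'>
    <tcp state='NEW' dstportstart='5269'/>
  </rule>
  <rule action='accept' direction='inout' priority='999'>
    <ip dstipaddr='224.0.0.18' proto='112'/>
  </rule>
  <rule action='reject' direction='inout' priority='999'>
    <all/>
  </rule>
</filter>
"""

def classify_rules(filter_xml, ifname="vnet0"):
    """Return, per rule, the backend and chains libvirt will program it into."""
    result = []
    for rule in ET.fromstring(filter_xml).findall("rule"):
        direction = rule.get("direction", "inout")
        for match in rule:  # each rule carries one protocol element
            if match.tag not in EBTABLES_PROTOCOLS | IPTABLES_PROTOCOLS:
                raise ValueError(f"unknown protocol element <{match.tag}>")
            layer2 = match.tag in EBTABLES_PROTOCOLS
            # ebtables rules live under `ebtables -t nat -L`, not in FI/FO/HI chains
            chains = [] if layer2 else [f"{c}-{ifname}" for c in IPTABLES_CHAINS[direction]]
            result.append({"action": rule.get("action"), "direction": direction,
                           "protocol": match.tag,
                           "backend": "ebtables" if layer2 else "iptables",
                           "chains": chains})
    return result

def invisible_to_iptables(rules):
    """Protocols an `iptables -L` check alone would miss (the ucarp case here)."""
    return [r["protocol"] for r in rules if r["backend"] == "ebtables"]
```

Running `classify_rules(FILTER_XML)` flags the protocol-112 rule as an ebtables rule, which is why it is absent from FI/FO/HI while the tcp and all rules appear exactly where the question's listing shows them.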
