[libvirt-users] Networkfilters in Routed setup

Laine Stump laine at laine.org
Tue Feb 18 10:03:05 UTC 2014


On 02/14/2014 08:40 PM, h0rst wrote:
> Hello!
>
> Since I could not find any information on the internet about this subject, I'm going to try my luck on this list.
>
> I'm trying to setup network-filter on a routed setup. I have a root-server at Hetzner, a german hosting provider.
> Along with my server i ordered a (/28) subnet to be able to setup dedicated IPs for my virtual machines (KVM).
> My server is running Ubuntu 12.04 with libvirt 0.9.8. Since Hetzner does not allow any bridged traffic, 

You *really* should upgrade to a newer libvirt.


> Without using Network-Filters, this setup is running as expected. All traffic is correctly forwarded to my virtual
> machines connected to "route-br0" and the following iptables-rules are created in the FORWARD Chain:
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> target     prot opt in     out     source               destination
> ACCEPT     all  --  eth0   route-br0  0.0.0.0/0            1.2.3.64/28
> ACCEPT     all  --  route-br0 eth0    1.2.3.64/28        0.0.0.0/0
> ACCEPT     all  --  route-br0 route-br0  0.0.0.0/0            0.0.0.0/0
> REJECT     all  --  *      route-br0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> REJECT     all  --  route-br0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Those previous two rules are the ones added when you specify a forward
dev. You don't need to do that - I would recommend removing the
"dev='eth0'" from the <forward> element of the network, along with the
"<interface dev='eth0'/>" subelement. This won't change operation at
all, it will just make things slightly less confusing and misleading.

>
> When I try to setup a network-filter for a VM (a modified version of http://libvirt.org/formatnwfilter.html last example):
>
> <filter name='server-x' chain='root'>
>   <filterref filter='clean-traffic'/>
>   <rule action='accept' direction='in' priority='500'>
>     <all state='ESTABLISHED'/>
>   </rule>
>   <rule action='accept' direction='out' priority='500'>
>     <all state='ESTABLISHED,RELATED'/>
>   </rule>
>   <rule action='accept' direction='in' priority='500'>
>     <tcp state='NEW' dstportstart='22'/>
>   </rule>
>   <rule action='accept' direction='out' priority='500'>
>     <all state='NEW'/>
>   </rule>
>   <rule action='drop' direction='inout' priority='500'>
>     <all/>
>   </rule>
> </filter>
>
> and adding the filter to my interface-definition of a VM using the following syntax:
>
> <filterref filter='server-x'>
>   <parameter name='IP' value='1.2.3.70'/>
> </filterref>
>
> additional iptables rules are getting created. The problematic rule seems to be the following:
>
> -A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
>
> which should trigger the following rules:
>
> -A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
> -A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> But this actually never happens. The FO-vnetX Chain never sees any packets and my syslog says:
>
> xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore

That somehow sounded familiar, so I looked it up in the git history and
found this:

http://libvirt.org/git/?p=libvirt.git;a=commit;h=65fb9d49cc9caae210977934b53d87e56429407b

That patch was included in libvirt-1.0.2, just about a year ago.

>
> Am I doing something wrong? 

You need to upgrade your libvirt to at least 1.0.2 (preferably newer).
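The kernel message quoted above comes from the xt_physdev match's load-time check: a rule using --physdev-out that can be reached from the OUTPUT, FORWARD or POSTROUTING hooks is only accepted when it also carries a positive --physdev-is-bridged, otherwise the kernel logs that warning and the match never fires, which is why FO-vnetX stays empty. The following script is an added example, not code from this thread or from libvirt; it audits `iptables-save` output for exactly that condition, following -j/-g jumps so that rules in user chains such as libvirt-out are checked against the builtin hooks that reach them, the way the kernel computes the hook mask. The sample rule set is constructed for the example, modelled on the rules the original post shows; the vnetY rule with --physdev-is-bridged is an assumed "good" counterpart.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables-save` output, modelled on the chains and
# rules the original post shows for an nwfilter on a routed (non-bridged)
# libvirt network. The vnetY rule is an assumed, correctly-formed variant.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:libvirt-in - [0:0]
:libvirt-out - [0:0]
:FI-vnetX - [0:0]
:FO-vnetX - [0:0]
:FO-vnetY - [0:0]
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A libvirt-in -m physdev --physdev-in vnetX -g FI-vnetX
-A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
-A libvirt-out -m physdev --physdev-out vnetY --physdev-is-bridged -g FO-vnetY
-A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
"""

# Builtin chains whose hooks the kernel refuses for a bare --physdev-out match
# (xt_physdev: "using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
# chains for non-bridged traffic is not supported anymore").
RESTRICTED_HOOKS = {"OUTPUT", "FORWARD", "POSTROUTING"}
BUILTIN_CHAINS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}


def parse_iptables_save(text):
    """Return {table: {chain: [rule_tokens, ...]}} from iptables-save text."""
    tables = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":"):
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            tokens = line.split()
            tables[table].setdefault(tokens[1], []).append(tokens)
    return tables


def jump_targets(tokens):
    """Chain names a rule can transfer control to via -j/-g."""
    return [tokens[i + 1] for i, tok in enumerate(tokens[:-1])
            if tok in ("-j", "-g", "--jump", "--goto")]


def reaching_hooks(chains):
    """Map each chain to the set of builtin chains whose traffic can reach it.

    Mirrors the hook mask the kernel derives when validating a match: a rule
    in a user-defined chain is checked against every builtin hook that jumps
    (directly or transitively) into that chain.
    """
    hooks = defaultdict(set)
    stack = [c for c in chains if c in BUILTIN_CHAINS]
    for c in stack:
        hooks[c].add(c)
    while stack:
        chain = stack.pop()
        for rule in chains.get(chain, []):
            for target in jump_targets(rule):
                # Only propagate into real chains, not verdicts like ACCEPT.
                if target in chains and not hooks[chain] <= hooks[target]:
                    hooks[target] |= hooks[chain]
                    stack.append(target)
    return hooks


def uses_unbridged_physdev_out(tokens):
    """True if the rule matches --physdev-out without a positive --physdev-is-bridged.

    A negated "! --physdev-is-bridged" does not satisfy the kernel either.
    """
    if "--physdev-out" not in tokens:
        return False
    for i, tok in enumerate(tokens):
        if tok == "--physdev-is-bridged" and (i == 0 or tokens[i - 1] != "!"):
            return False
    return True


def find_unsupported_physdev_rules(text):
    """Return (table, chain, rule) triples the kernel will warn about and never match."""
    findings = []
    for table, chains in parse_iptables_save(text).items():
        hooks = reaching_hooks(chains)
        for chain, rules in chains.items():
            if not hooks[chain] & RESTRICTED_HOOKS:
                continue
            for rule in rules:
                if uses_unbridged_physdev_out(rule):
                    findings.append((table, chain, " ".join(rule)))
    return findings


if __name__ == "__main__":
    # On a real host: iptables-save | python3 this_script.py (read sys.stdin instead).
    for table, chain, rule in find_unsupported_physdev_rules(SAMPLE_IPTABLES_SAVE):
        print(f"[{table}] {chain}: {rule}")
```

Run against a live host with `iptables-save` piped in, the script points at the rule that fails the kernel's check (here the vnetX rule in libvirt-out, reached from FORWARD), while the vnetY rule passes because it carries --physdev-is-bridged. On a 0.9.8 host in a routed setup that is the rule to expect; an empty result after the upgrade confirms the generated rules are ones the kernel will actually evaluate.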



