[libvirt-users] Networkfilters in Routed setup

h0rst h0rst at localh0rst.de
Fri Feb 14 18:40:34 UTC 2014


Hello!

Since I could not find any information on the internet about this subject, I'm going to try my luck on this list.

I'm trying to set up network filters on a routed setup. I have a root server at Hetzner, a German hosting provider.
Along with my server I ordered a (/28) subnet to be able to set up dedicated IPs for my virtual machines (KVM).
My server is running Ubuntu 12.04 with libvirt 0.9.8. Since Hetzner does not allow any bridged traffic, I had
to set up a routed network. Currently my (via libvirt) defined network looks like this
(let's assume my subnet is 1.2.3.64/28):

<network>
  <name>hetzner-subnet-v4</name>
  <forward dev='eth0' mode='route'>
    <interface dev='eth0'/>
  </forward>
  <bridge name='route-br0' stp='off' delay='0' />
  <mac address='52:54:00:F0:D0:AA'/>
  <ip address='1.2.3.65' netmask='255.255.255.240'></ip>
</network>

The network definition for all running VMs looks like this:

<interface type='network'>
  <mac address='52:54:00:00:00:##'/>
  <source network='hetzner-subnet-v4'/>
</interface>

Without using network filters, this setup is running as expected. All traffic is correctly forwarded to my virtual
machines connected to "route-br0", and the following iptables rules are created in the FORWARD chain:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
target     prot opt in     out     source               destination
ACCEPT     all  --  eth0   route-br0  0.0.0.0/0            1.2.3.64/28
ACCEPT     all  --  route-br0 eth0    1.2.3.64/28        0.0.0.0/0
ACCEPT     all  --  route-br0 route-br0  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  *      route-br0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  route-br0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

When I try to set up a network filter for a VM (a modified version of the last example at http://libvirt.org/formatnwfilter.html):

<filter name='server-x' chain='root'>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in' priority='500'>
    <all state='ESTABLISHED'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp state='NEW' dstportstart='22'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='NEW'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>

and adding the filter to my interface-definition of a VM using the following syntax:

<filterref filter='server-x'>
  <parameter name='IP' value='1.2.3.70'/>
</filterref>

additional iptables rules get created. The problematic rule seems to be the following:

-A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX

which should trigger the following rules:

-A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT

But this actually never happens. The FO-vnetX Chain never sees any packets and my syslog says:

xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore

Am I doing something wrong? I hope I did not write too much useless stuff here. I tried to figure it all out by
myself, but I'm currently stuck. Let's hope some wise guys can help me out here. Maybe there is some documentation I have missed?

Thanks!

kind regards,

Sebastian
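
As an added example (not part of the post, and not libvirt's own code), a small Python audit that reads iptables-save output and flags rules relying on --physdev-out (or --physdev-is-out) without --physdev-is-bridged in chains reached from OUTPUT, FORWARD or POSTROUTING, the situation the xt_physdev syslog line above describes. The sample rules are constructed from the ones in the post; the "-A FORWARD -j libvirt-out" jump and the vnet1 rule are assumptions.

```python
import re

# Constructed iptables-save sample modelled on the rules in the post. The
# "-A FORWARD -j libvirt-out" jump and the vnet1 rule are assumptions.
SAMPLE_RULES = """\
*filter
-A FORWARD -j libvirt-out
-A FORWARD -d 1.2.3.64/28 -i eth0 -o route-br0 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0
-A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet1 -g FO-vnet1
-A FO-vnet0 -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnet0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
"""

# Built-in chains named in the xt_physdev kernel warning quoted in the post.
UNSUPPORTED_HOOKS = {"OUTPUT", "FORWARD", "POSTROUTING"}
JUMP_RE = re.compile(r"(?:^|\s)-[jg]\s+(\S+)")  # -j/-g target of a rule

def parse_rules(text):
    """Return (chain, rule_body) pairs for every -A line of iptables-save output."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"-A\s+(\S+)\s+(.*)", line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules

def reachable_from(rules, hooks):
    """Chains reachable through -j/-g targets from the given built-in chains."""
    reach = set(hooks)
    changed = True
    while changed:  # iterate to a fixed point so nested user chains are found
        changed = False
        for chain, body in rules:
            m = JUMP_RE.search(body)
            if chain in reach and m and m.group(1) not in reach:
                reach.add(m.group(1))
                changed = True
    return reach

def find_unsupported_physdev_out(text):
    """Rules using --physdev-out/--physdev-is-out without --physdev-is-bridged in
    a chain traversed from OUTPUT/FORWARD/POSTROUTING: they never match routed
    (non-bridged) traffic, which is why FO-vnetX in the post sees no packets."""
    rules = parse_rules(text)
    reach = reachable_from(rules, UNSUPPORTED_HOOKS)
    return [f"-A {c} {b}" for c, b in rules
            if c in reach and "--physdev-is-bridged" not in b
            and ("--physdev-out" in b or "--physdev-is-out" in b)]
```

Feed it the real output of iptables-save to list the libvirt-generated rules that a routed network will never exercise.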
