[libvirt-users] Simple Networkfilter not working as expected.

Matthias Babisch matthias.babisch at bmiag.de
Thu Mar 6 09:39:23 UTC 2014


Hello People.

I have produced a very simple network filter that is not working as I would
expect. Perhaps one of you knows what I did wrong?

I made this little filter:
<filter name='my-test-no-ip-spoofing' priority='-700'>
  <rule action='drop' direction='out' priority='-999'>
    <all match='no' srcipaddr='$IP'/>
  </rule>
</filter>

I could attach it directly to a VM (and defined an IP address in the
network interface there). Then it produced iptables rules that look like
this:

Chain FI-vnetnn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      ! IP                  0.0.0.0/0

(This is the rule governing the input via the virtual device into the
bridge; this is as expected.)

Chain HI-vnetnn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      ! IP                  0.0.0.0/0

(This is the rule governing the input to the host; I would expect this too.)

Chain FO-vnetnn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      0.0.0.0/0             ! IP

This is the rule governing the output via the virtual device from the
bridge (i.e. packets coming from the network).
I specifically asked to filter outgoing traffic. This one I don't
understand. Perhaps somebody has a hint?

On the other hand this filter works as expected, no rule on "FO-vnetnn":
<filter name='my-no-mac-spoofing' priority='-800'>
  <rule action='drop' direction='out'>
    <all match='no' srcmacaddr='$MAC'/>
  </rule>
</filter>

I used libvirt with qemu on Ubuntu 13.10. (Version 1.1.1-0ubuntu8.5)

I am grateful for any helpful comments.

Sincerely

Matthias Babisch
IT/Organisation

*b+m Informatik AG*
Rotenhofer Weg 20
24109 Melsdorf

T +49 4340/404-1444
F +49 4340/404-111
M +49 160/8866426
matthias.babisch at bmiag.de

Current information at www.bmiag.de
b+m Informatik AG is a company of the Allgeier Group (http://www.allgeier-holding.de)

Chairman of the Supervisory Board: Dr. Marcus Goedsche
Management Board: Dipl-Ing. Frank Mielke
Kiel Local Court, HRB 5526
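As an added check (example code, not from the post or from libvirt), the script below parses the filter XML and an `iptables -nvL` listing and reports on which per-interface chains the drop actually landed. The listing is a constructed copy of the chains in the post, with `vnet0` in place of `vnetnn` and 192.0.2.10 as a placeholder for the guest address; the FO- check looks for the mirrored form the post shows, with the negated address in the destination column.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the filter from the post, unchanged.
FILTER_XML = """<filter name='my-test-no-ip-spoofing' priority='-700'>
  <rule action='drop' direction='out' priority='-999'>
    <all match='no' srcipaddr='$IP'/>
  </rule>
</filter>"""
# Constructed iptables -nvL sample modelled on the post's chains (vnet0 = vnetnn, 192.0.2.10 = "IP").
IPTABLES_NVL = """Chain FI-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      !192.0.2.10           0.0.0.0/0
Chain HI-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      !192.0.2.10           0.0.0.0/0
Chain FO-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      0.0.0.0/0            !192.0.2.10
"""
def parse_filter(xml_text):
    """Return (action, direction, negated, attribute, value) per nwfilter rule."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        for proto in rule:  # e.g. <all match='no' srcipaddr='$IP'/>
            attr = next(k for k in proto.attrib if k != "match")
            rules.append((rule.get("action"), rule.get("direction"),
                          proto.get("match") == "no", attr, proto.get(attr)))
    return rules

def parse_chains(listing):
    """Map chain name -> [(target, source, destination)] from iptables -nvL."""
    chains, current = {}, None
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+)", line)
        if head:
            current = chains.setdefault(head.group(1), [])
            continue
        cols = re.sub(r"!\s+", "!", line).split()  # "! 1.2.3.4" -> "!1.2.3.4"
        if current is not None and len(cols) >= 9 and cols[0].isdigit():
            current.append((cols[2], cols[7], cols[8]))  # target, src, dst
    return chains

def check_no_spoof(chains, vif, guest_ip):
    """FI-/HI- see frames leaving the guest; FO- sees frames towards it (mirrored rule)."""
    def has_drop(chain, col):
        return any(t == "DROP" and sd[col] == "!" + guest_ip
                   for t, *sd in chains.get(chain, []))
    return {"FI": has_drop("FI-" + vif, 0), "HI": has_drop("HI-" + vif, 0),
            "FO_reverse": has_drop("FO-" + vif, 1)}
```

Run against the real output of `iptables -nvL` with the interface's actual vnet name and address to confirm the anti-spoofing drop is present on FI-/HI- before relying on it.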
