[libvirt-users] nwfilter usage

Matt LaPlante cybrmatt at gmail.com
Mon May 26 17:35:58 UTC 2014


I'm trying to accomplish what I had hoped would be a fairly simple
filtering of traffic to my VMs, but I'm hitting a snag.  The VMs are
allowing traffic when I wouldn't expect them to.

Host and Guest are both running the same platform:
Ubuntu 12.04.4 LTS
0.9.8-2ubuntu17.19

I have a basic bridge enabled on the host:
brctl addbr brdg
brctl addif brdg eth1
ip link set brdg up

The host has iptables support:
root at host:~# lsmod | grep filt
ip6table_filter        12815  0
ip6_tables             27864  2 ip6table_filter,xt_TPROXY
iptable_filter         12810  1
ip_tables              27473  4
iptable_raw,iptable_nat,iptable_mangle,iptable_filter
x_tables               29891  52
ebt_arp,ebt_ip,ip6table_filter,ebtables,xt_time,xt_connlimit,xt_realm,xt_addrtype,iptable_raw,xt_comment,xt_recent,xt_policy,ipt_ULOG,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,xt_set,xt_TPROXY,ip6_tables,xt_tcpmss,xt_pkttype,xt_physdev,xt_owner,xt_NFQUEUE,xt_NFLOG,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_iprange,xt_helper,xt_hashlimit,xt_DSCP,xt_dscp,xt_dccp,xt_conntrack,xt_connmark,xt_CLASSIFY,xt_AUDIT,ipt_LOG,xt_tcpudp,xt_state,iptable_nat,iptable_mangle,iptable_filter,ip_tables

Guest network using bridge:
<interface type='bridge'>
  <mac address='00:11:22:33:44:55'/>
  <source bridge='brdg'/>
  <model type='virtio'/>
  <filterref filter='outbound-only'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

<filter name='outbound-only' chain='root'>
  <uuid>0c834381-402c-faf3-019f-eb5a40ea6b61</uuid>
  <filterref filter='allow-arp'/>
  <filterref filter='allow-dhcp'/>
  <filterref filter='qemu-announce-self'/>
  <filterref filter='no-other-l2-traffic'/>
</filter>

My goal is to allow the guest to reach the internet, but not allow the
internet or other guests to reach this guest.  I realize this config
is not sufficient for that, but I can't get any farther until I
understand the current behavior.  From the look of the config, this
should essentially not be allowing anything except arp and dhcp.  And
yet, the host has full connectivity.  I can run apt-get update on the
VM, I can ping the VM from other nodes in my network, etc.  It's
basically wide-open.  So either one of the included rules is not
working as advertised, or I'm misunderstanding some feature of the
filtering process.

Any pointers would be appreciated.  Thanks.
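The first thing to verify in a situation like this is whether libvirt actually instantiated the filter on the guest's tap device at all, independently of what the XML says. The script below is an added example (not part of the original post or of libvirt) that inspects an `ebtables -t nat -L` listing for the per-interface chains nwfilter creates (`libvirt-I-<tap>` and `libvirt-O-<tap>`, jumped to from PREROUTING and POSTROUTING) and reports what the chain's final rule is; the listing text and the tap name `vnet0` are constructed.

```shell
#!/bin/sh
# Constructed sample of what `ebtables -t nat -L` looks like when nwfilter
# has applied a drop-by-default filter to the tap device vnet0.
SAMPLE_EBTABLES='Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 2, policy: ACCEPT
-p ARP -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 2, policy: ACCEPT
-p ARP -j ACCEPT
-j DROP
'

# nwfilter_chains_present LISTING IFNAME
# Succeeds only if both per-interface chains exist and the base chains
# actually jump into them. If this fails, no filter is in force for the tap.
nwfilter_chains_present() {
    listing=$1; ifname=$2
    printf '%s\n' "$listing" | grep -q "^Bridge chain: libvirt-I-$ifname," || return 1
    printf '%s\n' "$listing" | grep -q "^Bridge chain: libvirt-O-$ifname," || return 1
    printf '%s\n' "$listing" | grep -q -- "-i $ifname -j libvirt-I-$ifname" || return 1
    printf '%s\n' "$listing" | grep -q -- "-o $ifname -j libvirt-O-$ifname" || return 1
    return 0
}

# nwfilter_chain_last_rule LISTING CHAIN
# Prints the last rule of CHAIN (empty if the chain is absent). A filter
# that is meant to block everything else should end in a bare "-j DROP";
# anything else means unmatched frames fall through to the ACCEPT policy.
nwfilter_chain_last_rule() {
    printf '%s\n' "$1" | awk -v chain="Bridge chain: $2," '
        index($0, chain) == 1 { inchain = 1; next }
        inchain && /^$/ { exit }
        inchain && NF { last = $0 }
        END { print last }'
}

# Live use on the host (tap name from `virsh domiflist <domain>`):
#   nwfilter_chains_present "$(ebtables -t nat -L)" vnet0 || echo "no filter on vnet0"
#   nwfilter_chain_last_rule "$(ebtables -t nat -L)" libvirt-I-vnet0
```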