
[libvirt-users] nwfilter usage

I'm trying to accomplish what I had hoped would be a fairly simple
filtering of traffic to my VMs, but I'm hitting a snag.  The VMs are
allowing traffic when I wouldn't expect them to.

Host and Guest are both running the same platform:
Ubuntu 12.04.4 LTS

I have a basic bridge enabled on the host:
brctl addbr brdg
brctl addif brdg eth1
ip link set brdg up

The host has iptables support:
root host:~# lsmod | grep filt
ip6table_filter        12815  0
ip6_tables             27864  2 ip6table_filter,xt_TPROXY
iptable_filter         12810  1
ip_tables              27473  4
x_tables               29891  52

Guest network using bridge:
<interface type='bridge'>
  <mac address='00:11:22:33:44:55'/>
  <source bridge='brdg'/>
  <model type='virtio'/>
  <filterref filter='outbound-only'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

<filter name='outbound-only' chain='root'>
  <filterref filter='allow-arp'/>
  <filterref filter='allow-dhcp'/>
  <filterref filter='qemu-announce-self'/>
  <filterref filter='no-other-l2-traffic'/>
</filter>

My goal is to allow the guest to reach the internet, but not allow the
internet or other guests to reach this guest.  I realize this config
is not sufficient for that, but I can't get any farther until I
understand the current behavior.  From the look of the config, this
should essentially not be allowing anything except arp and dhcp.  And
yet, the host has full connectivity.  I can run apt-get update on the
VM, I can ping the VM from other nodes in my network, etc.  It's
basically wide-open.  So either one of the included rules is not
working as advertised, or I'm misunderstanding some feature of the
filtering process.

Any pointers would be appreciated.  Thanks
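The post's question turns on whether the filter is applied but permissive, or was never installed on the host at all; the two look identical from inside the guest. The script below is an added diagnostic, not code from the original post and not part of libvirt, that checks the host for the chains libvirt's ebiptables driver creates per filtered interface (ebtables nat table: libvirt-I-<tap> and libvirt-O-<tap>; iptables filter table: FI-<tap>, FO-<tap>, HI-<tap>). It assumes the guest's tap device is vnet0 and ships with constructed ebtables/iptables listings so it runs offline; pass a real tap name as the first argument to run the live commands as root on the host.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): does libvirt's nwfilter
# driver have chains installed for a guest tap device on this host?
# Chain naming follows libvirt's ebiptables driver:
#   ebtables, table nat:    libvirt-I-<tap>, libvirt-O-<tap>
#   iptables, table filter: FI-<tap>, FO-<tap>, HI-<tap>
# No such chains means the filter was never applied, so the guest sits on
# the bridge unfiltered; that is a different failure from a filter that is
# applied but lets traffic through.

# ebtables_has_filter_chains LISTING TAP
# LISTING is the text of `ebtables -t nat -L`. Returns 0 when both
# per-interface libvirt chains exist for TAP, 1 otherwise.
ebtables_has_filter_chains() {
    listing=$1
    tap=$2
    printf '%s\n' "$listing" | grep -q "^Bridge chain: libvirt-I-$tap," || return 1
    printf '%s\n' "$listing" | grep -q "^Bridge chain: libvirt-O-$tap," || return 1
    return 0
}

# iptables_filter_chain_count LISTING TAP
# LISTING is the text of `iptables -S` (filter table). Prints how many of
# the per-interface chains FI-/FO-/HI-<tap> are defined (0 to 3).
iptables_filter_chain_count() {
    listing=$1
    tap=$2
    n=0
    for prefix in FI FO HI; do
        if printf '%s\n' "$listing" | grep -q "^-N $prefix-$tap\$"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# live_check TAP: run the real commands on a libvirt host (needs root and
# the ebtables binary, which the nwfilter driver itself depends on).
live_check() {
    tap=$1
    if ebtables_has_filter_chains "$(ebtables -t nat -L)" "$tap"; then
        echo "ebtables: libvirt chains present for $tap"
    else
        echo "ebtables: NO libvirt chains for $tap (filter not applied?)"
    fi
    echo "iptables: $(iptables_filter_chain_count "$(iptables -S)" "$tap")/3 per-interface chains for $tap"
    # Bridged frames only traverse iptables when br_netfilter hooks are on;
    # with this at 0, L3 rules from the filter cannot match bridged traffic.
    sysctl net.bridge.bridge-nf-call-iptables
}

# Constructed sample listings (not captured from the poster's host), for a
# filtered interface whose tap device is assumed to be vnet0.
SAMPLE_EBTABLES='Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 2, policy: ACCEPT
-p ARP -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 2, policy: ACCEPT
-p ARP -j ACCEPT
-j DROP'

SAMPLE_IPTABLES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FI-vnet0
-N FO-vnet0
-N HI-vnet0
-N libvirt-host-in
-N libvirt-in
-N libvirt-out
-N libvirt-in-post
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out'

if [ $# -gt 0 ]; then
    live_check "$1"
else
    if ebtables_has_filter_chains "$SAMPLE_EBTABLES" vnet0; then
        echo "sample: ebtables chains present for vnet0"
    fi
    echo "sample: $(iptables_filter_chain_count "$SAMPLE_IPTABLES" vnet0)/3 iptables chains for vnet0"
fi
```

On the host, get the tap name with `virsh domiflist <domain>` first; if the live check reports no libvirt chains for it, look at libvirtd's log and confirm the ebtables package is installed before reasoning about what the individual filters allow.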
