[libvirt-users] nwfilters seem fundamentally unusable or unfinished

J Mo jmomo at jmomo.net
Wed Dec 28 04:23:28 UTC 2016


I just spent the last four days working with nwfilters only to decide 
that they are apparently unusable. I've come to the mailing list seeking 
input on this subject.

First off, please forgive my offensiveness. I'm sure people worked hard 
on nwfilters and it looks like a lot of effort went into providing this 
functionality. This is also an extremely difficult subject to get right 
in the many possible use cases, so I'm very sympathetic to how difficult 
it would be to try and implement this. However, the existing system 
didn't work out for me, I've found a number of other people who are 
saying the same thing (it didn't work out for them), and I don't see any 
hope continuing down the path of trying to make it work.

For now, I've given up on nwfilters and I created a hook script that 
works with my existing iptables rules and applies network filter 
policies on specific VM/guests where needed.

If you are doing extensive VM network filtering in your environment, how 
did you do it?

I've listed a bunch of my gripes below. Please correct me if I've gotten 
anything wrong here. I'm new to nwfilters so maybe I overlooked 
something or I might just misunderstand the whole thing and could be 
totally wrong.

The first and primary problem that I have with nwfilters is that the 
documentation is poor. There is very little documentation which exists, 
and that which does exist seems like it was spat out just to fulfill 
business requirements that some documentation be produced, rather than 
an effort to create good usable documentation. I've run into large 
amounts of undocumented behavior and I don't feel like reading the 
source code any further to figure out what the intent of these tools was.

My second big issue, and a clue very few people actually use nwfilters 
in the wild, is the low quantity of examples and how-to docs I found 
while googling. Complex examples just don't seem to exist. Further, of 
those complex examples I did find, people were often going down the 
route of creating their own hook script programs to replace nwfilters, 
indicating that this isn't just me.


I discovered that nwfilters do not play well with existing system 
iptables/ebtables rules. There are some good examples on this regarding 
Red Hat's firewalld and how libvirt's nwfilters do not play well 
together if you google around a little. It seems like this was just not 
considered in scope, or the assumption was that the local host would not 
have any existing iptables/ebtables rules and that libvirt would have 
complete control over the hypervisor host. There is no documented means 
of controlling where libvirt inserts its rules into an existing set of 
rules, and libvirt creates numerous rules in both ebtables and iptables, 
making the problem even more complex.

nwfilter seems to have been designed with a bias towards 
user-networking. I am using bridged interfaces, and some features and 
virsh commands don't apply to this mode of operation.

I've been able to produce scenarios where nwfilter would abandon rules 
after changes had been made to running guests, and the only way I could 
get rid of them was manual intervention (iptables/ebtables -F -X).

There is no command/control to apply an existing nwfilter to a running 
guest, or to remove/clear the existing nwfilters on a running guest. 
This item is a huge indication that this isn't a production-ready 
feature set.

I think the worst problem I've run into, however, is that I was able to 
create very simple nwfilters that either broke networking of the 
hypervisor system (stopped all traffic), or failed to drop traffic which 
should have been dropped. I still don't understand why nwfilter is often 
creating rules in the ebtables "nat" table instead of the "filter" 
table, where they belong. That one right there is a huge WTF -- packets 
never get inspected because the rules are in the wrong table!

In general, I found the output iptables/ebtables rules that nwfilter 
generated often did not reflect the obvious intent of the rules that 
went into the nwfilter xml configuration. This abstraction layer 
produces unreliable and/or confusing results. I put a series of rules 
into a nwfilter xml file and the iptables/ebtables rules that I get out 
are insane. Nwfilter rules in = mystery meat out.

Priorities are a huge WTF that caused me a lot of grief. Are rules going 
to be assembled in iptables/ebtables in the order in which they are 
declared in XML? (This is undocumented.) If so, why do priorities exist? 
(Undocumented.) What is the default priority? Is it zero? (Undocumented.)

Want to create a filter rule that will log certain packets? Apparently 
there is no logging functionality at all. Can't be done. Anything beyond 
the most basic packet allow/drop (even reject was an afterthought) isn't 
supported by nwfilter rules.

Thanks for reading
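The hook-script approach the message mentions, as an added example that is not the poster's script (which does not appear on the page) and not part of libvirt: a hypothetical /etc/libvirt/hooks/qemu that keeps per-guest filtering in ordinary iptables chains next to the host's own rules, attaching a chain to FORWARD when a guest starts and removing it when the guest stops. The hook's calling convention (guest name, operation and sub-operation as arguments, domain XML on stdin) is libvirt's; the guest name `web01`, the policy in `guest_rules`, the `vm-` chain naming and matching the guest's tap device with `-m physdev` are assumptions of the example.

```shell
#!/bin/sh
# Hypothetical libvirt qemu hook, installed as /etc/libvirt/hooks/qemu.
# libvirt runs it as: qemu <guest_name> <operation> <sub-op> <extra>
# with the guest's domain XML on stdin. Only "started" and "stopped" are
# handled: a per-guest iptables chain is attached to FORWARD while the guest
# runs and removed when it stops, so the rules live next to the host's own
# iptables rules instead of being generated by nwfilter.
#
# Bridged guest traffic only reaches iptables FORWARD when br_netfilter is
# loaded and net.bridge.bridge-nf-call-iptables=1; otherwise ebtables would
# have to be used instead.

# Dry run for review or testing:
#   IPTABLES=echo ./qemu web01 started begin - < guest.xml
IPTABLES="${IPTABLES:-iptables}"

# iptables chain names are limited to 28 characters; derive a safe one from
# the guest name (anything outside [A-Za-z0-9_-] becomes '_').
guest_chain() {
    printf 'vm-%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9_-' '_' | cut -c1-28
}

# Per-guest policy for traffic going *to* the guest (assumed example policy):
# an explicit allow list followed by DROP. Guests without an entry get no chain.
guest_rules() {
    case "$1" in
        web01)
            echo "-p tcp --dport 80 -j ACCEPT"
            echo "-p tcp --dport 443 -j ACCEPT"
            echo "-p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT"
            echo "-m state --state ESTABLISHED,RELATED -j ACCEPT"
            echo "-j DROP"
            ;;
        *)
            return 1
            ;;
    esac
}

# Extract the guest's tap device (<target dev='vnetN'/>) from the domain XML
# on stdin. Disks also carry a <target dev=.../>, so only look inside
# <interface>; a guest with several NICs gets only its first one filtered here.
tap_from_xml() {
    sed -n "/<interface/,/<\/interface>/ s/.*<target dev='\([^']*\)'.*/\1/p" | head -n 1
}

apply_policy() {            # $1 = guest name, $2 = tap device
    chain=$(guest_chain "$1")
    rules=$(guest_rules "$1") || return 0        # no policy for this guest
    # Create the chain, or flush it if a previous run left it behind.
    $IPTABLES -N "$chain" 2>/dev/null || $IPTABLES -F "$chain"
    printf '%s\n' "$rules" | while read -r rule; do
        # $rule is intentionally unquoted: it is a list of iptables arguments.
        $IPTABLES -A "$chain" $rule
    done
    # Frames leaving the bridge towards this guest's tap go through the chain.
    $IPTABLES -I FORWARD -m physdev --physdev-out "$2" -j "$chain"
}

remove_policy() {           # $1 = guest name
    chain=$(guest_chain "$1")
    # Delete every FORWARD jump into the chain by listing the rules, so the
    # tap name does not need to be known any more, then drop the chain itself.
    $IPTABLES -S FORWARD | grep -- "-j $chain\$" | sed 's/^-A /-D /' |
    while read -r rule; do
        $IPTABLES $rule
    done
    # A chain that was never created (guest without a policy) is not an error.
    $IPTABLES -F "$chain" 2>/dev/null && $IPTABLES -X "$chain" 2>/dev/null || true
}

# Hook entry point; does nothing when run without libvirt's arguments.
if [ "$#" -ge 2 ]; then
    case "$2" in
        started) apply_policy "$1" "$(tap_from_xml)" ;;
        stopped) remove_policy "$1" ;;
    esac
fi
```

Running it with `IPTABLES=echo` prints the exact iptables commands that would be issued for a guest, which is the review step the message says nwfilter makes hard: the rules that reach the kernel are the ones written in `guest_rules`, in the order written, in the filter table. The example only filters traffic towards the guest (`--physdev-out`); restricting what a guest may send would need a second chain jumped to with `--physdev-in`, and logging is a plain `-j LOG` rule in the same chain.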
