[libvirt-users] Network filters with clean-traffic not working on Debian Stretch

Yalan Zhang yalzhang at redhat.com
Sat Dec 29 05:51:16 UTC 2018


Hi Sam,

You can find the rules with the command below; the output looks like this:
# ebtables -t nat --list
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-j OUTPUT_direct

Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
-j POSTROUTING_direct
-o vnet0 -j libvirt-O-vnet0

Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN

Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN

Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4-ip
-p IPv4 -j ACCEPT
-p ARP -j I-vnet0-arp-mac
-p ARP -j I-vnet0-arp-ip
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j ACCEPT
-p 0x8035 -j O-vnet0-rarp
-j DROP

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP

Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
-j ACCEPT

Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 172.16.1.2 -j RETURN
-j DROP

Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -s 52:54:0:3a:40:b7 -d Broadcast --arp-op Request_Reverse
--arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7
--arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
-j DROP

Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
--arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst
52:54:0:3a:40:b7 -j ACCEPT
-j DROP

For an interface configured as:
    <interface type='bridge'>
      <mac address='52:54:00:3a:40:b7'/>
      <source bridge='br0'/>
      <target dev='vnet0'/>
      <model type='rtl8139'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='172.16.1.2'/>
      </filterref>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>



-------
Best Regards,
Yalan Zhang
IRC: yalzhang


On Wed, Dec 26, 2018 at 12:28 AM fatal <fatal at mailbox.org> wrote:

> Hello,
>
> I recently stumbled over the libvirt network filter capabilities and
> got pretty excited. Unfortunately I'm not able to get the
> "clean-traffic" filterset working. I'm using a freshly installed Debian
> Stretch with libvirt, qemu and KVM.
>
> My config snippet looks as follows:
>
> sudo virsh edit <VM>
>
> [...]
> <interface type='bridge'>
>   <mac address='52:54:00:0c:14:07'/>
>   <source bridge='br0'/>
>   <model type='virtio'/>
>   <filterref filter='clean-traffic'>
>     <parameter name='IP' value='10.10.1.2'/>
>    </filterref>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
> </interface>
> <interface type='bridge'>
>   <mac address='52:54:00:0c:24:17'/>
>   <source bridge='br1'/>
>   <model type='virtio'/>
>   <filterref filter='clean-traffic'>
>     <parameter name='IP' value='172.16.1.2'/>
>    </filterref>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
> </interface>
> [...]
>
> I restarted the VM from within the VM, did a "virsh reboot <VM>",
> restarted libvirtd and even did a reboot of the host - just to be sure.
> Unfortunately neither "iptables -L" nor "ebtables --list" show any
> entries added by libvirt. Also omitting the "parameter name='IP'" part
> didn't change anything.
>
> There are no error messages in /var/log/syslog nor in
> /var/log/libvirt/qemu/<VM>
>
> My main references were:
>
> https://libvirt.org/firewall.html
> https://libvirt.org/formatnwfilter.html
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering
>
> https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/
>
> Any help really would be much appreciated!
>
> Thanks a lot!
>
> Sam
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users at redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
>
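To check a listing like the one in the reply above against the domain XML automatically, here is an added example (not code from the thread or from libvirt): it parses `ebtables -t nat --list` output and verifies that the inbound MAC and IP lockdown chains clean-traffic installs for a given vnet device exist, allow only the configured values, and end in DROP. The sample listing is constructed from the rules quoted above; note that ebtables prints the MAC with leading zeros stripped, so the check normalises both forms before comparing.

```python
import re
# Constructed sample: excerpt of `ebtables -t nat --list` for vnet0 with clean-traffic.
SAMPLE_EBTABLES = """\
Bridge table: nat
Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP
"""

def parse_chains(listing):
    """Map each 'Bridge chain: NAME' header to the rule lines under it."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Bridge chain: (\S+),", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip():
            chains[current].append(line.strip())
    return chains

def norm_mac(mac):
    """Canonical 2-digit form: ebtables prints 52:54:0:3a:40:b7 for 52:54:00:3a:40:b7."""
    return ":".join(f"{int(b, 16):02x}" for b in mac.split(":"))

def return_values(rules, pattern):
    """Values captured by `pattern` from a chain's RETURN (allow) rules."""
    return [m.group(1) for r in rules for m in [re.match(pattern, r)] if m]

def check_clean_traffic(listing, vnet, mac, ip):
    """Each check must be True for the guest to be locked to its MAC and IP."""
    chains = parse_chains(listing)
    mac_chain = chains.get(f"I-{vnet}-mac", [])
    ip_chain = chains.get(f"I-{vnet}-ipv4-ip", [])
    macs = [norm_mac(v) for v in return_values(mac_chain, r"-s (\S+) -j RETURN$")]
    ips = return_values(ip_chain, r"-p IPv4 --ip-src (\S+) -j RETURN$")  # DHCP 0.0.0.0 rule excluded
    return {
        "hooked": f"-i {vnet} -j libvirt-I-{vnet}" in chains.get("PREROUTING", []),
        "mac_locked": macs == [norm_mac(mac)] and mac_chain[-1:] == ["-j DROP"],
        "ip_locked": ips == [ip] and ip_chain[-1:] == ["-j DROP"],
    }
```

On a real host, feed it the output of `ebtables -t nat --list` and the MAC/IP from `virsh dumpxml`; a result with any False value means the filter is not applied as expected, which is exactly the symptom Sam reports when no libvirt rules show up at all.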