[libvirt-users] Network filters with clean-traffic not working on Debian Stretch

fatal fatal at mailbox.org
Sat Dec 29 10:51:47 UTC 2018


Dear Yalan,

that did the trick. If I look in the NAT table of the bridge I can see
the generated rules. Probably wouldn't have thought about that ever.

Thanks a lot!

Best

Sam


On 29.12.18 06:51, Yalan Zhang wrote:
> Hi Sam,
> 
> You can find the rules with the command below, and they look like this:
> # ebtables -t nat --list
> Bridge table: nat
> 
> Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
> -j PREROUTING_direct
> -i vnet0 -j libvirt-I-vnet0
> 
> Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
> -j OUTPUT_direct
> 
> Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
> -j POSTROUTING_direct
> -o vnet0 -j libvirt-O-vnet0
> 
> Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN
> 
> Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN
> 
> Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN
> 
> Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
> -j I-vnet0-mac
> -p IPv4 -j I-vnet0-ipv4-ip
> -p IPv4 -j ACCEPT
> -p ARP -j I-vnet0-arp-mac
> -p ARP -j I-vnet0-arp-ip
> -p ARP -j ACCEPT
> -p 0x8035 -j I-vnet0-rarp
> -p 0x835 -j ACCEPT
> -j DROP
> 
> Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
> -p IPv4 -j O-vnet0-ipv4
> -p ARP -j ACCEPT
> -p 0x8035 -j O-vnet0-rarp
> -j DROP
> 
> Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
> -s 52:54:0:3a:40:b7 -j RETURN
> -j DROP
> 
> Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
> -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
> -p IPv4 --ip-src 172.16.1.2 -j RETURN
> -j DROP
> 
> Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
> -j ACCEPT
> 
> Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
> -p ARP --arp-mac-src 52:54:0:3a:40:b7 -j RETURN
> -j DROP
> 
> Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
> -p ARP --arp-ip-src 172.16.1.2 -j RETURN
> -j DROP
> 
> Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
> -p 0x8035 -s 52:54:0:3a:40:b7 -d Broadcast --arp-op Request_Reverse
> --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7
> --arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
> -j DROP
> 
> Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
> -p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
> --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst
> 52:54:0:3a:40:b7 -j ACCEPT
> -j DROP
> 
> For an interface set as:
>     <interface type='bridge'>
>       <mac address='52:54:00:3a:40:b7'/>
>       <source bridge='br0'/>
>       <target dev='vnet0'/>
>       <model type='rtl8139'/>
>       <filterref filter='clean-traffic'>
>         <parameter name='IP' value='172.16.1.2'/>
>       </filterref>
>       <alias name='net0'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
>     </interface>
> 
> 
> 
> -------
> Best Regards,
> Yalan Zhang
> IRC: yalzhang
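As an added check, not part of the thread, the script below verifies that the ebtables chains Yalan lists actually pin the interface to the MAC and IP given in its libvirt definition, which is what clean-traffic is there for. It assumes the `ebtables -t nat --list` output has been captured to a string (the samples are trimmed copies of the thread's data), and it handles the detail that ebtables prints MAC octets without leading zeros.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the thread's <interface> definition, trimmed to what is checked.
INTERFACE_XML = """<interface type='bridge'><mac address='52:54:00:3a:40:b7'/><target dev='vnet0'/>
<filterref filter='clean-traffic'><parameter name='IP' value='172.16.1.2'/></filterref></interface>"""
# Constructed sample: 'ebtables -t nat --list' output from the thread, trimmed.
EBTABLES_NAT = """Bridge table: nat
Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0
Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP
Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP
Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 172.16.1.2 -j RETURN
-j DROP
"""

def parse_chains(listing):  # map each 'Bridge chain:' name to its rule lines
    chains, cur = {}, None
    for line in listing.splitlines():
        m = re.match(r"Bridge chain: (\S+),", line)
        if m:
            cur = m.group(1)
            chains[cur] = []
        elif cur and line.strip():
            chains[cur].append(line.strip())
    return chains

def norm_mac(mac):  # ebtables prints octets without leading zeros: 52:54:00:.. -> 52:54:0:..
    return ":".join(format(int(o, 16), "x") for o in mac.split(":"))

def check_clean_traffic(xml_text, listing):  # returns problems; [] means rules are in place
    iface = ET.fromstring(xml_text)
    mac = norm_mac(iface.find("mac").get("address"))
    dev = iface.find("target").get("dev")
    ip = iface.find("filterref/parameter[@name='IP']").get("value")
    chains, problems = parse_chains(listing), []
    wanted = [("PREROUTING", f"-i {dev} -j libvirt-I-{dev}"),               # filter hooked in
              (f"I-{dev}-mac", f"-s {mac} -j RETURN"),                      # MAC spoofing blocked
              (f"I-{dev}-ipv4-ip", f"-p IPv4 --ip-src {ip} -j RETURN"),     # IP spoofing blocked
              (f"I-{dev}-arp-ip", f"-p ARP --arp-ip-src {ip} -j RETURN")]   # ARP spoofing blocked
    for chain, rule in wanted:
        if rule not in chains.get(chain, []):
            problems.append(f"{chain}: missing '{rule}'")
    for chain, _ in wanted[1:]:  # each per-interface chain must fall through to DROP
        if (chains.get(chain) or [""])[-1] != "-j DROP":
            problems.append(f"{chain}: does not end in -j DROP")
    return problems
```

Run it against a live host by replacing `EBTABLES_NAT` with the captured command output and `INTERFACE_XML` with the `<interface>` element from `virsh dumpxml`.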
