[libvirt-users] Network filters with clean-traffic not working on Debian Stretch

Laine Stump laine at redhat.com
Wed Jan 2 16:38:50 UTC 2019


On 12/29/18 5:51 AM, fatal wrote:
> Dear Yalang,
> 
> that did the trick. If I look in the NAT table of the bridge I can see
> the generated rules. Probably wouldn't have thought about that ever.

Yes, it is fairly strange that rules to filter traffic are in a table 
called "nat". My understanding is that it was implemented this way in 
order to avoid duplicating all the rules in both the input and forward 
chains (or something like that).


> 
> Thanks a lot!
> 
> Best
> 
> Sam
> 
> 
> On 29.12.18 06:51, Yalan Zhang wrote:
>> Hi Sam,
>>
>> You can list the rules with the command below; the output looks like this:
>> # ebtables -t nat --list
>> Bridge table: nat
>>
>> Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
>> -j PREROUTING_direct
>> -i vnet0 -j libvirt-I-vnet0
>>
>> Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
>> -j OUTPUT_direct
>>
>> Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
>> -j POSTROUTING_direct
>> -o vnet0 -j libvirt-O-vnet0
>>
>> Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN
>>
>> Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN
>>
>> Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN
>>
>> Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
>> -j I-vnet0-mac
>> -p IPv4 -j I-vnet0-ipv4-ip
>> -p IPv4 -j ACCEPT
>> -p ARP -j I-vnet0-arp-mac
>> -p ARP -j I-vnet0-arp-ip
>> -p ARP -j ACCEPT
>> -p 0x8035 -j I-vnet0-rarp
>> -p 0x835 -j ACCEPT
>> -j DROP
>>
>> Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
>> -p IPv4 -j O-vnet0-ipv4
>> -p ARP -j ACCEPT
>> -p 0x8035 -j O-vnet0-rarp
>> -j DROP
>>
>> Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
>> -s 52:54:0:3a:40:b7 -j RETURN
>> -j DROP
>>
>> Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
>> -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
>> -p IPv4 --ip-src 172.16.1.2 -j RETURN
>> -j DROP
>>
>> Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
>> -j ACCEPT
>>
>> Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
>> -p ARP --arp-mac-src 52:54:0:3a:40:b7 -j RETURN
>> -j DROP
>>
>> Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
>> -p ARP --arp-ip-src 172.16.1.2 -j RETURN
>> -j DROP
>>
>> Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
>> -p 0x8035 -s 52:54:0:3a:40:b7 -d Broadcast --arp-op Request_Reverse
>> --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7
>> --arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
>> -j DROP
>>
>> Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
>> -p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
>> --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst
>> 52:54:0:3a:40:b7 -j ACCEPT
>> -j DROP
>>
>> For an interface set as:
>>      <interface type='bridge'>
>>        <mac address='52:54:00:3a:40:b7'/>
>>        <source bridge='br0'/>
>>        <target dev='vnet0'/>
>>        <model type='rtl8139'/>
>>        <filterref filter='clean-traffic'>
>>          <parameter name='IP' value='172.16.1.2'/>
>>        </filterref>
>>        <alias name='net0'/>
>>        <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
>> function='0x0'/>
>>      </interface>
>>
>>
>>
>> -------
>> Best Regards,
>> Yalan Zhang
>> IRC: yalzhang
> 
> _______________________________________________
> libvirt-users mailing list
> libvirt-users at redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
> 
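The listing above is what an administrator reads by hand to confirm that clean-traffic really pins the guest to its MAC and IP. The following is an added example, not code from the thread or from libvirt: it parses `ebtables -t nat --list` output and checks that the per-interface anti-spoofing chains allow only the expected MAC and IP before the trailing DROP. The sample listing is constructed from the chains quoted above; `vnet0`, the MAC and the IP are the values from the thread.

```python
import re

# Constructed sample of `ebtables -t nat --list`, trimmed to the chains checked.
SAMPLE_LISTING = """\
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP
"""

def parse_chains(listing):
    """Map chain name -> ordered list of rule strings from --list output."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Bridge chain: (\S+), entries: \d+, policy: \S+", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current is not None and line.startswith("-"):
            chains[current].append(line.strip())
    return chains

def norm_mac(mac):
    """ebtables prints MAC octets without zero padding (52:54:0:3a:40:b7)."""
    return ":".join(f"{int(o, 16):x}" for o in mac.split(":"))

def check_clean_traffic(listing, dev, mac, ip):
    """Return findings; an empty list means the anti-spoof chains match dev/mac/ip."""
    chains = parse_chains(listing)
    findings = []
    if f"-i {dev} -j libvirt-I-{dev}" not in chains.get("PREROUTING", []):
        findings.append(f"PREROUTING does not divert {dev} into libvirt-I-{dev}")
    mac_rules = chains.get(f"I-{dev}-mac", [])
    if f"-s {norm_mac(mac)} -j RETURN" not in mac_rules or mac_rules[-1:] != ["-j DROP"]:
        findings.append(f"I-{dev}-mac does not allow only {mac} and then DROP")
    ip_rules = chains.get(f"I-{dev}-ipv4-ip", [])  # 0.0.0.0/udp RETURN is for DHCP
    if f"-p IPv4 --ip-src {ip} -j RETURN" not in ip_rules or ip_rules[-1:] != ["-j DROP"]:
        findings.append(f"I-{dev}-ipv4-ip does not allow only {ip} and then DROP")
    return findings
```

On a live host, feed the function the real output of `ebtables -t nat --list` together with the MAC and IP from the domain XML; any finding means the filter was not applied as intended for that interface.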