nwfilter direction not being used when protocol all
Jason Pyeron
jpyeron at pdinc.us
Mon Oct 11 12:49:25 UTC 2021
Watson / Kyle:
(note I copied the list)
While I read https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoMisc , it is not clear that it is intended to add the iptables action without regard to the rule’s direction.
Take the following rule scenarios:
<rule action='accept' direction='in' priority='500' statematch='false'>
  <tcp dstportstart='22'/>
</rule>
<rule action='drop' direction='in' priority='1000'>
  <all/>
</rule>
# iptables-save | grep vnet5 | tee in
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
<rule action='accept' direction='in' priority='500' statematch='false'>
  <tcp dstportstart='22'/>
</rule>
<rule action='drop' direction='out' priority='1000'>
  <all/>
</rule>
# iptables-save | grep vnet5 | tee out
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
<rule action='accept' direction='in' priority='500' statematch='false'>
  <tcp dstportstart='22'/>
</rule>
<rule action='drop' direction='inout' priority='1000'>
  <all/>
</rule>
# iptables-save | grep vnet5 | tee inout
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
We note that the rules
-A HI-vnet5 -j DROP
-A FI-vnet5 -j DROP
-A FO-vnet5 -j DROP
are present without regard to the state of the direction attribute on the “default” drop rule.
If the direction is “in” then the “-A FI-vnet5 -j DROP” should not exist.
What does the source code say? I worry that either the docs are imprecise and this is desired, or there is a bug and I can end up like https://superuser.com/questions/1660080/in-libvirt-network-filters-nwfilter-what-does-the-all-protocol-type-indicat
As this is going to be a generic rule, applied many times – I would prefer not to have mac based source allow rules.
-Jason
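A way to check the three captures mechanically, as an added example that is not from the post or from libvirt: it parses an iptables-save excerpt (the vnet5 lines quoted above, embedded as constructed sample input), records which --physdev-in / --physdev-out match jumps into each per-interface chain, and lists the chains that end in a match-less DROP. The interface name vnet5 and the chain names come from the dump; the helper names audit and drops_outside are assumptions of this example.

```python
"""Audit which per-interface libvirt chains end in an unconditional DROP.

Added example (not libvirt code). Physdev semantics used below: a frame
matched by --physdev-in <tap> entered the bridge from the VM, one matched
by --physdev-out <tap> is leaving the bridge towards the VM.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the vnet5 excerpt of iptables-save quoted in the post.
SAMPLE = """\
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
"""

JUMP_RE = re.compile(r"^-A (\S+) -m physdev --physdev-(in|out) (\S+) .*-[gj] (\S+)$")
UNCOND_RE = re.compile(r"^-A (\S+) -j (DROP|ACCEPT|REJECT)$")  # no match clause at all
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def audit(dump: str, iface: str) -> Dict[str, Tuple[str, str]]:
    """Map each <prefix>-<iface> chain with a match-less terminating rule to
    (physdev direction that jumps into it, target)."""
    reached_via: Dict[str, str] = {}   # chain -> "in" | "out"
    uncond: Dict[str, str] = {}        # chain -> DROP/ACCEPT/REJECT
    for line in dump.splitlines():
        m = JUMP_RE.match(line)
        if m and m.group(3) == iface and m.group(4) not in BUILTIN_TARGETS:
            reached_via[m.group(4)] = m.group(2)
        m = UNCOND_RE.match(line)
        if m and m.group(1).endswith("-" + iface):
            uncond[m.group(1)] = m.group(2)
    return {c: (reached_via.get(c, "?"), t) for c, t in sorted(uncond.items())}


def drops_outside(result: Dict[str, Tuple[str, str]], intended: str) -> List[str]:
    """Chains whose unconditional DROP is reached via a physdev direction
    other than the one the filter's drop rule was meant to cover."""
    return [c for c, (via, t) in result.items() if t == "DROP" and via != intended]


if __name__ == "__main__":
    for chain, (via, target) in audit(SAMPLE, "vnet5").items():
        print(f"{chain}: reached via --physdev-{via}, ends in {target}")
```

Run it against each of the `in`, `out` and `inout` captures: if the direction attribute narrowed the `<all/>` drop, the three dumps would differ in which chains `audit` reports.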