fatal
2018-Dec-25 16:27 UTC
[libvirt-users] Network filters with clean-traffic not working on Debian Stretch
Hello,

I recently stumbled over the libvirt network filter capabilities and got pretty excited. Unfortunately I'm not able to get the "clean-traffic" filterset working. I'm using a freshly installed Debian Stretch with libvirt, qemu and KVM.

My config snippet looks as follows:

sudo virsh edit <VM>

[...]
    <interface type='bridge'>
      <mac address='52:54:00:0c:14:07'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.10.1.2'/>
      </filterref>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:0c:24:17'/>
      <source bridge='br1'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='172.16.1.2'/>
      </filterref>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
[...]

I restarted the VM from within the VM, did a "virsh reboot <VM>", restarted libvirtd and even did a reboot of the host - just to be sure. Unfortunately neither "iptables -L" nor "ebtables --list" show any entries added by libvirt. Also omitting the "parameter name='IP'" part didn't change anything.

There are no error messages in /var/log/syslog nor in /var/log/libvirt/qemu/<VM>

My main references were:

https://libvirt.org/firewall.html
https://libvirt.org/formatnwfilter.html
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering
https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/

Any help really would be much appreciated!

Thanks a lot!

Sam
Yalan Zhang
2018-Dec-29 05:51 UTC
Re: [libvirt-users] Network filters with clean-traffic not working on Debian Stretch
Hi Sam,

You can find the rules with the command below; the output looks like this:

# ebtables -t nat --list
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-j OUTPUT_direct

Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
-j POSTROUTING_direct
-o vnet0 -j libvirt-O-vnet0

Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN

Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN

Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4-ip
-p IPv4 -j ACCEPT
-p ARP -j I-vnet0-arp-mac
-p ARP -j I-vnet0-arp-ip
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j ACCEPT
-p 0x8035 -j O-vnet0-rarp
-j DROP

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP

Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
-j ACCEPT

Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 172.16.1.2 -j RETURN
-j DROP

Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -s 52:54:0:3a:40:b7 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
-j DROP

Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
-j DROP

For interface set as:

    <interface type='bridge'>
      <mac address='52:54:00:3a:40:b7'/>
      <source bridge='br0'/>
      <target dev='vnet0'/>
      <model type='rtl8139'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='172.16.1.2'/>
      </filterref>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>

-------
Best Regards,
Yalan Zhang
IRC: yalzhang

On Wed, Dec 26, 2018 at 12:28 AM fatal <fatal@mailbox.org> wrote:
> Hello,
>
> I'm recently stumbled over the libvirt network filter capabilities and
> got pretty excited. Unfortunately I'm not able to get the the
> "clean-traffic" filterset working. I'm using a freshly installed Debian
> Stretch with libvirt, qemu and KVM.
>
> My config snippet looks as follows:
>
> sudo virsh edit <VM>
>
> [...]
> <interface type='bridge'>
> <mac address='52:54:00:0c:14:07'/>
> <source bridge='br0'/>
> <model type='virtio'/>
> <filterref filter='clean-traffic'>
> <parameter name='IP' value='10.10.1.2'/>
> </filterref>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
> </interface>
> <interface type='bridge'>
> <mac address='52:54:00:0c:24:17'/>
> <source bridge='br1'/>
> <model type='virtio'/>
> <filterref filter='clean-traffic'>
> <parameter name='IP' value='172.16.1.2'/>
> </filterref>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
> </interface>
> [...]
>
> I restarted the VM from within the VM, did a "virsh reboot <VM>",
> restarted libvirtd and even did a reboot of the host - just to be sure.
> Unfortunately neither "iptables -L" nor "ebtables --list" show any
> entries added by libvirt. Also omitting the "parameter name='IP'" part
> didn't change anything.
>
> There are no error messages in /var/log/syslog nor in
> /var/log/libvirt/qemu/<VM>
>
> My main references were:
>
> https://libvirt.org/firewall.html
> https://libvirt.org/formatnwfilter.html
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering
>
> https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/
>
> Any help really would be much appreciated!
>
> Thanks a lot!
>
> Sam
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users@redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
>
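The point of Yalan's reply is that libvirt installs the clean-traffic rules into the ebtables nat table (hooked from PREROUTING and POSTROUTING on the tap device), so the default `ebtables --list`, which shows the filter table, is empty even when the filter is working. The script below is an added example for this thread, not code from libvirt or from either poster: it parses `ebtables -t nat -L` output and checks that a given tap device is hooked, that its MAC chain returns only the guest MAC and drops everything else, and that the IPv4 and ARP chains pin the expected IP. It assumes the tap device name (`vnet0` here, from Yalan's `<target dev='vnet0'/>`; a domain without `<target dev>` can be looked up with `virsh domiflist <VM>`), and the abridged sample output embedded in it is copied from the reply above so the check runs offline. One detail worth knowing: ebtables prints MAC octets without leading zeros (`52:54:0:3a:40:b7` for `52:54:00:3a:40:b7`), so a naive grep for the XML MAC would miss the rule.

```shell
#!/bin/sh
# nwfilter_check.sh: confirm that libvirt's clean-traffic rules are in place for
# one tap device. libvirt installs nwfilter rules into the ebtables *nat* table
# (PREROUTING/POSTROUTING), so a plain `ebtables -L` (filter table) shows nothing.
# Example code written for this thread, not part of libvirt.

# Abridged `ebtables -t nat -L` output copied from Yalan Zhang's reply above,
# used as offline sample input when no output is passed to nwfilter_check.
SAMPLE_EBTABLES_NAT='Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
-j POSTROUTING_direct
-o vnet0 -j libvirt-O-vnet0

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP

Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 172.16.1.2 -j RETURN
-j DROP'

# chain_rules EBTABLES_OUTPUT CHAIN
# Print only the rule lines belonging to CHAIN (the trailing comma in the
# header match keeps I-vnet0-mac from also matching I-vnet0-mac-something).
chain_rules() {
    printf '%s\n' "$1" | awk -v hdr="Bridge chain: $2," '
        index($0, hdr) == 1 { inside = 1; next }  # header of the wanted chain
        /^Bridge chain:/    { inside = 0 }        # a different chain starts
        inside && NF        { print }'
}

# ebtables_mac MAC
# ebtables prints octets without leading zeros (52:54:00:0c:.. -> 52:54:0:c:..),
# so the MAC from the domain XML must be rewritten before comparing.
ebtables_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' |
        awk -F: 'BEGIN { OFS = ":" } { for (i = 1; i <= NF; i++) sub(/^0/, "", $i); print }'
}

# nwfilter_check VNET MAC IP [EBTABLES_OUTPUT]
# Exit status: 0 rules present and pinned to MAC/IP, 1 filter not applied to VNET,
# 2 chains exist but pin a different MAC or IP, 3 ebtables could not be read.
nwfilter_check() {
    vnet=$1 mac=$2 ip=$3 out=$4
    [ -n "$out" ] || out=$(ebtables -t nat -L 2>/dev/null) || return 3
    nmac=$(ebtables_mac "$mac")

    # 1. Is the per-interface chain hooked into PREROUTING at all?
    printf '%s\n' "$out" | grep -qF -- "-i $vnet -j libvirt-I-$vnet" || return 1

    # 2. MAC pinning: only the guest's MAC returns, everything else is dropped.
    rules=$(chain_rules "$out" "I-$vnet-mac")
    printf '%s\n' "$rules" | grep -qF -- "-s $nmac -j RETURN" || return 2
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = "-j DROP" ] || return 2

    # 3. IP pinning, both for IPv4 payloads and for ARP sender addresses.
    chain_rules "$out" "I-$vnet-ipv4-ip" | grep -qF -- "--ip-src $ip -j RETURN" || return 2
    chain_rules "$out" "I-$vnet-arp-ip"  | grep -qF -- "--arp-ip-src $ip -j RETURN" || return 2
    return 0
}

# Usage: ./nwfilter_check.sh vnet0 52:54:00:3a:40:b7 172.16.1.2   (live, needs root)
# With no arguments the sample from the thread is checked instead.
if [ $# -eq 3 ]; then
    nwfilter_check "$1" "$2" "$3"; echo "status: $?"
elif [ $# -eq 0 ]; then
    nwfilter_check vnet0 52:54:00:3a:40:b7 172.16.1.2 "$SAMPLE_EBTABLES_NAT"; echo "status: $?"
fi
```

A status of 1 is the symptom Sam reported (filter never applied, so the per-interface chains are absent), while 2 means libvirt did apply the filter but with a different MAC or IP than expected, for instance after a MAC change in the guest XML that has not been picked up yet. On Sam's Debian host there will be no `*_direct` jumps in PREROUTING/POSTROUTING; those come from firewalld on the RHEL box Yalan ran the command on, and the check does not depend on them.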
fatal
2018-Dec-29 10:51 UTC
Re: [libvirt-users] Network filters with clean-traffic not working on Debian Stretch
Dear Yalan,

that did the trick. If I look in the NAT table of the bridge I can see the generated rules. Probably wouldn't have thought about that ever.

Thanks a lot!

Best
Sam

On 29.12.18 06:51, Yalan Zhang wrote:
> Hi Sam,
>
> You can find the rules by below command, and it looks as below:
> # ebtables -t nat --list
> Bridge table: nat
>
> Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
> -j PREROUTING_direct
> -i vnet0 -j libvirt-I-vnet0
>
> Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
> -j OUTPUT_direct
>
> Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
> -j POSTROUTING_direct
> -o vnet0 -j libvirt-O-vnet0
>
> Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN
>
> Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN
>
> Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN
>
> Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
> -j I-vnet0-mac
> -p IPv4 -j I-vnet0-ipv4-ip
> -p IPv4 -j ACCEPT
> -p ARP -j I-vnet0-arp-mac
> -p ARP -j I-vnet0-arp-ip
> -p ARP -j ACCEPT
> -p 0x8035 -j I-vnet0-rarp
> -p 0x835 -j ACCEPT
> -j DROP
>
> Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
> -p IPv4 -j O-vnet0-ipv4
> -p ARP -j ACCEPT
> -p 0x8035 -j O-vnet0-rarp
> -j DROP
>
> Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
> -s 52:54:0:3a:40:b7 -j RETURN
> -j DROP
>
> Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
> -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
> -p IPv4 --ip-src 172.16.1.2 -j RETURN
> -j DROP
>
> Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
> -j ACCEPT
>
> Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
> -p ARP --arp-mac-src 52:54:0:3a:40:b7 -j RETURN
> -j DROP
>
> Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
> -p ARP --arp-ip-src 172.16.1.2 -j RETURN
> -j DROP
>
> Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
> -p 0x8035 -s 52:54:0:3a:40:b7 -d Broadcast --arp-op Request_Reverse
> --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7
> --arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
> -j DROP
>
> Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
> -p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
> --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst
> 52:54:0:3a:40:b7 -j ACCEPT
> -j DROP
>
> For interface set as:
> <interface type='bridge'>
> <mac address='52:54:00:3a:40:b7'/>
> <source bridge='br0'/>
> <target dev='vnet0'/>
> <model type='rtl8139'/>
> <filterref filter='clean-traffic'>
> <parameter name='IP' value='172.16.1.2'/>
> </filterref>
> <alias name='net0'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
> </interface>
>
>
>
> -------
> Best Regards,
> Yalan Zhang
> IRC: yalzhang