Maciej Gałkiewicz
2013-Apr-23 13:25 UTC
[libvirt-users] Lack of ebtables rules when using nwfilters
Hi

I am using libvirt (0.9.12) with openstack and xen. It looks like libvirt is not creating ebtables rules against arp spoofing etc. Here are my configs:

VM definition:

<domain type='xen'>
  <uuid>d49b777f-32f1-4093-ae47-a12efd0efd2c</uuid>
  <name>instance-00000168</name>
  <memory>2097152</memory>
  <os>
    <type>linux</type>
    <root>/dev/xvda</root>
    <kernel>/var/lib/nova/instances/instance-00000168/kernel</kernel>
    <cmdline>ro</cmdline>
    <initrd>/var/lib/nova/instances/instance-00000168/ramdisk</initrd>
  </os>
  <features>
    <acpi/>
  </features>
  <vcpu>2</vcpu>
  <devices>
    <disk type='file' device='disk'>
      <driver type='raw' cache='none'/>
      <source file='/var/lib/nova/instances/instance-00000168/disk'/>
      <target dev='sda' bus='scsi'/>
    </disk>
    <disk type='file'>
      <driver type='raw' cache='none'/>
      <source file='/var/lib/nova/instances/instance-00000168/disk.swap'/>
      <target dev='sdb' bus='scsi'/>
    </disk>
    <interface type='bridge'>
      <source bridge='br0'/>
      <mac address='fa:16:3e:1e:70:87'/>
      <filterref filter="nova-instance-instance-00000168-fa163e1e7087">
        <parameter name="IP" value="10.255.0.114" />
        <parameter name="DHCPSERVER" value="10.255.0.3" />
      </filterref>
    </interface>
    <console type='pty'/>
    <graphics type='vnc' port='-1' autoport='yes' keymap='en-us' listen='127.0.0.1'/>
  </devices>
</domain>

# virsh nwfilter-dumpxml nova-instance-instance-00000168-fa163e1e7087
<filter name='nova-instance-instance-00000168-fa163e1e7087' chain='root'>
  <uuid>b6475525-5901-aeab-4ed0-dc0d7b545aea</uuid>
  <filterref filter='nova-base'/>
</filter>

# virsh nwfilter-dumpxml nova-base
<filter name='nova-base' chain='root'>
  <uuid>197b7f7a-389c-bd6d-6b77-07b88d3d9138</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
</filter>

# ebtables -t nat -L
Bridge table: nat
Bridge chain: PREROUTING, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT

# ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

logs:

2013-04-23 10:47:37.438+0000: 30155: debug : virNWFilterDefineXML:16099 : conn=0x1331ff0, xmlDesc=<filter name='nova-instance-instance-00000167-fa163e4faae5' chain='root'><filterref filter='nova-base'/></filter>
2013-04-23 10:47:37.544+0000: 30155: debug : virNWFilterFree:15971 : nwfilter=0x7f18400bc2b0
2013-04-23 10:47:37.544+0000: 30155: debug : virUnrefNWFilter:1262 : unref nwfilter 0x7f18400bc2b0 nova-instance-instance-00000167-fa163e4faae5 1
2013-04-23 10:47:37.544+0000: 30155: debug : virReleaseNWFilter:1222 : release nwfilter 0x7f18400bc2b0 nova-instance-instance-00000167-fa163e4faae5 875ff1e5-fc4d-2fca-9da2-f163f273ad6a
2013-04-23 10:47:37.544+0000: 30155: debug : virReleaseNWFilter:1229 : unref connection 0x1331ff0 2

regards
Maciej Gałkiewicz
Daniel P. Berrange
2013-Apr-23 16:41 UTC
[libvirt-users] Lack of ebtables rules when using nwfilters
On Tue, Apr 23, 2013 at 03:25:35PM +0200, Maciej Gałkiewicz wrote:
> Hi
>
> I am using libvirt (0.9.12) with openstack and xen. It looks like libvirt
> is not creating ebtables rules against arp spoofing etc. Here are my
> configs:

The Xen driver in libvirt does not support the nwfilter technology. This only works with KVM, LXC or UML drivers at this time.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
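As an added check (example code, not from either poster), the following resolves the nwfilter chain referenced by the domain XML above down to its leaf filters and reports whether the domain type is one the nwfilter driver actually covers; the filter definitions are the ones dumped in the first message and the list of supporting drivers is the one given in the reply. Assumption: the QEMU/KVM driver accepts both the 'qemu' and 'kvm' domain types.

```python
import xml.etree.ElementTree as ET
# Domain XML reduced to the parts this check reads (constructed from the post).
DOMAIN_XML = """<domain type='xen'>
  <name>instance-00000168</name>
  <devices><interface type='bridge'>
    <source bridge='br0'/><mac address='fa:16:3e:1e:70:87'/>
    <filterref filter="nova-instance-instance-00000168-fa163e1e7087">
      <parameter name="IP" value="10.255.0.114"/><parameter name="DHCPSERVER" value="10.255.0.3"/>
    </filterref>
  </interface></devices>
</domain>"""
# `virsh nwfilter-dumpxml` output per filter name, as shown in the post; the
# built-in leaf filters were not dumped, so any name missing here is a leaf.
NWFILTERS = {
    "nova-instance-instance-00000168-fa163e1e7087":
        "<filter name='nova-instance-instance-00000168-fa163e1e7087' chain='root'>"
        "<filterref filter='nova-base'/></filter>",
    "nova-base":
        "<filter name='nova-base' chain='root'><filterref filter='no-mac-spoofing'/>"
        "<filterref filter='no-ip-spoofing'/><filterref filter='no-arp-spoofing'/></filter>",
}
# Domain types whose driver applies nwfilter, per the reply in this thread:
# the QEMU/KVM driver (types 'qemu' and 'kvm'), LXC and UML. Xen is not one.
NWFILTER_DRIVERS = {"qemu", "kvm", "lxc", "uml"}

def resolve_filters(name, nwfilters, seen=None):
    """Flatten a <filterref> chain into the leaf filter names it pulls in."""
    seen = set() if seen is None else seen
    if name in seen:            # filter that (indirectly) references itself
        return []
    seen.add(name)
    if name not in nwfilters:   # not dumped: a built-in leaf such as no-arp-spoofing
        return [name]
    return [leaf for ref in ET.fromstring(nwfilters[name]).iter("filterref")
            for leaf in resolve_filters(ref.get("filter"), nwfilters, seen)]

def audit_domain(domain_xml, nwfilters):
    """Per NIC: referenced leaf filters and parameters; 'enforced' says whether
    the hypervisor driver will actually turn them into ebtables/iptables rules."""
    dom = ET.fromstring(domain_xml)
    report = {"type": dom.get("type"), "interfaces": [],
              "enforced": dom.get("type") in NWFILTER_DRIVERS}
    for iface in dom.iter("interface"):
        ref = iface.find("filterref")
        report["interfaces"].append({
            "mac": iface.find("mac").get("address"),
            "params": {} if ref is None else {p.get("name"): p.get("value") for p in ref.iter("parameter")},
            "filters": [] if ref is None else resolve_filters(ref.get("filter"), nwfilters)})
    return report
```

For the XML in this thread the report lists all three anti-spoofing leaf filters for the NIC but sets enforced to False, which matches the empty ebtables tables the poster saw.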