Sven Schwedas
2013-Jul-15 10:52 UTC
Re: [libvirt-users] The firewall just doesn't make any sense
Could *somebody* shed some light on how the firewall is supposed to work? I haven't even managed to get trivial firewall rules to work. As mentioned, the examples in the documentation generate completely nonsensical rulesets, and if I try writing my own, they make even less sense.

For example:

> <filter name='test-eth0' chain='root'>
>   <rule action='drop' direction='in' priority='900'>
>     <all state='NEW'/>
>   </rule>
> </filter>

Generates the following iptables rules: https://up.tao.at/u/DE7E2638.txt

...and will not filter anything.

> <filter name='test-eth0' chain='root'>
>   <rule action='accept' direction='in' priority='500'>
>     <tcp srcipaddr='192.168.17.127' dstportstart='22'/>
>   </rule>
>   <rule action='drop' direction='in' priority='900'>
>     <all/>
>   </rule>
> </filter>

Will filter port 22 as well. The generated iptables rules are as follows: https://up.tao.at/u/423CFFE9.txt

The *input* rules have the *source* address set as *destination*. Is this a bug in libvirt/iptables?

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven SCHWEDAS
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@tao.at | +43 (0)680 301 7167
http://software.tao.at
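An added example, not part of this thread and not libvirt's own code: a small Python script that parses nwfilter XML like the two filters quoted in the post above and evaluates constructed packets against the rules in priority order (lower value first, default 500, as the nwfilter documentation specifies). It models the intuitive reading the post expects (srcipaddr is the packet's source, dstportstart its destination port, first match wins, unmatched traffic accepted), so the intended policy can be unit-tested on paper before comparing it with the ruleset libvirt actually emits. It does not model the ebtables/iptables rules libvirt generates. The Packet and Rule classes and the accept-by-default fall-through are assumptions of the example.

```python
# Added example, not from the thread or from libvirt: parse nwfilter XML as
# posted above and evaluate a constructed packet against it in priority order,
# so the *intended* policy can be checked before touching the host.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two filters quoted in the post above.
DROP_NEW_XML = """
<filter name='test-eth0' chain='root'>
  <rule action='drop' direction='in' priority='900'>
    <all state='NEW'/>
  </rule>
</filter>
"""

SSH_ONLY_XML = """
<filter name='test-eth0' chain='root'>
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='192.168.17.127' dstportstart='22'/>
  </rule>
  <rule action='drop' direction='in' priority='900'>
    <all/>
  </rule>
</filter>
"""

@dataclass
class Packet:
    """Hypothetical packet model used only by this simulation."""
    direction: str            # 'in' = towards the guest, 'out' = from the guest
    proto: str                # 'tcp', 'udp', 'icmp', ...
    src: str                  # packet source IP
    dst: str                  # packet destination IP
    dport: Optional[int] = None
    state: str = 'NEW'        # conntrack state: NEW, ESTABLISHED, RELATED, INVALID

@dataclass
class Rule:
    """One <rule> child element with its parent's action/direction/priority."""
    action: str
    direction: str
    priority: int
    proto: str                # child element name: 'all', 'tcp', 'udp', ...
    attrs: dict

def parse_filter(xml_text):
    """Return the filter's rules sorted so the lowest priority value comes
    first, the order in which nwfilter applies them (default priority 500)."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall('rule'):
        prio = int(r.get('priority', '500'))
        for child in r:
            rules.append(Rule(r.get('action'), r.get('direction'),
                              prio, child.tag, dict(child.attrib)))
    rules.sort(key=lambda x: x.priority)   # stable sort keeps document order on ties
    return rules

def rule_matches(rule, pkt):
    """Intuitive reading of a rule: srcipaddr is the packet's source address,
    dstportstart/dstportend bound the packet's destination port."""
    if rule.direction != 'inout' and rule.direction != pkt.direction:
        return False
    if rule.proto != 'all' and rule.proto != pkt.proto:
        return False
    a = rule.attrs
    if 'srcipaddr' in a and a['srcipaddr'] != pkt.src:
        return False
    if 'dstipaddr' in a and a['dstipaddr'] != pkt.dst:
        return False
    if 'dstportstart' in a:
        lo = int(a['dstportstart'])
        hi = int(a.get('dstportend', lo))
        if pkt.dport is None or not lo <= pkt.dport <= hi:
            return False
    if 'state' in a and pkt.state not in a['state'].split(','):
        return False
    return True

def evaluate(rules, pkt, default='accept'):
    """First matching rule wins; a packet matching no rule falls through to
    the assumed chain default (accept, the behaviour the post expects)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return default

if __name__ == '__main__':
    rules = parse_filter(SSH_ONLY_XML)
    ssh_from_admin = Packet('in', 'tcp', '192.168.17.127', '10.0.0.5', 22)
    ssh_from_other = Packet('in', 'tcp', '192.168.17.9', '10.0.0.5', 22)
    print(evaluate(rules, ssh_from_admin), evaluate(rules, ssh_from_other))
```

Running it prints `accept drop` for the second filter, which is the policy the post describes wanting; diffing that expectation against the linked iptables output is the quickest way to see where the generated rules diverge from the intent.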
Daniel P. Berrange
2013-Jul-15 10:57 UTC
Re: [libvirt-users] The firewall just doesn't make any sense
On Mon, Jul 15, 2013 at 12:52:20PM +0200, Sven Schwedas wrote:
> Could *somebody* shed some light on how the firewall is supposed to
> work? I haven't even managed to get trivial firewall rules to work. As
> mentioned, the examples in the documentation generate completely
> nonsensical rulesets, and if I try writing my own, they make even less
> sense.
> 
> For example:
> 
> > <filter name='test-eth0' chain='root'>
> >   <rule action='drop' direction='in' priority='900'>
> >     <all state='NEW'/>
> >   </rule>
> > </filter>
> 
> Generates the following iptables rules: https://up.tao.at/u/DE7E2638.txt
> 
> ...and will not filter anything.

NB 95% of the rules libvirt creates are done at the ebtables level rather than iptables/ip6tables.

Daniel
-- 
|: http://berrange.com      -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
Sven Schwedas
2013-Jul-15 12:59 UTC
Re: [libvirt-users] The firewall just doesn't make any sense
On 15.07.2013 12:57, Daniel P. Berrange wrote:
> On Mon, Jul 15, 2013 at 12:52:20PM +0200, Sven Schwedas wrote:
>> Could *somebody* shed some light on how the firewall is supposed to
>> work? I haven't even managed to get trivial firewall rules to work. As
>> mentioned, the examples in the documentation generate completely
>> nonsensical rulesets, and if I try writing my own, they make even less
>> sense.
>> 
>> For example:
>>> <filter name='test-eth0' chain='root'>
>>>   <rule action='drop' direction='in' priority='900'>
>>>     <all state='NEW'/>
>>>   </rule>
>>> </filter>
>> 
>> Generates the following iptables rules: https://up.tao.at/u/DE7E2638.txt
>> 
>> ...and will not filter anything.
> 
> NB 95% of the rules libvirt creates are done at the ebtables
> level rather than iptables/ip6tables.

Said filter set did not generate any ebtables entries. Complete output for ip- and ebtables: https://up.tao.at/u/17C4B040.txt

> 
> Daniel
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven SCHWEDAS
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@tao.at | +43 (0)680 301 7167
http://software.tao.at