libvirt users - Jun 2019 - Easy solution for custom firewall rules-

Nakta wrote:
> libvirts nwfilter module can achieve that.
I read over those resources and I did what I thought would be correct,
but it's not having any effect.

I created a new nwfilter like this:
<filter name='allow-virbr2-vpn' chain='ipv4'
priority='-700'>
  <rule action='accept' direction='in'
priority='500'>
    <all state='ESTABLISHED'/>
  </rule>
  <rule action='accept' direction='out'
priority='500'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='in'
priority='100'>
    <ip dstipaddr='192.168.8.0' dstipmask='24'/>
  </rule>
  <rule action='accept' direction='out'
priority='100'>
    <ip srcipaddr='192.168.8.0' srcipmask='24'/>
  </rule>
  <rule action='drop' direction='inout'
priority='500'>
    <all/>
  </rule>
</filter>

I then associated that filter with the Interface device on the VM
server within KVM... and shutdown/restart that VM.
 <interface type='network'>
      <mac address='XX:XX:XX:XX:XX:XX'/>
      <source network='locservers'/>
      <model type='virtio'/>
      <filterref filter='allow-virbr2-vpn'/>
      <address type='pci' domain='0x0000' bus='0x00'
slot='0x03'
function='0x0'/>
    </interface>

After this, nothing happens.  I did 'ebtables --list', and the new
rules aren't there.  I also did the same with iptables as well as
firewalld itself.  The new rules are nowhere to be found.

What did I do incorrectly here?

Thanks!
-JK

On 6/2/19 10:02 PM, Joshua Kramer wrote:
> Nakta wrote:
>> libvirts nwfilter module can achieve that.
> 
> I read over those resources and I did what I thought would be correct,
> but it's not having any effect.
> 
> I created a new nwfilter like this:
> <filter name='allow-virbr2-vpn' chain='ipv4'
priority='-700'>
>    <rule action='accept' direction='in'
priority='500'>
>      <all state='ESTABLISHED'/>
>    </rule>
>    <rule action='accept' direction='out'
priority='500'>
>      <all state='ESTABLISHED,RELATED'/>
>    </rule>
>    <rule action='accept' direction='in'
priority='100'>
>      <ip dstipaddr='192.168.8.0' dstipmask='24'/>
>    </rule>
>    <rule action='accept' direction='out'
priority='100'>
>      <ip srcipaddr='192.168.8.0' srcipmask='24'/>
>    </rule>
>    <rule action='drop' direction='inout'
priority='500'>
>      <all/>
>    </rule>
> </filter>
> 
> I then associated that filter with the Interface device on the VM
> server within KVM... and shutdown/restart that VM.
>   <interface type='network'>
>        <mac address='XX:XX:XX:XX:XX:XX'/>
>        <source network='locservers'/>
>        <model type='virtio'/>
>        <filterref filter='allow-virbr2-vpn'/>
>        <address type='pci' domain='0x0000'
bus='0x00' slot='0x03'
> function='0x0'/>
>      </interface>
> 
> After this, nothing happens.  I did 'ebtables --list', and the new
> rules aren't there.
Try "ebtables -t nat -L", although as I said in the other message I
just
posted, it's not going to do what you need anyway, because these rules 
will be applied *in addition to* the network's iptables rules, not 
*instead of*.