> -----Original Message-----
> From: Jason Pyeron
> Sent: Monday, October 11, 2021 8:49 AM
> To: Kyle Marek; Michael Watson Jr
> Cc: libvirt-users
>
> Watson / Kyle:
>
> (note I copied the list)
>
> While I read https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoMisc, it is not
> clear that it is intended to add the iptables action without regard to the rule's
> direction.
>
> Take the following rule scenarios:
>
> <rule action='accept' direction='in' priority='500' statematch='false'>
>   <tcp dstportstart='22'/>
> </rule>
> <rule action='drop' direction='in' priority='1000'>
>   <all/>
> </rule>
>
> # iptables-save | grep vnet5 | tee in
> :FI-vnet5 - [0:0]
> :FO-vnet5 - [0:0]
> :HI-vnet5 - [0:0]
> -A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A FI-vnet5 -j DROP
> -A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FO-vnet5 -j DROP
> -A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A HI-vnet5 -j DROP
> -A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
> -A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
> -A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
> -A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
>
> <rule action='accept' direction='in' priority='500' statematch='false'>
>   <tcp dstportstart='22'/>
> </rule>
> <rule action='drop' direction='out' priority='1000'>
>   <all/>
> </rule>
>
> # iptables-save | grep vnet5 | tee out
> :FI-vnet5 - [0:0]
> :FO-vnet5 - [0:0]
> :HI-vnet5 - [0:0]
> -A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A FI-vnet5 -j DROP
> -A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FO-vnet5 -j DROP
> -A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A HI-vnet5 -j DROP
> -A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
> -A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
> -A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
> -A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
>
> <rule action='accept' direction='in' priority='500' statematch='false'>
>   <tcp dstportstart='22'/>
> </rule>
> <rule action='drop' direction='inout' priority='1000'>
>   <all/>
> </rule>
>
> # iptables-save | grep vnet5 | tee inout
> :FI-vnet5 - [0:0]
> :FO-vnet5 - [0:0]
> :HI-vnet5 - [0:0]
> -A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A FI-vnet5 -j DROP
> -A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FO-vnet5 -j DROP
> -A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A HI-vnet5 -j DROP
> -A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
> -A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
> -A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
> -A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
>
> We note that the
>
> -A HI-vnet5 -j DROP
> -A FI-vnet5 -j DROP
> -A FO-vnet5 -j DROP
>
> are present without regard to the state of the direction attribute on the "default" drop
> rule.
>
> If the direction is "in" then the "-A FI-vnet5 -j DROP" should not exist.
>
> What does the source code say? I worry that either the docs are imprecise and this is
> desired, or there is a bug and I can end up like
After looking at libvirt-4.5.0/src/nwfilter/nwfilter_ebiptables_driver.c's
_iptablesCreateRuleInstance and iptablesCreateRuleInstanceStateCtrl, I saw
if statements like the ones below.

    /* nwfilter_ebiptables_driver.c, around line 1598 */
    if (directionIn && !inout) {
        if ((rule->flags & IPTABLES_STATE_FLAGS))
            create = false;
    }

    /* nwfilter_ebiptables_driver.c, around line 1629 */
    if (!directionIn) {
        if ((rule->flags & IPTABLES_STATE_FLAGS))
            create = false;
    }
Is the only way to respect the direction to have <all state='something...'/>?
If that is the case, the docs really need an update to note this.
For others, my deny inbound, allow outbound was accomplished by:

    <rule action='accept' direction='in' priority='999'>
      <all state='ESTABLISHED,RELATED'/>
    </rule>
    <rule action='drop' direction='in' priority='1000'>
      <all state='NONE'/>
    </rule>
-Jason
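As an added verification check (not part of this thread and not libvirt's code), the script below reads `iptables-save` output and reports, for each per-interface chain, which traffic flow feeds it and whether it ends in an unconditional DROP. The flow labels are inferred from the `--physdev-in` / `--physdev-out` dispatch rules; the chain names and the constructed sample are taken from the listing quoted above, and the function names are my own.

```python
import re

# Constructed sample input: the iptables-save lines for vnet5 quoted above.
SAMPLE = """\
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
"""

RULE_RE = re.compile(r"^-A (\S+)(.*?)(?: -[jg] (\S+))?$")

def parse_rules(text):
    """Map chain name -> [(match expression, target)] in rule order."""
    chains = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chains.setdefault(m.group(1), []).append((m.group(2).strip(), m.group(3)))
    return chains

def audit_interface(chains, iface):
    """Per-interface chains: feeding flow, what they pass, unconditional tail target."""
    # --physdev-in <tap>: frames entering the bridge from the VM's tap (VM -> out);
    # --physdev-out <tap>: frames leaving the bridge toward the tap (out -> VM).
    flow = {}
    for rules in chains.values():
        for match, target in rules:
            if target and target.endswith("-" + iface):
                if f"--physdev-in {iface}" in match:
                    flow[target] = "vm->host" if target.startswith("HI-") else "vm->network"
                elif f"--physdev-out {iface}" in match:
                    flow[target] = "network->vm"
    report = {}
    for chain, direction in flow.items():
        rules = chains.get(chain, [])
        tail_match, tail_target = rules[-1] if rules else ("", None)
        report[chain] = {"flow": direction,
                         "passes": [m for m, t in rules if t in ("ACCEPT", "RETURN")],
                         "default": tail_target if tail_match == "" else None}
    return report

def flows_with_catch_all_drop(report):
    """Flows ending in an unconditional DROP; compare with the drop rule's direction."""
    return sorted(v["flow"] for v in report.values() if v["default"] == "DROP")
```

Run against the listing above it reports all three flows as ending in DROP, which is exactly the mismatch with direction='in' that the thread describes.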