I have the need to modify the behavior of the virtual network driver and
how it deals with routed networks. I'm running libvirt-0.8.3-2.fc14.
According to
http://libvirt.org/firewall.html, the following is
automatically added to the FORWARD chain of iptables when a network type
of "routed" is started up:
"Allow inbound, but only to our expected subnet. Allow outbound, but only
from our expected subnet. Allow traffic between guests. Deny all other
inbound. Deny all other outbound. "
The part of this that I need to adjust is the fact that only IPs on my
subnet will be allowed in and out. I have IP addresses assigned to my
guests that have static routes configured on the hypervisor to route to
the local bridged interface. I have to do this due to the way the
surrounding routers and switches on the network are configured to handle
public IP addresses and MAC address filtering. Here is an example of my
config where the public IP address on the guest machine is 1.1.2.2:
My network to do the routing mode:
<network>
  <name>local</name>
  <forward dev='eth0' mode='route'/>
  <bridge name='virbr_local' stp='on' delay='0' />
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>
The network portion of the domain:
<interface type='network'>
  <mac address='xx:xx:xx:cc:xx:xx'/>
  <source network='local'/>
  <target dev='vnet0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>
And finally the static route configured on the hypervisor to get the
routed traffic from eth0 on the hypervisor down to the virbr_local device:
# ip route add 1.1.2.2 dev virbr_local
This will set up the iptables filters just as the documentation defines,
but the problem is that all traffic from the guest will get REJECTED by
iptables due to the source and destination IP not falling within
192.168.122.0/24.
I've tried adding a custom filter into the network filter driver, but
haven't had much luck. Here are some of the things that I've tried.
The custom network filter. Notice that I'm using tcp, udp, and icmp
specifically. I'm doing this so it will force inclusion into the iptables
filtering rules rather than ebtables.
<filter name='my-static-ip' chain='root'>
  <rule action='accept' direction='out' priority='500'>
    <tcp srcipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <udp srcipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <icmp srcipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <udp dstipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <icmp dstipaddr='$MYIP'/>
  </rule>
</filter>
And the modifications made to the domain's network interface definition:
<interface type='network'>
  <mac address='xx:xx:xx:xx'/>
  <source network='local'/>
  <target dev='vnet0'/>
  <filterref filter='my-static-ip'>
    <!-- the parameter value must be quoted, otherwise the XML does not parse -->
    <parameter name='MYIP' value='1.1.2.2'/>
  </filterref>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>
With the exception of simply manually adding iptables rules in place after
I start the network using virsh, does anyone know how to accomplish what
I'm trying to do?
Ryan Sumner
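As an added illustration that is not part of Ryan's post: a small first-match evaluator over a constructed approximation of the FORWARD chain libvirt builds for the routed network above (the exact rule text is an assumption based on the five behaviours the firewall documentation lists), showing why traffic from the routed public IP is rejected and how ACCEPT rules inserted ahead of libvirt's REJECT rules change the verdict for that IP only.

```python
import ipaddress
import shlex

# Constructed approximation of libvirt's FORWARD rules for the routed network on
# the page (subnet 192.168.122.0/24, bridge virbr_local, uplink eth0): inbound only
# to the subnet, outbound only from it, guest-to-guest, then reject the rest.
LIBVIRT_FORWARD = """
-A FORWARD -d 192.168.122.0/24 -i eth0 -o virbr_local -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr_local -o eth0 -j ACCEPT
-A FORWARD -i virbr_local -o virbr_local -j ACCEPT
-A FORWARD -o virbr_local -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr_local -j REJECT --reject-with icmp-port-unreachable
""".strip().splitlines()

# Narrow ACCEPT rules for the routed public IP used as a placeholder in the post
# (1.1.2.2); "-I" puts them in front of libvirt's REJECT rules.
STATIC_IP_RULES = [
    "-I FORWARD -d 1.1.2.2 -i eth0 -o virbr_local -j ACCEPT",
    "-I FORWARD -s 1.1.2.2 -i virbr_local -o eth0 -j ACCEPT",
]

def parse_rule(line):
    """Extract the -i/-o/-s/-d matches and the -j target from one rule line."""
    toks = shlex.split(line)
    keys = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-j": "target"}
    rule = dict.fromkeys(keys.values())
    for i, tok in enumerate(toks):
        if tok in keys:
            rule[keys[tok]] = toks[i + 1]
    return rule

def matches(rule, src, dst, in_if, out_if):
    """True if every match present in the rule fits the packet."""
    if rule["in"] and rule["in"] != in_if:
        return False
    if rule["out"] and rule["out"] != out_if:
        return False
    for key, addr in (("src", src), ("dst", dst)):
        if rule[key] and ipaddress.ip_address(addr) not in \
                ipaddress.ip_network(rule[key], strict=False):
            return False
    return True

def verdict(rules, src, dst, in_if, out_if, policy="ACCEPT"):
    """First-match evaluation of a FORWARD chain for one packet."""
    for line in rules:
        rule = parse_rule(line)
        if matches(rule, src, dst, in_if, out_if):
            return rule["target"]
    return policy  # chain policy applies when nothing matched

def chain_with_static_rules():
    """Chain as it looks after the two -I inserts (later insert ends up first)."""
    head = [l.replace("-I FORWARD", "-A FORWARD") for l in reversed(STATIC_IP_RULES)]
    return head + LIBVIRT_FORWARD
```

Because the inserted rules match only 1.1.2.2 on the expected interface pair, other off-subnet addresses behind the bridge still hit libvirt's REJECT rules.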