On 05/27/2014 02:46 AM, Brian Rak wrote:
> Make sure you have:
>
> /proc/sys/net/bridge/bridge-nf-call-iptables = 1
That doesn't make sense. bridge-nf-call-iptables controls whether or not
traffic going across a Linux host bridge device will be sent through
iptables, but the rules created by nwfilter are applied to the "vnetX"
tap devices that connect the guest to the bridge, not to the bridge itself.
It may
not make sense to you, but that is what's necessary for nwfilter
to work. You can even look at the code:
> On 5/26/2014 1:35 PM, Matt LaPlante wrote:
>> I'm trying to accomplish what I had hoped would be a fairly simple
>> filtering of traffic to my VMs, but I'm hitting a snag. The VMs are
>> allowing traffic when I wouldn't expect them to.
>>
>> Host and Guest are both running the same platform:
>> Ubuntu 12.04.4 LTS
>> 0.9.8-2ubuntu17.19
>>
>> I have a basic bridge enabled on the host:
>> brctl addbr brdg
>> brctl addif brdg eth1
>> ip link set brdg up
>>
>> The host has iptables support:
>> root@host:~# lsmod | grep filt
>> ip6table_filter 12815 0
>> ip6_tables 27864 2 ip6table_filter,xt_TPROXY
>> iptable_filter 12810 1
>> ip_tables 27473 4
>> iptable_raw,iptable_nat,iptable_mangle,iptable_filter
>> x_tables 29891 52
>>
ebt_arp,ebt_ip,ip6table_filter,ebtables,xt_time,xt_connlimit,xt_realm,xt_addrtype,iptable_raw,xt_comment,xt_recent,xt_policy,ipt_ULOG,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,xt_set,xt_TPROXY,ip6_tables,xt_tcpmss,xt_pkttype,xt_physdev,xt_owner,xt_NFQUEUE,xt_NFLOG,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_iprange,xt_helper,xt_hashlimit,xt_DSCP,xt_dscp,xt_dccp,xt_conntrack,xt_connmark,xt_CLASSIFY,xt_AUDIT,ipt_LOG,xt_tcpudp,xt_state,iptable_nat,iptable_mangle,iptable_filter,ip_tables
>>
>>
>> Guest network using bridge:
>> <interface type='bridge'>
>> <mac address='00:11:22:33:44:55'/>
>> <source bridge='brdg'/>
>> <model type='virtio'/>
>> <filterref filter='outbound-only'/>
>> <address type='pci' domain='0x0000' bus='0x00'
slot='0x03'
>> function='0x0'/>
>> </interface>
>>
>> <filter name='outbound-only' chain='root'>
>> <uuid>0c834381-402c-faf3-019f-eb5a40ea6b61</uuid>
>> <filterref filter='allow-arp'/>
>> <filterref filter='allow-dhcp'/>
>> <filterref filter='qemu-announce-self'/>
>> <filterref filter='no-other-l2-traffic'/>
>> </filter>
Comparing the examples on this page:
http://libvirt.org/formatnwfilter.html
to the contents of the no-other-l2-traffic filter, I see that the
manually constructed examples of "block all other traffic" on that page
include an <all/> element in the filter. Possibly that was accidentally
left out of the no-other-l2-traffic filter, so it isn't actually
blocking anything? (that's just a guess, as I don't personally use
nwfilter and don't have time to try it out right now)
>> My goal is to allow the guest to reach the internet, but not allow the
>> internet or other guests to reach this guest. I realize this config
>> is not sufficient for that, but I can't get any farther until I
>> understand the current behavior. From the look of the config, this
>> should essentially not be allowing anything except arp and dhcp. And
>> yet, the host has full connectivity. I can run apt-get update on the
>> VM, I can ping the VM from other nodes in my network, etc. It's
>> basically wide-open. So either one of the included rules is not
>> working as advertised, or I'm misunderstanding some feature of the
>> filtering process.