Watson / Kyle:
(note I copied the list)
While I read https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoMisc , it is not clear that it is intended to add the iptables action without regard to the rule’s direction.
Take the following rule scenarios:
<rule action='accept' direction='in' priority='500' statematch='false'>
<tcp dstportstart='22'/>
</rule>
<rule action='drop' direction='in' priority='1000'>
<all/>
</rule>
# iptables-save | grep vnet5 | tee in
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
<rule action='accept' direction='in' priority='500' statematch='false'>
<tcp dstportstart='22'/>
</rule>
<rule action='drop' direction='out' priority='1000'>
<all/>
</rule>
# iptables-save | grep vnet5 | tee out
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
<rule action='accept' direction='in' priority='500' statematch='false'>
<tcp dstportstart='22'/>
</rule>
<rule action='drop' direction='inout' priority='1000'>
<all/>
</rule>
# iptables-save | grep vnet5 | tee inout
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
We note that the
-A HI-vnet5 -j DROP
-A FI-vnet5 -j DROP
-A FO-vnet5 -j DROP
lines are present without regard to the state of the direction attribute on the "default" drop rule.
If the direction is "in" then the "-A FI-vnet5 -j DROP" should not exist.
What does the source code say? I worry that either the docs are imprecise and this is desired, or there is a bug and I can end up like https://superuser.com/questions/1660080/in-libvirt-network-filters-nwfilter-what-does-the-all-protocol-type-indicat
As this is going to be a generic rule, applied many times – I would prefer not to have mac based source allow rules.
-Jason
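The comparison Jason is doing by eye above, written out as an added example (this is not code from the post or from libvirt): the script embeds the filter rules and the iptables-save excerpt from the post as constructed inputs, finds every unconditional `-j DROP` in the per-interface FI-/FO-/HI- chains, and reports the chains whose drop the rule's direction attribute does not call for. The chain-to-direction mapping is an assumption read off the post's own output: the direction='in' accept rule for destination port 22 lands in FO-vnet5 as `--dport 22 -j ACCEPT`, so 'in' is taken to mean FO-, 'out' to mean FI- and HI-, and 'inout' all three. The filter name `example` and the helper names are made up for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the two rules from the post, with the drop rule's
# direction left as a placeholder so all three scenarios can be built.
FILTER_TEMPLATE = """<filter name='example'>
<rule action='accept' direction='in' priority='500' statematch='false'>
<tcp dstportstart='22'/>
</rule>
<rule action='drop' direction='{direction}' priority='1000'>
<all/>
</rule>
</filter>"""

# Constructed input: the iptables-save excerpt the post shows; it is the
# same for the 'in', 'out' and 'inout' scenarios, so one copy serves.
IPTABLES_SAVE = """:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5"""

# Assumption, read off the post's output: FO- carries frames leaving the
# bridge towards the VM (direction 'in'); FI-/HI- carry frames arriving
# from the VM (direction 'out').
EXPECTED_CHAINS = {
    'in': {'FO'},
    'out': {'FI', 'HI'},
    'inout': {'FI', 'FO', 'HI'},
}


def make_filter(drop_direction):
    """Build the constructed filter XML for one drop-rule direction."""
    return FILTER_TEMPLATE.format(direction=drop_direction)


def chains_for_interface(save_text, ifname):
    """Return {chain: [rule text]} for the FI-/FO-/HI- chains of ifname."""
    pat = re.compile(r'^-A ((?:FI|FO|HI)-%s) (.*)$' % re.escape(ifname))
    chains = {}
    for line in save_text.splitlines():
        m = pat.match(line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def unconditional_targets(chains):
    """Targets of rules with no match at all (e.g. '-j DROP'), per chain.
    Such a rule applies to every packet that reaches the chain."""
    result = {}
    for chain, rules in chains.items():
        result[chain] = [r[3:] for r in rules
                         if r.startswith('-j ') and ' ' not in r[3:]]
    return result


def catchall_drop_directions(xml_text):
    """Direction attribute of every drop rule whose only match is <all/>."""
    root = ET.fromstring(xml_text)
    dirs = set()
    for rule in root.iter('rule'):
        kids = list(rule)
        if rule.get('action') == 'drop' and len(kids) == 1 and kids[0].tag == 'all':
            dirs.add(rule.attrib['direction'])
    return dirs


def check_drop_placement(xml_text, save_text, ifname):
    """Per chain prefix: (has an unconditional DROP, direction asks for one)."""
    expected = set()
    for direction in catchall_drop_directions(xml_text):
        expected |= EXPECTED_CHAINS[direction]
    targets = unconditional_targets(chains_for_interface(save_text, ifname))
    report = {}
    for prefix in ('FI', 'FO', 'HI'):
        drops = targets.get('%s-%s' % (prefix, ifname), [])
        report[prefix] = ('DROP' in drops, prefix in expected)
    return report


def unexpected_drops(xml_text, save_text, ifname):
    """Chains ending in a catch-all DROP that the direction does not call for."""
    report = check_drop_placement(xml_text, save_text, ifname)
    return sorted(p for p, (has_drop, wanted) in report.items()
                  if has_drop and not wanted)


if __name__ == '__main__':
    for direction in ('in', 'out', 'inout'):
        extra = unexpected_drops(make_filter(direction), IPTABLES_SAVE, 'vnet5')
        print('drop direction=%-5s unexpected DROP in: %s' % (direction, extra or 'none'))
```

Against the post's output the 'in' scenario flags FI- and HI-, the 'out' scenario flags FO-, and only 'inout' comes out clean, which is exactly the observation in the post. To run it against a live host, replace `IPTABLES_SAVE` with the output of `iptables-save` and `FILTER_TEMPLATE` with the filter XML from `virsh nwfilter-dumpxml`.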