Watson / Kyle:

(note I copied the list)

While I read https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoMisc , it is not clear that it is intended to add the iptables action without regard to the rule’s direction.

Take the following rule scenarios:

 

  <rule action='accept' direction='in' priority='500' statematch='false'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='drop' direction='in' priority='1000'>
    <all/>
  </rule>

# iptables-save  | grep vnet5 | tee in
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5

 

  <rule action='accept' direction='in' priority='500' statematch='false'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='drop' direction='out' priority='1000'>
    <all/>
  </rule>

# iptables-save  | grep vnet5 | tee out
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5

 

  <rule action='accept' direction='in' priority='500' statematch='false'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='drop' direction='inout' priority='1000'>
    <all/>
  </rule>

# iptables-save  | grep vnet5 | tee inout
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5

 

We note that the

-A HI-vnet5 -j DROP
-A FI-vnet5 -j DROP
-A FO-vnet5 -j DROP

are present without regard to the state of the direction attribute on the “default” drop rule.

If the direction is “in” then the “-A FI-vnet5 -j DROP” should not exist.

What does the source code say? I worry that either the docs are imprecise and this is desired, or there is a bug and I can end up like https://superuser.com/questions/1660080/in-libvirt-network-filters-nwfilter-what-does-the-all-protocol-type-indicat

As this is going to be a generic rule, applied many times – I would prefer not to have MAC-based source allow rules.

-Jason
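The question in the mail above is whether the catch-all DROP is installed in chains for directions the XML rule did not name. As an added example (not part of the mail and not libvirt code), here is a small Python audit that parses the iptables-save lines quoted above, embedded as constructed sample input, and reports for each VM-relative direction whether an unconditional DROP is present; it assumes the chain-to-direction mapping read off the jump rules in that listing, namely FI-/HI- chains are reached via --physdev-in vnet5 (frames leaving the VM, nwfilter "out") and FO- via --physdev-out vnet5 (frames delivered to the VM, nwfilter "in").

```python
# Added example (not libvirt code): audit which VM-relative directions get a catch-all DROP.
import re

# Constructed sample input: the iptables-save lines for vnet5 quoted above.
SAMPLE = """\
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
"""

# Assumed mapping from chain prefix to nwfilter direction, read off the jump
# rules: FI-/HI- are entered via --physdev-in (frames leaving the VM, "out"),
# FO- via --physdev-out (frames delivered to the VM, "in").
CHAIN_DIRECTION = {"FI": "out", "HI": "out", "FO": "in"}

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<match>.*?) -j (?P<target>\S+)$")

def parse_rules(text):
    """Yield (chain, match expression, target) for every '-A ... -j ...' line."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            yield m.group("chain"), m.group("match").strip(), m.group("target")

def unconditional_drops(text, iface):
    """Directions (VM-relative) in which a match-everything DROP is installed."""
    found = set()
    for chain, match, target in parse_rules(text):
        prefix, _, dev = chain.partition("-")
        if dev == iface and prefix in CHAIN_DIRECTION and target == "DROP" and not match:
            found.add(CHAIN_DIRECTION[prefix])
    return sorted(found)

def expected_directions(rule_direction):
    """nwfilter <rule direction='...'> value -> VM-relative directions it names."""
    return {"in": ["in"], "out": ["out"], "inout": ["in", "out"]}[rule_direction]

def check(text, iface, rule_direction):
    """True if the installed catch-all DROPs cover exactly the XML rule's direction."""
    return unconditional_drops(text, iface) == expected_directions(rule_direction)
```

Run against the listing above, the audit reports a catch-all DROP in both directions, so it agrees with the XML only for direction='inout'.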