I have the need to modify the behavior of the virtual network driver and how it deals with routed networks. I'm running libvirt-0.8.3-2.fc14.

According to http://libvirt.org/firewall.html, the following is automatically added to the FORWARD chain of iptables when a network type of "routed" is started up:

"Allow inbound, but only to our expected subnet. Allow outbound, but only from our expected subnet. Allow traffic between guests. Deny all other inbound. Deny all other outbound."

The part of this that I need to adjust is the fact that only IPs on my subnet will be allowed in and out. I have IP addresses assigned to my guests that have static routes configured on the hypervisor to route to the local bridged interface. I have to do this due to the way the surrounding routers and switches on the network are configured to handle public IP addresses and MAC address filtering. Here is an example of my config where the public IP address on the guest machine is 1.1.2.2:

My network to do the routing mode:

<network>
  <name>local</name>
  <forward dev='eth0' mode='route'/>
  <bridge name='virbr_local' stp='on' delay='0' />
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>

The network portion of the domain:

<interface type='network'>
  <mac address='xx:xx:xx:cc:xx:xx'/>
  <source network='local'/>
  <target dev='vnet0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>

And finally the static route configured on the hypervisor to get the routed traffic from eth0 on the hypervisor down to the virbr_local device:
# ip route add 1.1.2.2 dev virbr_local

This will set up the iptables filters just as the documentation defines, but the problem is that all traffic from the guest will get REJECTED by iptables due to the source and destination IP not falling within 192.168.122.0/24.

I've tried adding a custom filter into the network filter driver, but haven't had much luck. Here are some of the things that I've tried.

The custom network filter. Notice that I'm using tcp, udp, and icmp specifically. I'm doing this so it will force inclusion into the iptables filtering rules rather than ebtables.

<filter name='my-static-ip' chain='root'>
  <rule action='accept' direction='out' priority='500'>
    <tcp srcipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <udp srcipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <icmp srcipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <udp dstipaddr='$MYIP'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <icmp dstipaddr='$MYIP'/>
  </rule>
</filter>

And the modifications made to the domain's network interface definition:

<interface type='network'>
  <mac address='xx:xx:xx:xx'/>
  <source network='local'/>
  <target dev='vnet0'/>
  <filterref filter='my-static-ip'>
    <parameter name='MYIP' value='1.1.2.2'/>
  </filterref>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>

With the exception of simply manually adding iptables rules in place after I start the network using virsh, does anyone know how to accomplish what I'm trying to do?

Ryan Sumner
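
Added example (not part of the original post, and not libvirt's own code): a small Python model of first-match FORWARD-chain evaluation, showing why the statically routed 1.1.2.2 is rejected in both directions and why any accept rule for it only helps if it is evaluated before the reject rules. The rule shapes are assumed from the five-sentence description quoted in the post; `host_accepts` is a hypothetical helper and 203.0.113.9 is a constructed remote address.

```python
import ipaddress
from typing import NamedTuple, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

class Rule(NamedTuple):
    target: str                      # ACCEPT or REJECT
    in_if: Optional[str] = None      # None matches any interface
    out_if: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY

def routed_forward_rules(bridge, uplink, subnet):
    # Assumed rule shapes, one per sentence of the quoted description.
    net = ipaddress.ip_network(subnet)
    return [
        Rule("ACCEPT", uplink, bridge, dst=net),  # inbound, only to our subnet
        Rule("ACCEPT", bridge, uplink, src=net),  # outbound, only from our subnet
        Rule("ACCEPT", bridge, bridge),           # traffic between guests
        Rule("REJECT", out_if=bridge),            # all other inbound
        Rule("REJECT", in_if=bridge),             # all other outbound
    ]

def host_accepts(bridge, uplink, ip):
    # Hypothetical per-host exceptions for a statically routed guest address.
    host = ipaddress.ip_network(ip + "/32")
    return [Rule("ACCEPT", uplink, bridge, dst=host),
            Rule("ACCEPT", bridge, uplink, src=host)]

def verdict(rules, in_if, out_if, src, dst, policy="ACCEPT"):
    # First matching rule decides, as in an iptables chain; otherwise the policy.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.in_if in (None, in_if) and r.out_if in (None, out_if)
                and s in r.src and d in r.dst):
            return r.target
    return policy

BASE = routed_forward_rules("virbr_local", "eth0", "192.168.122.0/24")
EXTRA = host_accepts("virbr_local", "eth0", "1.1.2.2")

if __name__ == "__main__":
    flows = [("virbr_local", "eth0", "1.1.2.2", "203.0.113.9"),   # guest -> outside
             ("eth0", "virbr_local", "203.0.113.9", "1.1.2.2")]   # outside -> guest
    for name, chain in [("libvirt only", BASE), ("exceptions first", EXTRA + BASE),
                        ("exceptions last", BASE + EXTRA)]:
        print(name, [verdict(chain, *f) for f in flows])
```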