
Dear Yalan,

that did the trick. If I look in the NAT table of the bridge I can see the generated rules. Probably wouldn't have thought about that ever. Thanks a lot!

Best
Sam

On 29.12.18 06:51, Yalan Zhang wrote:
Hi Sam,
You can find the rules with the command below, and the output looks like this:

# ebtables -t nat --list
Bridge table: nat
Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-j OUTPUT_direct

Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
-j POSTROUTING_direct
-o vnet0 -j libvirt-O-vnet0

Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN

Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN

Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4-ip
-p IPv4 -j ACCEPT
-p ARP -j I-vnet0-arp-mac
-p ARP -j I-vnet0-arp-ip
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j ACCEPT
-p 0x8035 -j O-vnet0-rarp
-j DROP

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP

Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
-j ACCEPT

Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 172.16.1.2 -j RETURN
-j DROP

Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -s 52:54:0:3a:40:b7 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
-j DROP

Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
-j DROP
This is for an interface configured as:

<interface type='bridge'>
  <mac address='52:54:00:3a:40:b7'/>
  <source bridge='br0'/>
  <target dev='vnet0'/>
  <model type='rtl8139'/>
  <filterref filter='clean-traffic'>
    <parameter name='IP' value='172.16.1.2'/>
  </filterref>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
-------
Best Regards,
Yalan Zhang
IRC: yalzhang
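The listing above is what you want to verify after attaching clean-traffic: the per-interface chains must RETURN only for the guest's own MAC and IP and then DROP everything else, and the PREROUTING chain must actually divert `-i vnet0` into them. The script below is an added example (not part of the thread and not libvirt's code) that parses `ebtables -t nat --list` output and checks those pins for one interface. The sample listing embedded in it is constructed from the chains quoted above, trimmed to the ones the check reads; the check expects the DHCP exception (`--ip-src 0.0.0.0 --ip-proto udp`) and the chain names `libvirt-I-<dev>`, `I-<dev>-mac`, `I-<dev>-ipv4-ip`, `I-<dev>-arp-mac`, `I-<dev>-arp-ip`, which are assumptions taken from the listing, not from libvirt documentation. Note that ebtables prints MAC octets without leading zeros (`52:54:0:3a:40:b7`) while the domain XML has `52:54:00:3a:40:b7`, so both sides are normalised before comparing.

```python
"""Check that libvirt's clean-traffic nwfilter has pinned a guest interface
to its declared MAC and IP, by parsing `ebtables -t nat --list` output.
Added example, not libvirt's code; chain names are assumptions from the
thread's listing."""
import re
import sys

# Constructed sample: the listing quoted in the thread, trimmed to the chains
# this check reads (the *_direct, outbound and RARP chains are left out).
SAMPLE_LISTING = """\
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4-ip
-p IPv4 -j ACCEPT
-p ARP -j I-vnet0-arp-mac
-p ARP -j I-vnet0-arp-ip
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x8035 -j ACCEPT
-j DROP

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP

Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 172.16.1.2 -j RETURN
-j DROP
"""

CHAIN_RE = re.compile(r"^Bridge chain: (\S+), entries: (\d+), policy: (\S+)$")


def parse_listing(text):
    """Map chain name -> {"policy": str, "rules": [[token, ...], ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Bridge table:"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(3), "rules": []}
        elif current is not None:
            chains[current]["rules"].append(line.split())
    return chains


def norm_mac(mac):
    """Zero-pad octets so ebtables' 52:54:0:3a:40:b7 equals the XML's form."""
    try:
        return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))
    except ValueError:          # e.g. the symbolic "Broadcast" address
        return mac


def _returns_for(rules, option):
    """Values of `option` on RETURN rules: the allow-list of a pinning chain."""
    return {r[r.index(option) + 1] for r in rules
            if r[-2:] == ["-j", "RETURN"] and option in r}


def _ends_in_drop(rules):
    return bool(rules) and rules[-1] == ["-j", "DROP"]


def check_clean_traffic(chains, dev, mac, ip):
    """Return a list of findings; an empty list means dev is pinned to (mac, ip)."""
    findings = []
    inbound = f"libvirt-I-{dev}"
    if ["-i", dev, "-j", inbound] not in chains.get("PREROUTING", {}).get("rules", []):
        findings.append(f"PREROUTING does not divert -i {dev} into {inbound}")
    if not _ends_in_drop(chains.get(inbound, {}).get("rules", [])):
        findings.append(f"{inbound} does not end in an unconditional DROP")
    # (chain, match option, normaliser, expected values, always-tolerated values)
    pins = [
        (f"I-{dev}-mac", "-s", norm_mac, {norm_mac(mac)}, set()),
        (f"I-{dev}-arp-mac", "--arp-mac-src", norm_mac, {norm_mac(mac)}, set()),
        # 0.0.0.0/udp is tolerated so the guest can still send DHCP DISCOVER
        (f"I-{dev}-ipv4-ip", "--ip-src", str, {ip}, {"0.0.0.0"}),
        (f"I-{dev}-arp-ip", "--arp-ip-src", str, {ip}, set()),
    ]
    for chain, opt, norm, want, tolerated in pins:
        rules = chains.get(chain, {}).get("rules")
        if rules is None:
            findings.append(f"chain {chain} is missing")
            continue
        seen = {norm(v) for v in _returns_for(rules, opt)}
        if want - seen:
            findings.append(f"{chain} does not allow {sorted(want - seen)}")
        if seen - want - tolerated:
            findings.append(f"{chain} also lets through {sorted(seen - want - tolerated)}")
        if not _ends_in_drop(rules):
            findings.append(f"{chain} does not end in DROP")
    return findings


if __name__ == "__main__":
    # Usage: python check.py  (sample)  or  ebtables -t nat --list | python check.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LISTING
    problems = check_clean_traffic(parse_listing(text), "vnet0", "52:54:00:3a:40:b7", "172.16.1.2")
    print("\n".join(problems) if problems else "vnet0 is pinned to its MAC and IP")
```

Against the sample the check passes; change the expected IP to 172.16.1.3 and it reports both that the IPv4 and ARP chains do not allow the new address and that they still let 172.16.1.2 through, which is exactly what you would see if the `IP` parameter in the filterref had been changed without the filter being re-instantiated.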