Hi,

I am contacting you as I am having difficulties using nwfilter on a KVM host.

I want to implement flow filtering between my Linux guests.

I created the following filter:

cat admin-dmz-internet.xml
<filter name='admin-dmz-internet'>
        <!-- this zone is an SSH incoming-only zone -->
        <!-- but SSH can go to another SSH proxy -->
        <filterref filter='clean-traffic' />

        <!-- enable SSH (tcp port 22) to go inside the zone -->
        <rule action='accept' direction='in'>
                <tcp dstportstart='22'/>
        </rule>


        <!-- accept the SSH to the other host out -->
        <rule action='accept' direction='out'>
                <tcp dstipaddr='192.168.150.50' dstportstart='22' />
        </rule>

        <!-- deny explicitly all other flows to go outside -->
        <rule action='drop' direction='inout'>
                <all/>
        </rule>

</filter>


Then I define it:
virsh nwfilter-define admin-dmz-internet.xml
Filtre réseau admin-dmz-internet défini depuis admin-dmz-internet.xml


The filters are defined:

virsh nwfilter-list
 UUID                                  Nom                 
------------------------------------------------------------------
 4ae1f709-4767-4148-9b02-9065da3d8d8a  admin-dmz-internet 
 7d32639b-5e6e-4dfe-b07b-e798bbd89adb  allow-arp   


I then assigned the filter to my VM:

<interface type='network'>
      <mac address='52:54:00:36:7d:99'/>
      <source network='adm-from-net'/>
      <ip address='192.168.130.229' family='ipv4'/>
      <model type='virtio'/>
      <filterref filter='admin-dmz-internet'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>


and restarted libvirtd and started the VM:
systemctl restart libvirtd
virsh start externeSSH


However, the filter doesn't work; I can pass all the flows I want.... :(

To debug, I looked at the iptables rules. We see that no packets go to the filter's rules:

Chain FI-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 ctstate ESTABLISHED ctdir REPLY
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            192.168.150.50       tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FO-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 ACCEPT     tcp  --  *      *       192.168.150.50       0.0.0.0/0            tcp spt:22 ctstate ESTABLISHED ctdir REPLY
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain HI-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 ctstate ESTABLISHED ctdir REPLY
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            192.168.150.50       tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain libvirt-host-in (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 HI-vnet0   all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  PHYSDEV match --physdev-in vnet0

Chain libvirt-in (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 FI-vnet0   all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  PHYSDEV match --physdev-in vnet0

Chain libvirt-in-post (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet0

Chain libvirt-out (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 FO-vnet0   all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  PHYSDEV match --physdev-out vnet0 --physdev-is-bridged


How can I make the rules work?

I am on CentOS 7 and the libvirt packages are as follows:

rpm -qa | grep libvirt
libvirt-daemon-kvm-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-config-network-1.2.17-13.el7_2.3.x86_64
libvirt-python-1.2.17-2.el7.x86_64
libvirt-client-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-network-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-secret-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-nodedev-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-qemu-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-storage-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-config-nwfilter-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-interface-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-lxc-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-nwfilter-1.2.17-13.el7_2.3.x86_64
libvirt-1.2.17-13.el7_2.3.x86_64


Thanks in advance for your help.

Regards,

JF
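Added example (editor's note, not part of the post above or of libvirt): the iptables listing in the post shows zero packet counters on every chain libvirt built for vnet0, including the jump rules that use `PHYSDEV match --physdev-in vnet0`. Such physdev rules only ever see bridged frames when the kernel's bridge netfilter hook is active (`net.bridge.bridge-nf-call-iptables` = 1, which is absent from /proc/sys when the bridge netfilter code is not loaded). The script below does two checks a practitioner would run before changing any filter: it sums the `pkts` column of `iptables -nvL` output per chain and lists the FI-/FO-/HI-<vif> chains that no packet has reached, and it reports the bridge-nf sysctl state. The chain naming (`FI-`, `FO-`, `HI-` plus the tap name) is taken from the post; the sample listing is constructed (three chains copied from the post plus a made-up `FO-vnet1` with non-zero, K-abbreviated counters), and the sysctl path is an argument so it can be tested offline.

```shell
#!/bin/sh
# Added example, not from the original post: summarize per-chain packet
# counters from `iptables -nvL` output, flag the per-interface nwfilter
# chains (FI-/FO-/HI-<vif>, naming as seen in the post) that never matched
# a packet, and report whether bridged frames are handed to iptables at all.

# Constructed sample: the vnet0 chains quoted in the post (all zero) plus a
# constructed FO-vnet1 chain with non-zero, K-abbreviated counters.
SAMPLE_IPTABLES='Chain FI-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 ctstate ESTABLISHED ctdir REPLY
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            192.168.150.50       tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FO-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain HI-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FO-vnet1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  123K   18M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    17  1020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# chain_hits: read `iptables -nvL` output on stdin and print one
# "<chain> <packets>" line per chain, summing the pkts column of its rules.
# Without -x, iptables abbreviates large counters as K/M/G/T (decimal,
# rounded); use `iptables -nvxL` when exact numbers matter.
chain_hits() {
    awk '
        function to_num(s,    n) {
            n = s + 0                       # numeric prefix, suffix ignored
            if (s ~ /K$/) n *= 1000
            else if (s ~ /M$/) n *= 1000000
            else if (s ~ /G$/) n *= 1000000000
            else if (s ~ /T$/) n *= 1000000000000
            return n
        }
        /^Chain / { if (chain != "") print chain, total; chain = $2; total = 0; next }
        /^ *pkts +bytes/ { next }           # column header line
        chain != "" && $1 ~ /^[0-9]+[KMGT]?$/ { total += to_num($1) }
        END { if (chain != "") print chain, total }
    '
}

# idle_chains: list the FI-/FO-/HI- chains of interface $1 whose counters
# are all zero, i.e. chains libvirt built for the guest but no packet reached.
idle_chains() {
    chain_hits | awk -v vif="$1" '
        ($1 == ("FI-" vif) || $1 == ("FO-" vif) || $1 == ("HI-" vif)) && $2 == 0 { print $1 }
    '
}

# bridge_nf_state: report whether bridged frames are passed to iptables.
# Reads the sysctl file given as $1 (default: the live kernel setting) and
# prints "enabled", "disabled" or "missing" (bridge netfilter not loaded,
# in which case --physdev rules cannot see bridged traffic).
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ ! -r "$f" ]; then
        echo missing
    elif [ "$(cat "$f")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Offline demo on the constructed sample.  On the host you would instead
# pipe the live listing: `iptables -nvL | idle_chains vnet0`.
printf '%s\n' "$SAMPLE_IPTABLES" | chain_hits
echo "vnet0 chains that saw no packets: $(printf '%s\n' "$SAMPLE_IPTABLES" | idle_chains vnet0 | tr '\n' ' ')"
echo "bridge-nf-call-iptables: $(bridge_nf_state)"
```

If every chain of the interface is idle while the guest demonstrably sends traffic, and `bridge_nf_state` does not print `enabled`, the filter rules are not the first thing to look at: iptables is never being consulted for that bridge. Counters are reset when libvirt rebuilds the chains, so take the listing after generating some test traffic from the guest.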