Hello People.
We are currently exploring the possibility of using libvirt and kvm/qemu
for production purposes. The general stability seems good enough and the
performance is great. There are some issues we do not understand here
yet. For security reasons we are considering the extensive use of
network filters for virtual machines. But we found a simple scheme for
a test server not to be working as we expected. It might well be that we
misunderstand something here, so I am hoping someone could point out to
us where either we or perhaps libvirt failed in this example.
We are using an Ubuntu 13.04 server running the provided
"1.0.2-0ubuntu11.13.04.2" libvirt-bin on the amd64 architecture.
The type of VM should not be relevant for this problem. It's a
Linux-based XMPP server which uses ucarp.
I reduced the used filter file just so I could prove my point. It contains:
<filter name='linux-based-xmpp-server' chain='root'>
  <uuid>fb539996-eed5-11e2-8bd3-00e081e0f040</uuid>
  <rule action='accept' direction='in' priority='999'>
    <tcp state='NEW' dstportstart='5222'/>
  </rule>
  <rule action='accept' direction='in' priority='999'>
    <tcp state='NEW' dstportstart='5269'/>
  </rule>
  <rule action='accept' direction='inout' priority='999'>
    <ip dstipaddr='224.0.0.18' proto='112'/>
  </rule>
  <rule action='reject' direction='inout' priority='999'>
    <all/>
  </rule>
</filter>
Practically it should allow incoming TCP traffic on ports 5222 and 5269,
and incoming and outgoing traffic for IP protocol 112 to destination IP
224.0.0.18 (VRRP, used by ucarp). All other traffic should be rejected.
There is only one VM on the system and the VM has this ruleset attached.
Note: It is clear to me that this example won't work as a real-world
example, because packets of the state ESTABLISHED,RELATED are not
allowed through the firewall. I removed these rules because they were
in a filter file I referenced.
After reloading libvirt-bin I do get part of the rules I would
expect in iptables:
Chain FI-vnet0 (1 references)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5269 state NEW
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain HI-vnet0 (1 references)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
What is missing is any reference to the rule for ucarp (protocol 112).
Please note, though, that removing the protocol and just allowing any IP
traffic to 224.0.0.18 as a rule does not appear in iptables either.
Am I misunderstanding anything here? Is there a bug in libvirt? How do
you interpret this?
Do you know of any other way to achieve the simple ruleset intended?
I am hoping to get more information from this list. If you are replying,
please cc me (matthias.babisch(a)bmiag.de), because I receive this list as
a digest.
Sincerely
Matthias Babisch
IT/Organisation
*b+m Informatik AG*
Rotenhofer Weg 20
24109 Melsdorf
T +49 4340/404-1444
F +49 4340/404-111
M +49 160/8866426
matthias.babisch(a)bmiag.de
Current information at www.bmiag.de
b+m Informatik AG is a company of the Allgeier Group
(http://www.allgeier-holding.de)
Chairman of the Supervisory Board: Dr. Marcus Goedsche
Management Board: Dipl-Ing. Frank Mielke
Kiel Local Court, HRB 5526
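A small helper added here (not part of the message above, nor libvirt's own code) that reads the posted filter and tags each rule with the host tool libvirt renders it through; the protocol-to-backend mapping is an assumption taken from the libvirt nwfilter documentation, under which layer-2/3 elements such as `ip` are rendered with ebtables rather than iptables, so an `iptables -L` listing alone would not show the protocol-112 rule.

```python
import xml.etree.ElementTree as ET

# The filter posted in the message above, embedded as this example's input.
FILTER_XML = """<filter name='linux-based-xmpp-server' chain='root'>
  <uuid>fb539996-eed5-11e2-8bd3-00e081e0f040</uuid>
  <rule action='accept' direction='in' priority='999'>
    <tcp state='NEW' dstportstart='5222'/>
  </rule>
  <rule action='accept' direction='in' priority='999'>
    <tcp state='NEW' dstportstart='5269'/>
  </rule>
  <rule action='accept' direction='inout' priority='999'>
    <ip dstipaddr='224.0.0.18' proto='112'/>
  </rule>
  <rule action='reject' direction='inout' priority='999'>
    <all/>
  </rule>
</filter>"""

# Assumption (from the libvirt nwfilter documentation, not from the post):
# layer-2/3 elements are rendered with ebtables, layer-4 and catch-all
# elements with iptables/ip6tables.
EBTABLES_PROTOS = {"mac", "vlan", "stp", "arp", "rarp", "ip", "ipv6"}
IPTABLES_PROTOS = {"tcp", "udp", "sctp", "icmp", "igmp", "esp", "ah", "udplite",
                   "all", "tcp-ipv6", "udp-ipv6", "sctp-ipv6", "icmpv6",
                   "esp-ipv6", "ah-ipv6", "udplite-ipv6", "all-ipv6"}

def backend_for(proto):
    """Name the host tool libvirt renders this protocol element with."""
    if proto in EBTABLES_PROTOS:
        return "ebtables"
    return "iptables" if proto in IPTABLES_PROTOS else "unknown"

def parse_rules(xml_text):
    """Flatten each <rule> into one record per protocol element."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("rule"):
        for elem in rule:
            rules.append({"action": rule.get("action"),
                          "direction": rule.get("direction"),
                          "proto": elem.tag, "match": dict(elem.attrib),
                          "backend": backend_for(elem.tag)})
    return rules

def rules_not_rendered_in(rules, backend):
    """Rules that will not show up when listing only this backend."""
    return [r for r in rules if r["backend"] != backend]

for r in rules_not_rendered_in(parse_rules(FILTER_XML), "iptables"):
    print("not in iptables:", r["proto"], r["match"], "->", r["backend"])
```

When checking a filter this way, list the ebtables chains as well as the iptables ones so that layer-2/3 rules are not mistaken for missing rules.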