Hello People.

We are currently exploring the possibility to use libvirt and kvm/quemu for production purposes. The general stability seems good enough and the performance is great. There are some issues we do not understand here yet. For security reasons we are considering the extensive use of Networkfilters for virtual machines. But we found some simple scheme for a test-server not to be working as we expected. It might well be that we misunderstand something here, so I am hoping someone could point out to us, where either we or perhaps libvirt failed in this example.

We are using an ubuntu 13.04 Server running the provided "1.0.2-0ubuntu11.13.04.2" libvirt-bin using amd64-architecture.

The type of VM should not be relevant for this problem. Its a linux-based xmpp-Server which uses ucarp.
I reduced the used filter-file just so i could prove my point. It contains:
<filter name='linux-based-xmpp-server' chain='root'>
  <uuid>fb539996-eed5-11e2-8bd3-00e081e0f040</uuid>
  <rule action='accept' direction='in' priority='999'>
    <tcp state='NEW' dstportstart='5222'/>
  </rule>
  <rule action='accept' direction='in' priority='999'>
    <tcp state='NEW' dstportstart='5269'/>
  </rule>
  <rule action='accept' direction='inout' priority='999'>
    <ip dstipaddr='224.0.0.18' proto='112'/>
  </rule>
  <rule action='reject' direction='inout' priority='999'>
    <all/>
  </rule>
</filter>

Practically it should allow TCP-traffic on Ports 5222,5269 incoming and incoming and outgoing traffic for ip protocol 112 to destination ip 224.0.0.18 (VRRP used by ucarp). All other traffic should be rejected. There is only one VM on the system and the VM has this ruleset attached.

Note: It is clear to me that this example won't work as  areal world example, because packets of the state ESTABLISHED,RELATED are not allowed through the firewall. I removed these rules because they where in a filter-file i referenced.

After reloading the libvirt-bin i do get part of the rules in would expect in iptables:

Chain FI-vnet0 (1 references)
target     prot opt source               destination        
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FO-vnet0 (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5222 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5269 state NEW
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain HI-vnet0 (1 references)
target     prot opt source               destination        
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

What is missing is any reference to the rule for ucarp (protocol 112).

Please note though that removing the protocol and just allowing any ip traffic to 224.0.0.18 as a rule, does not appear in the iptables either.

Am i misunderstanding anything here? Is there a bug in libvirt? How do you interpret this?
Do you know of any other way to achieve the simple ruleset intended?

I am hoping to get more information from this list. If you are replying, please cc me (matthias.babisch@bmiag.de), because i receive this list as a digest.

Sincerely

Matthias Babisch
IT/Organisation

b+m Informatik AG
Rotenhofer Weg 20
24109 Melsdorf

T +49 4340/404-1444
F +49 4340/404-111
M +49 160/8866426
matthias.babisch@bmiag.de

Aktuelle Informationen unter www.bmiag.de
Die b+m Informatik AG ist ein Unternehmen der Allgeier Gruppe

Vorsitzender des Aufsichtsrates: Dr. Marcus Goedsche
Vorstand: Dipl-Ing. Frank Mielke
Amtsgericht Kiel, HRB 5526