Dear Yalang,
that did the trick. If I look in the NAT table of the bridge I can see
the generated rules. Probably wouldn't have thought about that ever.
Yes, it is fairly strange that rules to filter traffic are in a table
called "nat". My understanding is that it was implemented this way in
order to avoid duplicating all the rules in both the input and forward
chains (or something like that).
Thanks a lot!
Best
Sam
On 29.12.18 06:51, Yalan Zhang wrote:
> Hi Sam,
>
> You can find the rules by below command, and it looks as below:
> # ebtables -t nat --list
> Bridge table: nat
>
> Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
> -j PREROUTING_direct
> -i vnet0 -j libvirt-I-vnet0
>
> Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
> -j OUTPUT_direct
>
> Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
> -j POSTROUTING_direct
> -o vnet0 -j libvirt-O-vnet0
>
> Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN
>
> Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN
>
> Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN
>
> Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
> -j I-vnet0-mac
> -p IPv4 -j I-vnet0-ipv4-ip
> -p IPv4 -j ACCEPT
> -p ARP -j I-vnet0-arp-mac
> -p ARP -j I-vnet0-arp-ip
> -p ARP -j ACCEPT
> -p 0x8035 -j I-vnet0-rarp
> -p 0x835 -j ACCEPT
> -j DROP
>
> Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
> -p IPv4 -j O-vnet0-ipv4
> -p ARP -j ACCEPT
> -p 0x8035 -j O-vnet0-rarp
> -j DROP
>
> Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
> -s 52:54:0:3a:40:b7 -j RETURN
> -j DROP
>
> Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
> -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
> -p IPv4 --ip-src 172.16.1.2 -j RETURN
> -j DROP
>
> Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
> -j ACCEPT
>
> Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
> -p ARP --arp-mac-src 52:54:0:3a:40:b7 -j RETURN
> -j DROP
>
> Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
> -p ARP --arp-ip-src 172.16.1.2 -j RETURN
> -j DROP
>
> Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
> -p 0x8035 -s 52:54:0:3a:40:b7 -d Broadcast --arp-op Request_Reverse
> --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7
> --arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
> -j DROP
>
> Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
> -p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
> --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst
> 52:54:0:3a:40:b7 -j ACCEPT
> -j DROP
>
> For interface set as:
> <interface type='bridge'>
> <mac address='52:54:00:3a:40:b7'/>
> <source bridge='br0'/>
> <target dev='vnet0'/>
> <model type='rtl8139'/>
> <filterref filter='clean-traffic'>
> <parameter name='IP' value='172.16.1.2'/>
> </filterref>
> <alias name='net0'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
> </interface>
>
>
>
> -------
> Best Regards,
> Yalan Zhang
> IRC: yalzhang
_______________________________________________
libvirt-users mailing list
libvirt-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
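As an added example (not code from the thread and not part of libvirt), the following Python script parses the `ebtables -t nat --list` format quoted above and checks that the clean-traffic filter for a given vNIC is actually enforcing the MAC from the domain XML and the IP passed as the filter's IP parameter: the PREROUTING dispatch rule, the per-interface `libvirt-I-<dev>` chain, and the MAC and IP anti-spoofing chains, each ending in DROP. The sample input is a trimmed copy of the listing in the thread; the script name and the `check_clean_traffic` helper are my own and not a libvirt API.

```python
"""Verify libvirt clean-traffic anti-spoofing rules from ebtables output.
Added example, not libvirt code: parses `ebtables -t nat --list` text."""
import re
import sys

# Constructed sample: a trimmed copy of the listing quoted in the thread.
# Real ebtables prints one rule per line; the RARP rules that the mail
# client line-wrapped are left out here.
SAMPLE = """Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4-ip
-p IPv4 -j ACCEPT
-p ARP -j I-vnet0-arp-mac
-p ARP -j I-vnet0-arp-ip
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-j DROP

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP
"""

CHAIN_RE = re.compile(r"^Bridge chain: (\S+), entries: (\d+), policy: (\w+)$")


def parse_ebtables(text):
    """Return {chain: {"policy": str, "rules": [[token, ...], ...]}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Bridge table:"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(3), "rules": []}
        elif current is not None:
            chains[current]["rules"].append(line.split())
    return chains


def option(tokens, flag):
    """Value that follows `flag` in one rule's token list, or None."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def norm_mac(mac):
    """ebtables prints '52:54:0:3a:40:b7'; the XML says '52:54:00:3a:40:b7'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def ends_in_drop(chain):
    return bool(chain["rules"]) and chain["rules"][-1] == ["-j", "DROP"]


def check_clean_traffic(chains, dev, mac, ip):
    """Return findings; an empty list means the anti-spoofing chains are intact."""
    findings, mac, hook = [], norm_mac(mac), f"libvirt-I-{dev}"
    pre = chains.get("PREROUTING", {"rules": []})["rules"]
    if not any(option(r, "-i") == dev and option(r, "-j") == hook for r in pre):
        findings.append(f"PREROUTING has no '-i {dev} -j {hook}' dispatch rule")
    if hook not in chains:
        return findings + [f"chain {hook} is missing"]
    if not ends_in_drop(chains[hook]):
        findings.append(f"{hook} does not end in an unconditional DROP")
    # MAC anti-spoofing: only the VM's own source MAC may RETURN.
    mac_chain = chains.get(f"I-{dev}-mac")
    if mac_chain is None:
        findings.append(f"chain I-{dev}-mac is missing (no MAC anti-spoofing)")
    else:
        allowed = {norm_mac(option(r, "-s")) for r in mac_chain["rules"]
                   if option(r, "-j") == "RETURN" and option(r, "-s")}
        if allowed != {mac}:
            findings.append(f"I-{dev}-mac allows {sorted(allowed)}, expected only {mac}")
        if not ends_in_drop(mac_chain):
            findings.append(f"I-{dev}-mac does not end in DROP")
    # IP anti-spoofing: the configured IP plus 0.0.0.0/udp (DHCP requests from
    # a VM that has no address yet) may RETURN; anything else must drop.
    ip_chain = chains.get(f"I-{dev}-ipv4-ip")
    if ip_chain is None:
        findings.append(f"chain I-{dev}-ipv4-ip is missing (no IP anti-spoofing)")
    else:
        allowed = {option(r, "--ip-src") for r in ip_chain["rules"]
                   if option(r, "-j") == "RETURN"} - {None}
        if ip not in allowed:
            findings.append(f"I-{dev}-ipv4-ip never RETURNs for {ip}")
        if allowed - {ip, "0.0.0.0"}:
            findings.append(f"I-{dev}-ipv4-ip also allows {sorted(allowed - {ip, '0.0.0.0'})}")
        if not ends_in_drop(ip_chain):
            findings.append(f"I-{dev}-ipv4-ip does not end in DROP")
    return findings


if __name__ == "__main__":
    # Usage: ebtables -t nat --list | python3 check_ct.py vnet0 52:54:00:3a:40:b7 172.16.1.2
    live = len(sys.argv) == 4
    dev, mac, ip = sys.argv[1:4] if live else ("vnet0", "52:54:00:3a:40:b7", "172.16.1.2")
    problems = check_clean_traffic(parse_ebtables(sys.stdin.read() if live else SAMPLE), dev, mac, ip)
    print("\n".join(problems) or f"{dev}: clean-traffic anti-spoofing rules intact")
    sys.exit(1 if problems else 0)
```

Run without arguments it checks the embedded sample; piped the real listing plus the vNIC name, MAC and IP, it exits non-zero and lists what is missing, which is a cheap post-start check that the filterref in the domain XML was actually applied to the interface it names.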