Hello People.
I have produced a very simple network filter that does not work as I
would expect. Perhaps one of you knows what I did wrong?
I made this little filter:
<filter name='my-test-no-ip-spoofing' priority='-700'>
  <rule action='drop' direction='out' priority='-999'>
    <all match='no' srcipaddr='$IP'/>
  </rule>
</filter>
I could attach it directly to a VM (and defined an IP address in
the network interface there). Then it produced iptables rules that
look like this:
Chain FI-vnetnn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      ! IP                 0.0.0.0/0
(This is the rule governing the input via the virtual device into
the bridge; this is as expected.)
Chain HI-vnetnn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      ! IP                 0.0.0.0/0
(This is the rule governing the input to the host; I would expect
this too.)
Chain FO-vnetnn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0           ! IP
This is the rule governing the output via the virtual device from
the bridge (i.e. packets coming from the network).
I specifically asked to filter outgoing traffic. This one I don't
understand. Perhaps somebody has a hint?
On the other hand, this filter works as expected (no rule on
"FO-vnetnn"):
<filter name='my-no-mac-spoofing' priority='-800'>
  <rule action='drop' direction='out'>
    <all match='no' srcmacaddr='$MAC'/>
  </rule>
</filter>
I used libvirt with qemu on Ubuntu 13.10 (version 1.1.1-0ubuntu8.5).
I am grateful for any helpful comments.
Sincerely
Matthias Babisch
IT/Organisation
b+m Informatik AG
Rotenhofer Weg 20
24109 Melsdorf
T +49 4340/404-1444
F +49 4340/404-111
M +49 160/8866426
matthias.babisch@bmiag.de
Current information at www.bmiag.de
b+m Informatik AG is a company of the Allgeier Group
Chairman of the Supervisory Board: Dr. Marcus Goedsche
Executive Board: Dipl-Ing. Frank Mielke
Kiel District Court, HRB 5526
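As an added example (not part of the mail above and not libvirt's own code), here is a small parser over `iptables -L -n -v` listings of the kind quoted in the mail. For every per-interface chain it reports which address column the DROP rule negates, so one can see at a glance which chains actually enforce the check on the packet's source address (what an anti-spoofing filter is meant to do) and which only match the reverse direction. The chain names `FI-vnet0`/`HI-vnet0`/`FO-vnet0`, the address `192.0.2.10` and the sample listing are constructed to match the shape of the output in the mail; iptables prints a negation either as `!addr` or as `! addr`, and both forms are handled.

```python
"""Parse `iptables -L -n -v` chain listings and report, per chain, which
address column each DROP rule negates.  Added example, not from the original
mail; chain names, the address 192.0.2.10 and the sample listing below are
constructed to resemble the listing quoted in the mail."""
import re

CHAIN_RE = re.compile(r"^Chain\s+(\S+)\s+\((\d+) references\)")

# Constructed sample in the shape of `iptables -L -n -v`; the address is a
# placeholder from the documentation range (RFC 5737), not a real host.
SAMPLE = """\
Chain FI-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      !192.0.2.10           0.0.0.0/0
Chain HI-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      !192.0.2.10           0.0.0.0/0
Chain FO-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0           !192.0.2.10
"""


def _split_rule(line):
    """Tokenise one rule line, re-attaching a free-standing '!' to the
    address that follows it so both '!1.2.3.4' and '! 1.2.3.4' are handled."""
    raw = line.split()
    tokens = []
    i = 0
    while i < len(raw):
        if raw[i] == "!" and i + 1 < len(raw):
            tokens.append("!" + raw[i + 1])
            i += 2
        else:
            tokens.append(raw[i])
            i += 1
    return tokens


def parse_chains(text):
    """Return {chain_name: [rule, ...]}; each rule records the target, the
    source/destination address and whether each address is negated."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # column header or blank line
        t = _split_rule(line)
        if len(t) < 9:
            continue  # not a rule line in -v layout (pkts bytes target prot opt in out src dst)
        src, dst = t[7], t[8]
        chains[current].append({
            "target": t[2],
            "source": src.lstrip("!"),
            "destination": dst.lstrip("!"),
            "source_negated": src.startswith("!"),
            "destination_negated": dst.startswith("!"),
        })
    return chains


def negated_column(rule):
    """Which address column a rule negates: 'source', 'destination', 'both' or None."""
    s, d = rule["source_negated"], rule["destination_negated"]
    if s and d:
        return "both"
    if s:
        return "source"
    if d:
        return "destination"
    return None


def drop_negations(text):
    """Map each chain to the column(s) negated by its DROP rule(s).
    For an anti-spoofing filter one expects 'source' on the chains that see
    packets leaving the VM; a negated 'destination' matches the other
    direction of traffic instead."""
    result = {}
    for chain, rules in parse_chains(text).items():
        result[chain] = [negated_column(r) for r in rules if r["target"] == "DROP"]
    return result


if __name__ == "__main__":
    for chain, cols in drop_negations(SAMPLE).items():
        print(f"{chain}: DROP negates {cols}")
```

Run against a real listing (`iptables -L -n -v` piped into `drop_negations`) the same function shows whether the chains for a given interface negate the source or the destination column, which is the quickest way to confirm where a filter's address check is actually applied.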