On 02/14/2014 08:40 PM, h0rst wrote:
Hello!
Since I could not find any information on the internet about this subject, I'm going to try my luck on this list.
I'm trying to set up network filters on a routed setup. I have a root server at Hetzner, a German hosting provider.
Along with my server I ordered a (/28) subnet to be able to set up dedicated IPs for my virtual machines (KVM).
My server is running Ubuntu 12.04 with libvirt 0.9.8. Since Hetzner does not allow any bridged traffic,
You *really* should upgrade to a newer libvirt.
Without using network filters, this setup is running as expected. All traffic is correctly forwarded to my virtual machines connected to "route-br0" and the following iptables rules are created in the FORWARD chain:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- eth0 route-br0 0.0.0.0/0 1.2.3.64/28
ACCEPT all -- route-br0 eth0 1.2.3.64/28 0.0.0.0/0
ACCEPT all -- route-br0 route-br0 0.0.0.0/0 0.0.0.0/0
REJECT all -- * route-br0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- route-br0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Those previous two rules are the ones added when you specify a forward dev. You don't need to do that - I would recommend removing the "dev='eth0'" from the <forward> element of the network, along with the "<interface dev='eth0'/>" subelement. This won't change operation at all, it will just make things slightly less confusing and misleading.
When I try to set up a network filter for a VM (a modified version of the last example at http://libvirt.org/formatnwfilter.html):
<filter name='server-x' chain='root'>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in' priority='500'>
    <all state='ESTABLISHED'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp state='NEW' dstportstart='22'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='NEW'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>
and add the filter to the interface definition of a VM using the following syntax:
<filterref filter='server-x'>
<parameter name='IP' value='1.2.3.70'/>
</filterref>
additional iptables rules are created. The problematic rule seems to be the following:
-A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
which should trigger the following rules:
-A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT
But this actually never happens. The FO-vnetX chain never sees any packets, and my syslog says:
xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore
That somehow sounded familiar, so I looked it up in the git history and
found this:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=65fb9d49cc9caae210977934...
That patch was included in libvirt-1.0.2, just about a year ago.
Am I doing something wrong?
You need to upgrade your libvirt to at least 1.0.2 (preferably newer).
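As an added example that is not part of the thread and not libvirt's own code: the kernel message quoted above is the symptom of a general rule class, a `--physdev-out` match without `--physdev-is-bridged` in a chain that is reached from the OUTPUT, FORWARD or POSTROUTING hook. The audit below walks an `iptables-save` dump, follows `-j`/`-g` backwards from each user chain to the builtin hooks, and reports every such rule, since those rules will never match routed (non-bridged) traffic. The two dumps are constructed samples modelled on the rules in the thread (vnet0 and the FI-/FO-vnet0 chains stand in for the poster's vnetX); the "fixed" variant only shows the shape the kernel accepts, not what any particular libvirt version emits.

```python
"""Audit an iptables-save dump for physdev matches that the kernel refuses to
honour on routed (non-bridged) traffic.

xt_physdev only honours --physdev-out in the OUTPUT, FORWARD and POSTROUTING
hooks when --physdev-is-bridged is also given; otherwise it logs "using
--physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged
traffic is not supported anymore" and the rule never matches routed packets.
A rule in a user-defined chain inherits the hook of whichever builtin chain
jumps to it, so the audit walks the jump graph backwards.
"""
from collections import defaultdict

RESTRICTED_HOOKS = {"OUTPUT", "FORWARD", "POSTROUTING"}
BUILTIN_CHAINS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

# Constructed sample modelled on the thread's libvirt 0.9.8 rules (vnetX
# written as vnet0); this is not a capture from the poster's host.
SAMPLE_BROKEN = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:libvirt-in - [0:0]
:libvirt-out - [0:0]
:FI-vnet0 - [0:0]
:FO-vnet0 - [0:0]
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0
-A libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0
-A FO-vnet0 -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnet0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
"""

# Constructed variant in the shape the kernel accepts: --physdev-is-bridged
# qualifies the bridged match, and a plain -o match covers routed traffic.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "-A libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0",
    "-A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
    "-A libvirt-out -o vnet0 -g FO-vnet0",
)


def parse_rules(dump):
    """Return (rules, parents): rules is a list of (chain, tokens); parents
    maps each -j/-g target chain to the set of chains that enter it."""
    rules = []
    parents = defaultdict(set)
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # skip table headers, chain policies and COMMIT
        chain = tokens[1]
        rules.append((chain, tokens))
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("-j", "-g"):
                parents[tokens[i + 1]].add(chain)
    return rules, parents


def reaching_hooks(chain, parents):
    """Builtin chains from which `chain` is reachable via -j/-g (cycle-safe)."""
    hooks, stack, seen = set(), [chain], {chain}
    while stack:
        current = stack.pop()
        if current in BUILTIN_CHAINS:
            hooks.add(current)
            continue
        for parent in parents.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return hooks


def find_dead_physdev_rules(dump):
    """List (chain, rule, hooks) for every --physdev-out match that lacks
    --physdev-is-bridged and is reached from OUTPUT/FORWARD/POSTROUTING."""
    rules, parents = parse_rules(dump)
    findings = []
    for chain, tokens in rules:
        if "--physdev-out" not in tokens or "--physdev-is-bridged" in tokens:
            continue
        hooks = reaching_hooks(chain, parents) & RESTRICTED_HOOKS
        if hooks:
            findings.append((chain, " ".join(tokens), sorted(hooks)))
    return findings


if __name__ == "__main__":
    for name, dump in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        for chain, rule, hooks in find_dead_physdev_rules(dump):
            print(f"[{name}] {rule}  (reached from {', '.join(hooks)}; "
                  "will not match routed traffic)")
```

`find_dead_physdev_rules` accepts any `iptables-save` text, so on a live host feed it the output of `iptables-save` and compare against `dmesg | grep xt_physdev`. Note that the `--physdev-is-bridged` form still only matches bridged frames; on a routed network like the one in the thread, the packets of interest have to reach the FO-vnetX chain through a plain `-o vnetX` rule, which is why the "fixed" sample carries both.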