
On 02/14/2014 08:40 PM, h0rst wrote:
Hello!
Since I could not find any information on the internet about this subject, I'm going to try my luck on this list.
I'm trying to set up network filtering on a routed setup. I have a root server at Hetzner, a German hosting provider. Along with my server I ordered a (/28) subnet to be able to set up dedicated IPs for my virtual machines (KVM). My server is running Ubuntu 12.04 with libvirt 0.9.8. Since Hetzner does not allow any bridged traffic,
You *really* should upgrade to a newer libvirt.
Without using network filters, this setup is running as expected. All traffic is correctly forwarded to my virtual machines connected to "route-br0" and the following iptables rules are created in the FORWARD chain:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
target     prot opt in         out        source        destination
ACCEPT     all  --  eth0       route-br0  0.0.0.0/0     1.2.3.64/28
ACCEPT     all  --  route-br0  eth0       1.2.3.64/28   0.0.0.0/0
Those previous two rules are the ones added when you specify a forward dev. You don't need to do that - I would recommend removing the "dev='eth0'" from the <forward> element of the network, along with the "<interface dev='eth0'/>" subelement. This won't change operation at all, it will just make things slightly less confusing and misleading.
ACCEPT     all  --  route-br0  route-br0  0.0.0.0/0     0.0.0.0/0
REJECT     all  --  *          route-br0  0.0.0.0/0     0.0.0.0/0     reject-with icmp-port-unreachable
REJECT     all  --  route-br0  *          0.0.0.0/0     0.0.0.0/0     reject-with icmp-port-unreachable
When I try to set up a network filter for a VM (a modified version of the last example at http://libvirt.org/formatnwfilter.html):
<filter name='server-x' chain='root'>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in' priority='500'>
    <all state='ESTABLISHED'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp state='NEW' dstportstart='22'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='NEW'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>
and adding the filter to the interface definition of a VM using the following syntax:
<filterref filter='server-x'>
  <parameter name='IP' value='1.2.3.70'/>
</filterref>
additional iptables rules are created. The problematic rule seems to be the following:
-A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
which should trigger the following rules:
-A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT
But this actually never happens. The FO-vnetX chain never sees any packets and my syslog says:
xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore
That somehow sounded familiar, so I looked it up in the git history and found this: http://libvirt.org/git/?p=libvirt.git;a=commit;h=65fb9d49cc9caae210977934b53... That patch was included in libvirt-1.0.2, just about a year ago.
Am I doing something wrong?
You need to upgrade your libvirt to at least 1.0.2 (preferably newer).
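The failure mode in this thread is silent: a `--physdev-out` match in a chain reachable from FORWARD, OUTPUT or POSTROUTING without `--physdev-is-bridged` is accepted by iptables but never matches routed traffic, and the only sign is the xt_physdev line in syslog. Before (or after) upgrading, a host admin can find every such rule in the live ruleset. The following shell check is an added example, written for this page and not part of the thread or of libvirt: it reads `iptables-save` output, follows `-j`/`-g` jumps to work out which built-in chain each user chain hangs off (the same reachability the kernel uses for its hook mask), and prints the affected rules. The sample ruleset in `sample_iptables_save` is constructed here, modelled on the libvirt-out/FO-vnetX rules quoted above, and the chain name `orphan` is invented to show that an unreferenced chain is not reported.

```shell
#!/bin/sh
# find_dead_physdev_rules: read iptables-save text on stdin and print, as
# "<table>: <rule>", every rule that matches on --physdev-out without
# --physdev-is-bridged in a chain reachable from OUTPUT, FORWARD or
# POSTROUTING. On a kernel that logs "xt_physdev: using --physdev-out in the
# OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not
# supported anymore", these rules never match routed (non-bridged) packets.
find_dead_physdev_rules() {
    awk '
    # Climb -j/-g edges from chain c in table t until a built-in chain is hit.
    # seen[] breaks cycles; arr, m, k are awk-style locals.
    function reaches_out(t, c, seen,    arr, m, k) {
        if (c == "OUTPUT" || c == "FORWARD" || c == "POSTROUTING") return 1
        if ((t, c) in seen) return 0
        seen[t, c] = 1
        m = split(parent[t, c], arr, " ")
        for (k = 1; k <= m; k++)
            if (reaches_out(t, arr[k], seen)) return 1
        return 0
    }
    /^\*/ { table = substr($0, 2); next }        # "*filter", "*nat", ...
    /^-A / {
        chain = $2
        # Record "target chain <- this chain" for every -j/-g in the rule.
        for (i = 3; i < NF; i++)
            if ($i == "-j" || $i == "-g")
                parent[table, $(i + 1)] = parent[table, $(i + 1)] " " chain
        # Candidate: uses --physdev-out and lacks --physdev-is-bridged.
        if ($0 ~ / --physdev-out / && $0 !~ / --physdev-is-bridged( |$)/) {
            n++; rule[n] = $0; rtab[n] = table; rchain[n] = chain
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            split("", seen)                      # portable way to clear seen[]
            if (reaches_out(rtab[i], rchain[i], seen))
                print rtab[i] ": " rule[i]
        }
    }'
}

# Constructed iptables-save excerpt (not captured from a real host), modelled
# on the thread: FORWARD jumps to libvirt-out, which selects FO-vnet0 with
# --physdev-out; "orphan" is a made-up chain that nothing references.
sample_iptables_save() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:libvirt-in - [0:0]
:libvirt-out - [0:0]
:FI-vnet0 - [0:0]
:FO-vnet0 - [0:0]
:orphan - [0:0]
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A FORWARD -m physdev --physdev-out vnet1 --physdev-is-bridged -j ACCEPT
-A libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0
-A libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0
-A FI-vnet0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FO-vnet0 -m state --state ESTABLISHED -j ACCEPT
-A orphan -m physdev --physdev-out vnet0 -j DROP
COMMIT
EOF
}

# Demo on the constructed ruleset: only the libvirt-out rule is reported.
# The bridged FORWARD rule is fine, and "orphan" is not reachable from any hook.
sample_iptables_save | find_dead_physdev_rules
```

On a real host run `iptables-save | sh -c '. ./physdev-check.sh; find_dead_physdev_rules'` (or source the functions and pipe into them); an empty result means no nwfilter-generated rule is stranded by the kernel restriction quoted in the thread.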