Hi,
I am contacting you as I have difficulties using nwfilter on a KVM host.
I want to implement flow filtering between my Linux guests.
I created the following filter:
cat admin-dmz-internet.xml
<filter name='admin-dmz-internet'>
  <!-- this zone is an SSH ingoing only zone -->
  <!-- but SSH can go to an other SSH proxy -->
  <filterref filter='clean-traffic' />
  <!-- enable SSH (tcp port 22) to go inside the zone -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='22'/>
  </rule>
  <!-- accept the SSH to the other out -->
  <rule action='accept' direction='out'>
    <tcp dstipaddr='192.168.150.50' dstportstart='22'/>
  </rule>
  <!-- deny explicitly all other flows to go outside -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>
</filter>
Then I define it:
virsh nwfilter-define admin-dmz-internet.xml
Filtre réseau admin-dmz-internet défini depuis admin-dmz-internet.xml
The filters are defined:
virsh nwfilter-list
UUID Nom
------------------------------------------------------------------
4ae1f709-4767-4148-9b02-9065da3d8d8a admin-dmz-internet
7d32639b-5e6e-4dfe-b07b-e798bbd89adb allow-arp
I then assigned the filter to my VM:
<interface type='network'>
  <mac address='52:54:00:36:7d:99'/>
  <source network='adm-from-net'/>
  <ip address='192.168.130.229' family='ipv4'/>
  <model type='virtio'/>
  <filterref filter='admin-dmz-internet'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
and restarted libvirtd and started the VM:
systemctl restart libvirtd
virsh start externeSSH
However, the filter doesn't work: I can do all the flows that I want.... :(
To debug, I looked at the iptables rules. We see that no packets go to the
rules for the filter:
Chain FI-vnet0 (1 references)
 pkts bytes target   prot opt in  out  source      destination
    0     0 RETURN   tcp  --  *   *    0.0.0.0/0   0.0.0.0/0        tcp spt:22 ctstate ESTABLISHED ctdir REPLY
    0     0 RETURN   tcp  --  *   *    0.0.0.0/0   192.168.150.50   tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 DROP     all  --  *   *    0.0.0.0/0   0.0.0.0/0

Chain FO-vnet0 (1 references)
 pkts bytes target   prot opt in  out  source           destination
    0     0 ACCEPT   tcp  --  *   *    0.0.0.0/0        0.0.0.0/0   tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 ACCEPT   tcp  --  *   *    192.168.150.50   0.0.0.0/0   tcp spt:22 ctstate ESTABLISHED ctdir REPLY
    0     0 DROP     all  --  *   *    0.0.0.0/0        0.0.0.0/0

Chain HI-vnet0 (1 references)
 pkts bytes target   prot opt in  out  source      destination
    0     0 RETURN   tcp  --  *   *    0.0.0.0/0   0.0.0.0/0        tcp spt:22 ctstate ESTABLISHED ctdir REPLY
    0     0 RETURN   tcp  --  *   *    0.0.0.0/0   192.168.150.50   tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 DROP     all  --  *   *    0.0.0.0/0   0.0.0.0/0

Chain libvirt-host-in (1 references)
 pkts bytes target     prot opt in  out  source      destination
    0     0 HI-vnet0   all  --  *   *    0.0.0.0/0   0.0.0.0/0   [goto] PHYSDEV match --physdev-in vnet0

Chain libvirt-in (1 references)
 pkts bytes target     prot opt in  out  source      destination
    0     0 FI-vnet0   all  --  *   *    0.0.0.0/0   0.0.0.0/0   [goto] PHYSDEV match --physdev-in vnet0

Chain libvirt-in-post (1 references)
 pkts bytes target     prot opt in  out  source      destination
    0     0 ACCEPT     all  --  *   *    0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in vnet0

Chain libvirt-out (1 references)
 pkts bytes target     prot opt in  out  source      destination
    0     0 FO-vnet0   all  --  *   *    0.0.0.0/0   0.0.0.0/0   [goto] PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
How can I make the rules work?
I am on CentOS 7 and the libvirt packages are as follows:
rpm -qa | grep libvirt
libvirt-daemon-kvm-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-config-network-1.2.17-13.el7_2.3.x86_64
libvirt-python-1.2.17-2.el7.x86_64
libvirt-client-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-network-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-secret-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-nodedev-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-qemu-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-storage-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-config-nwfilter-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-interface-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-lxc-1.2.17-13.el7_2.3.x86_64
libvirt-daemon-driver-nwfilter-1.2.17-13.el7_2.3.x86_64
libvirt-1.2.17-13.el7_2.3.x86_64
Thanks in advance for your help.
Regards,
JF
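One check a practitioner would run on such a host, added here as an example and not part of JF's post: libvirt's nwfilter puts its IP-layer rules into iptables with a physdev match on the bridge port, so those chains can only count packets when the kernel hands bridged frames to iptables, which requires the br_netfilter module and net.bridge.bridge-nf-call-iptables=1. The script below tests that sysctl and parses `iptables -L -v -n` output for chains whose counters never moved; the `live` argument, the script name and the INPUT chain in the sample are assumptions or constructed.

```shell
#!/bin/sh
# Added diagnostics, not from the post: libvirt's nwfilter iptables rules only
# see guest traffic if the kernel hands bridged frames to iptables, i.e. the
# br_netfilter module is loaded and bridge-nf-call-iptables is 1.
BRIDGE_NF_SYSCTL=/proc/sys/net/bridge/bridge-nf-call-iptables

# bridge_nf_ok [path]: returns 0 when bridged traffic reaches iptables,
# 1 when the sysctl is 0, 2 when the file is absent (br_netfilter not loaded).
bridge_nf_ok() {
    f=${1:-$BRIDGE_NF_SYSCTL}
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ] || return 1
    return 0
}
# idle_chains: reads 'iptables -L -v -n' output on stdin and prints, sorted,
# every chain whose rules all still show a zero packet counter.
idle_chains() {
    awk '
        /^Chain / { chain = $2; hits[chain] += 0 }
        /^ *[0-9]+[KMG]? +[0-9]+[KMG]? / && chain != "" { hits[chain] += $1 + 0 }
        END { for (c in hits) if (hits[c] == 0) print c }
    ' | sort
}
# Constructed sample: the FI-/FO-vnet0 chains as pasted in the post (all zero)
# next to an INPUT chain that has seen traffic, so the contrast is visible.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4213  512K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FI-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 ctstate ESTABLISHED ctdir REPLY
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            192.168.150.50       tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FO-vnet0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'
# `sh check-nwfilter.sh live` inspects the real host (root needed for iptables);
# without the argument only the constructed sample above is evaluated.
if [ "${1:-}" = "live" ]; then
    rc=0; bridge_nf_ok || rc=$?
    case $rc in
        0) echo "bridge-nf-call-iptables=1: bridged traffic reaches iptables" ;;
        1) echo "bridge-nf-call-iptables=0: nwfilter's iptables rules cannot match" ;;
        *) echo "$BRIDGE_NF_SYSCTL is missing: br_netfilter is not loaded" ;;
    esac
    echo "chains with zero hits:"; iptables -L -v -n | idle_chains
else
    echo "chains with zero hits (sample):"; printf '%s\n' "$SAMPLE" | idle_chains
fi
```

On a host where every FI-/FO-/HI- chain is listed as idle while the sysctl check fails, the zero counters are explained by the kernel never passing bridged frames to iptables rather than by the filter XML itself.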