[libvirt-users] Network filters with clean-traffic not working on Debian Stretch

Hello,

I recently stumbled over the libvirt network filter capabilities and got pretty excited. Unfortunately I'm not able to get the "clean-traffic" filterset working. I'm using a freshly installed Debian Stretch with libvirt, qemu and KVM.

My config snippet looks as follows:

sudo virsh edit <VM>

[...]
<interface type='bridge'>
  <mac address='52:54:00:0c:14:07'/>
  <source bridge='br0'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic'>
    <parameter name='IP' value='10.10.1.2'/>
  </filterref>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<interface type='bridge'>
  <mac address='52:54:00:0c:24:17'/>
  <source bridge='br1'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic'>
    <parameter name='IP' value='172.16.1.2'/>
  </filterref>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
[...]

I restarted the VM from within the VM, did a "virsh reboot <VM>", restarted libvirtd and even did a reboot of the host - just to be sure. Unfortunately neither "iptables -L" nor "ebtables --list" show any entries added by libvirt. Also omitting the "parameter name='IP'" part didn't change anything.

There are no error messages in /var/log/syslog nor in /var/log/libvirt/qemu/<VM>.

My main references were:
https://libvirt.org/firewall.html
https://libvirt.org/formatnwfilter.html
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-servi...

Any help really would be much appreciated!

Thanks a lot!
Sam

Hi Sam,

You can find the rules with the command below, and the output looks like this:

# ebtables -t nat --list
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-j OUTPUT_direct

Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
-j POSTROUTING_direct
-o vnet0 -j libvirt-O-vnet0

Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN

Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN

Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4-ip
-p IPv4 -j ACCEPT
-p ARP -j I-vnet0-arp-mac
-p ARP -j I-vnet0-arp-ip
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j ACCEPT
-p 0x8035 -j O-vnet0-rarp
-j DROP

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP

Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
-j ACCEPT

Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src 52:54:0:3a:40:b7 -j RETURN
-j DROP

Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 172.16.1.2 -j RETURN
-j DROP

Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -s 52:54:0:3a:40:b7 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
-j DROP

Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:3a:40:b7 --arp-mac-dst 52:54:0:3a:40:b7 -j ACCEPT
-j DROP

For an interface set as:

<interface type='bridge'>
  <mac address='52:54:00:3a:40:b7'/>
  <source bridge='br0'/>
  <target dev='vnet0'/>
  <model type='rtl8139'/>
  <filterref filter='clean-traffic'>
    <parameter name='IP' value='172.16.1.2'/>
  </filterref>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

-------
Best Regards,
Yalan Zhang
IRC: yalzhang

On Wed, Dec 26, 2018 at 12:28 AM fatal <fatal@mailbox.org> wrote:
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users
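As an added example (not code from the thread or from libvirt), here is a small Python parser for the `ebtables -t nat --list` output shown above that reports whether libvirt has hooked a tap device's traffic into its per-device chain and which source MAC and IPs the clean-traffic chains pin for it; the sample dump is constructed from the listing in this thread and trimmed to the relevant chains.

```python
import re

# Sample `ebtables -t nat --list` output, constructed from the listing in
# the thread above and trimmed to the chains that pin vnet0's MAC and IP.
SAMPLE = """Bridge table: nat
Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0
Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:3a:40:b7 -j RETURN
-j DROP
Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 172.16.1.2 -j RETURN
-j DROP
"""

CHAIN_RE = re.compile(r"^Bridge chain: (\S+), entries: (\d+), policy: (\w+)$")


def parse_ebtables(text):
    """Map each chain name to the list of rule lines printed under it."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line and current and not line.startswith("Bridge table"):
            chains[current].append(line)
    return chains


def clean_traffic_status(text, dev):
    """Summarise the clean-traffic state for tap device `dev`: whether
    PREROUTING jumps into libvirt's per-device chain, and which source MAC
    and IPs the I-<dev>-mac / I-<dev>-ipv4-ip chains let through."""
    chains = parse_ebtables(text)
    hooked = f"-i {dev} -j libvirt-I-{dev}" in chains.get("PREROUTING", [])
    macs = [r.split()[1] for r in chains.get(f"I-{dev}-mac", []) if r.startswith("-s ")]
    ips = [r.split("--ip-src ")[1].split()[0]
           for r in chains.get(f"I-{dev}-ipv4-ip", [])
           if "--ip-src" in r and "--ip-proto udp" not in r]  # skip the DHCP (0.0.0.0) allowance
    return {"hooked": hooked, "mac": macs[0] if macs else None, "ips": ips}
```

Run it against a live dump with `clean_traffic_status(subprocess.check_output(["ebtables", "-t", "nat", "--list"], text=True), "vnet0")` as root; an interface the filter is not applied to comes back with `hooked` false and no pinned MAC.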

Dear Yalang,

that did the trick. If I look in the NAT table of the bridge I can see the generated rules. Probably wouldn't have thought about that ever.

Thanks a lot!

Best
Sam

On 29.12.18 06:51, Yalan Zhang wrote:

On 12/29/18 5:51 AM, fatal wrote:
Dear Yalang,
that did the trick. If I look in the NAT table of the bridge I can see the generated rules. Probably wouldn't have thought about that ever.
Yes, it is fairly strange that rules to filter traffic are in a table called "nat". My understanding is that it was implemented this way in order to avoid duplicating all the rules in both the input and forward chains (or something like that).
participants (3): fatal, Laine Stump, Yalan Zhang