Hello!

Since I could not find any information on the internet about this subject, I'm
going to try my luck on this list.

I'm trying to set up a network filter on a routed setup. I have a root server at
Hetzner, a German hosting provider. Along with my server I ordered a (/28) subnet
to be able to set up dedicated IPs for my virtual machines (KVM). My server is
running Ubuntu 12.04 with libvirt 0.9.8. Since Hetzner does not allow any bridged
traffic, I had to set up a routed network. Currently my (via libvirt) defined
network looks like this (let's assume my subnet is 1.2.3.64/28):

<network>
  <name>hetzner-subnet-v4</name>
  <forward dev='eth0' mode='route'>
    <interface dev='eth0'/>
  </forward>
  <bridge name='route-br0' stp='off' delay='0' />
  <mac address='52:54:00:F0:D0:AA'/>
  <ip address='1.2.3.65' netmask='255.255.255.240'></ip>
</network>

The network definition for all running VMs looks like this:

<interface type='network'>
  <mac address='52:54:00:00:00:##'/>
  <source network='hetzner-subnet-v4'/>
</interface>

Without using network filters, this setup is running as expected. All traffic is
correctly forwarded to my virtual machines connected to "route-br0" and the
following iptables rules are created in the FORWARD chain:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
target     prot opt in        out        source        destination
ACCEPT     all  --  eth0      route-br0  0.0.0.0/0     1.2.3.64/28
ACCEPT     all  --  route-br0 eth0       1.2.3.64/28   0.0.0.0/0
ACCEPT     all  --  route-br0 route-br0  0.0.0.0/0     0.0.0.0/0
REJECT     all  --  *         route-br0  0.0.0.0/0     0.0.0.0/0     reject-with icmp-port-unreachable
REJECT     all  --  route-br0 *          0.0.0.0/0     0.0.0.0/0     reject-with icmp-port-unreachable

When I try to set up a network filter for a VM (a modified version of the last
example at http://libvirt.org/formatnwfilter.html):

<filter name='server-x' chain='root'>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in' priority='500'>
    <all state='ESTABLISHED'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp state='NEW' dstportstart='22'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='NEW'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>

and add the filter to the interface definition of a VM using the following
syntax:

<filterref filter='server-x'>
  <parameter name='IP' value='1.2.3.70'/>
</filterref>

additional iptables rules are created. The problematic rule seems to be the
following:

-A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX

which should trigger the following rules:

-A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT

But this actually never happens. The FO-vnetX Chain never sees any packets and 
my syslog says:

xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains 
for non-bridged traffic is not supported anymore

Am I doing something wrong? I hope I did not write too much useless stuff here.
I tried to figure it all out by myself, but I'm currently stuck. Let's hope some
wise guys can help me out here. Maybe there is some documentation I have missed?

Thanks!

Kind regards,

Sebastian

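As an added example (not from Sebastian's post and not libvirt's own code), the following Python check parses an iptables-save style dump and flags every "--physdev-out" match that lacks "--physdev-is-bridged" in a chain reachable from OUTPUT, FORWARD or POSTROUTING, which is the combination the xt_physdev warning quoted in the post refers to. The sample dump is constructed from the rules quoted above with vnetX as a placeholder tap name, and the check assumes chains are only entered through -j and -g targets.

```python
from collections import defaultdict

# Constructed iptables-save style dump modelled on the rules quoted in the
# post; vnetX is a placeholder for the VM's tap device name.
SAMPLE_RULES = """\
-A FORWARD -j libvirt-out
-A FORWARD -i eth0 -o route-br0 -d 1.2.3.64/28 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
-A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT
"""

# Hooks in which xt_physdev refuses --physdev-out for non-bridged traffic.
HOOKS = ("OUTPUT", "FORWARD", "POSTROUTING")

def parse_rules(text):
    """Return (chain, tokens) for every '-A' line of an iptables-save dump."""
    rows = [line.split() for line in text.splitlines()]
    return [(r[1], r[2:]) for r in rows if r and r[0] == "-A"]

def chain_graph(rules):
    """Map each chain to the targets it reaches via -j or -g (assumption:
    these are the only ways a chain is entered)."""
    graph = defaultdict(set)
    for chain, toks in rules:
        for i, tok in enumerate(toks[:-1]):
            if tok in ("-j", "-g"):
                graph[chain].add(toks[i + 1])
    return graph

def reachable(graph, start):
    """All chains reachable from `start`, `start` included."""
    seen, stack = set(), [start]
    while stack:
        chain = stack.pop()
        if chain not in seen:
            seen.add(chain)
            stack.extend(graph.get(chain, ()))
    return seen

def find_unsupported_physdev_out(text):
    """Rules that use --physdev-out without --physdev-is-bridged in a chain
    reachable from OUTPUT/FORWARD/POSTROUTING: routed packets never match."""
    rules = parse_rules(text)
    graph = chain_graph(rules)
    suspect = set().union(*(reachable(graph, hook) for hook in HOOKS))
    return [(chain, " ".join(toks)) for chain, toks in rules
            if chain in suspect and "--physdev-out" in toks
            and "--physdev-is-bridged" not in toks]
```

Run it over the host's iptables-save output; each hit is a rule that routed (non-bridged) traffic can never match, so the filter chain behind it is silently skipped, exactly as the empty FO-vnetX counters in the post show.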
_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
