Hi, all!
For the following nwfilter:
<filter name='test' chain='root'>
<rule action="" direction='out' priority='1'>
<tcp dstportstart='22' dstportend='22'/>
</rule>
</filter>
I got the following result:
-A FI-vmec437726363e0 -p tcp -m tcp --sport 22 -j RETURN
-A FO-vmec437726363e0 -p tcp -m tcp --dport 22 -j RETURN
-A HI-vmec437726363e0 -p tcp -m tcp --sport 22 -j RETURN
-A libvirt-host-in -m physdev --physdev-in vmec437726363e0 -g HI-vmec437726363e0
-A libvirt-in -m physdev --physdev-in vmec437726363e0 -g FI-vmec437726363e0
-A libvirt-in-post -m physdev --physdev-in vmec437726363e0 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vmec437726363e0 --physdev-is-bridged -g FO-vmec437726363e0
It is not clear to me why the rule is added to the FI-* chains. I guess this filter
is supposed to filter only outgoing traffic.
I tested with libvirt-5.6.0, but AFAIU the behaviour upstream is the same. It also looks
like this behaviour has existed for a long time, so I doubt it is a bug.
Nikolay
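The iptables output quoted above contains the same match three times: once with --dport 22 in the FO-* chain, and twice with the ports swapped (--sport 22) in the FI-* and HI-* chains, which are reached from libvirt-in and libvirt-host-in via --physdev-in. The script below is an added example, not part of the post or of libvirt: it parses `iptables -S`-style rule lines, finds for every port rule in a per-interface chain the chains that hold a port-swapped twin of it, and records which glue chain jumps into each per-interface chain and on which physdev match. The chain-prefix grouping (FO-, FI-, HI- followed by the interface name) is an assumption taken from the post's output, and the sample rules are copied from the post.

```python
"""Pair libvirt-generated iptables port rules with their port-swapped twins.

Added example, not code from the post or from libvirt. It assumes the chain
naming seen in the post's output: FO-<iface>, FI-<iface>, HI-<iface> for the
per-interface chains, plus libvirt-* glue chains that jump into them.
"""
from collections import defaultdict

# Sample input: the `-A ...` lines quoted in the post, copied verbatim.
SAMPLE_RULES = """\
-A FI-vmec437726363e0 -p tcp -m tcp --sport 22 -j RETURN
-A FO-vmec437726363e0 -p tcp -m tcp --dport 22 -j RETURN
-A HI-vmec437726363e0 -p tcp -m tcp --sport 22 -j RETURN
-A libvirt-host-in -m physdev --physdev-in vmec437726363e0 -g HI-vmec437726363e0
-A libvirt-in -m physdev --physdev-in vmec437726363e0 -g FI-vmec437726363e0
-A libvirt-in-post -m physdev --physdev-in vmec437726363e0 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vmec437726363e0 --physdev-is-bridged -g FO-vmec437726363e0
"""

# Assumed per-interface chain prefixes (from the post's output, not an API).
PER_IFACE_PREFIXES = ("FI-", "FO-", "HI-")


def parse_rule(line):
    """Parse one `-A ...` line into the fields this check cares about."""
    toks = line.split()
    rule = {"chain": None, "proto": None, "sport": None, "dport": None,
            "target": None, "physdev_in": None, "physdev_out": None}
    keys = {"-A": "chain", "-p": "proto", "--sport": "sport", "--dport": "dport",
            "-j": "target", "-g": "target",
            "--physdev-in": "physdev_in", "--physdev-out": "physdev_out"}
    i = 0
    while i < len(toks):
        key = keys.get(toks[i])
        if key is not None and i + 1 < len(toks):
            rule[key] = toks[i + 1]
            i += 2
        else:
            i += 1  # flag without a value we track (e.g. --physdev-is-bridged)
    return rule


def parse_rules(text):
    """Parse every append rule in an `iptables -S` style dump."""
    return [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]


def chain_kind(chain):
    """Split 'FO-vmec...' into ('FO', 'vmec...'); None for glue chains."""
    for prefix in PER_IFACE_PREFIXES:
        if chain.startswith(prefix):
            return prefix[:-1], chain[len(prefix):]
    return None


def find_twins(rules):
    """Map each port rule to the sorted chain kinds holding a port-swapped copy.

    Two rules are twins when they share protocol and target and one rule's
    --sport equals the other's --dport and vice versa (None matches None).
    """
    by_iface = defaultdict(list)
    for r in rules:
        kind = chain_kind(r["chain"] or "")
        if kind and (r["sport"] or r["dport"]):
            by_iface[kind[1]].append((kind[0], r))
    result = {}
    for entries in by_iface.values():
        for _, r in entries:
            twins = sorted(k for k, o in entries
                           if o is not r
                           and o["proto"] == r["proto"]
                           and o["target"] == r["target"]
                           and o["sport"] == r["dport"]
                           and o["dport"] == r["sport"])
            result[(r["chain"], r["proto"], r["sport"], r["dport"])] = twins
    return result


def entry_points(rules):
    """Map each per-interface chain to the glue rule that jumps into it."""
    points = {}
    for r in rules:
        if r["target"] and chain_kind(r["target"]):
            points[r["target"]] = {"from": r["chain"],
                                   "physdev_in": r["physdev_in"],
                                   "physdev_out": r["physdev_out"]}
    return points


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for key, twins in find_twins(parsed).items():
        print(key, "-> port-swapped twin in", twins or "none")
    for chain, via in entry_points(parsed).items():
        print(chain, "entered from", via)
```

Run on the post's output it reports that the FO-* --dport 22 rule has port-swapped twins in FI and HI, and that both of those chains are entered on --physdev-in for the same interface; running it on a dump from your own host shows whether any per-interface port rule lacks such a twin.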