I have the need to modify the behavior
of the virtual network driver's behavior and how it deals with routed networks.
I'm running libvirt-0.8.3-2.fc14.
According to http://libvirt.org/firewall.html,
the following is automatically added to the FORWARD chain of iptables when
a network type of "routed" is started up:
"Allow inbound, but only to our
expected subnet. Allow outbound, but only from our expected subnet. Allow
traffic between guests. Deny all other inbound. Deny all other outbound.
"
The part of this that I need to adjust
is the fact that only IPs on my subnet will be allowed in and out. I
have IP addresses assigned to my guests that have static routes configured
on the hypervisor to route to the local bridged interface. I have
to do this due to the way the surrounding routers and switches on the network
are configured to handle public IP addresses and MAC address filtering.
Here is an example of my config where the public IP address on the
guest machine is 1.1.2.2:
My network to do the routing mode:
<network>
<name>local</name>
<forward dev='eth0' mode='route'/>
<bridge name='virbr_local'
stp='on' delay='0' />
<ip address='192.168.122.1'
netmask='255.255.255.0'/>
</network>
The network portion of the domain:
<interface type='network'>
<mac address='xx:xx:xx:cc:xx:xx'/>
<source network='local'/>
<target dev='vnet0'/>
<address type='pci'
domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>
And finally the static route configured
on the hypervisor to get the routed traffic from eth0 on the hypervisor
down to the virbr_local device:
# ip route add 1.1.2.2 dev virbr_local
This will setup the iptables filters
just as the documentation defines, but the problem is that all traffic
from the guest will get REJECTED by iptables due to the source and destination
IP not falling within 192.168.122.0/24.
I've tried adding a custom filter into
the network filter driver, but haven't had much luck. Here are some of
the things that I've tried.
The custom network filter. Notice
that I'm using tcp, udp, and icmp specifically. I'm doing this so
it will force inclusion into the iptables filtering rules rather than ebtables.
<filter name='my-static-ip' chain='root'>
<rule action='' direction='out'
priority='500'>
<tcp srcipaddr='$MYIP'/>
</rule>
<rule action='' direction='out'
priority='500'>
<udp srcipaddr='$MYIP'/>
</rule>
<rule action='' direction='out'
priority='500'>
<icmp srcipaddr='$MYIP'/>
</rule>
<rule action='' direction='in'
priority='500'>
<tcp dstipaddr='$MYIP'/>
</rule>
<rule action='' direction='in'
priority='500'>
<udp dstipaddr='$MYIP'/>
</rule>
<rule action='' direction='in'
priority='500'>
<icmp dstipaddr='$MYIP'/>
</rule>
</filter>
And the modifications made to the domain's
network interface definition:
<interface type='network'>
<mac address='xx:xx:xx:xx'/>
<source network='local'/>
<target dev='vnet0'/>
<filterref filter='my-static-ip'>
<parameter
name='MYIP' value=1.1.2.2'/>
</filterref>
<address type='pci'
domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>
With the exception of simply manually
adding iptables rules in place after I start the network using virsh, does
anyone know how to accomplish what I'm trying to do?
Ryan Sumner
