On 02/14/2014 08:40 PM, h0rst wrote:
> Hello!
>
> Since I could not find any information on the internet about this subject, I'm going to try my luck on this list.
>
> I'm trying to set up network-filter on a routed setup. I have a root-server at Hetzner, a German hosting provider.
> Along with my server I ordered a (/28) subnet to be able to set up dedicated IPs for my virtual machines (KVM).
> My server is running Ubuntu 12.04 with libvirt 0.9.8. Since Hetzner does not allow any bridged traffic,

You *really* should upgrade to a newer libvirt.

> Without using Network-Filters, this setup is running as expected. All traffic is correctly forwarded to my virtual
> machines connected to "route-br0" and the following iptables-rules are created in the FORWARD chain:
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> target     prot opt in         out        source        destination
> ACCEPT     all  --  eth0       route-br0  0.0.0.0/0     1.2.3.64/28
> ACCEPT     all  --  route-br0  eth0       1.2.3.64/28   0.0.0.0/0
> ACCEPT     all  --  route-br0  route-br0  0.0.0.0/0     0.0.0.0/0
> REJECT     all  --  *          route-br0  0.0.0.0/0     0.0.0.0/0     reject-with icmp-port-unreachable
> REJECT     all  --  route-br0  *          0.0.0.0/0     0.0.0.0/0     reject-with icmp-port-unreachable

Those previous two rules are the ones added when you specify a forward dev. You don't need to do that - I would recommend removing the "dev='eth0'" from the <forward> element of the network, along with the "<interface dev='eth0'/>" subelement. This won't change operation at all, it will just make things slightly less confusing and misleading.

> When I try to set up a network-filter for a VM (a modified version of http://libvirt.org/formatnwfilter.html last example):
>
> <filter name='server-x' chain='root'>
>   <filterref filter='clean-traffic'/>
>   <rule action='accept' direction='in' priority='500'>
>     <all state='ESTABLISHED'/>
>   </rule>
>   <rule action='accept' direction='out' priority='500'>
>     <all state='ESTABLISHED,RELATED'/>
>   </rule>
>   <rule action='accept' direction='in' priority='500'>
>     <tcp state='NEW' dstportstart='22'/>
>   </rule>
>   <rule action='accept' direction='out' priority='500'>
>     <all state='NEW'/>
>   </rule>
>   <rule action='drop' direction='inout' priority='500'>
>     <all/>
>   </rule>
> </filter>
>
> and adding the filter to my interface-definition of a VM using the following syntax:
>
> <filterref filter='server-x'>
>   <parameter name='IP' value='1.2.3.70'/>
> </filterref>
>
> additional iptables-rules are getting created. The problematic rule seems to be the following:
>
> -A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
>
> which should trigger the following rules:
>
> -A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
> -A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> But this actually never happens. The FO-vnetX chain never sees any packets and my syslog says:
>
> xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore

That somehow sounded familiar, so I looked it up in the git history and found this:

http://libvirt.org/git/?p=libvirt.git;a=commit;h=65fb9d49cc9caae210977934b53d87e56429407b

That patch was included in libvirt-1.0.2, just about a year ago.

> Am I doing something wrong?

You need to upgrade your libvirt to at least 1.0.2 (preferably newer).

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
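An added audit script (not from the thread or from libvirt) that finds, in `iptables-save` style output, the condition the xt_physdev message describes: rules matching `--physdev-out` without `--physdev-is-bridged` in a chain reached from OUTPUT, FORWARD or POSTROUTING, which on a routed network silently never fire and so skip the per-VM chain they jump to. The sample rules are constructed from the ones quoted in the thread; the interface names vnet0/vnet1 are assumed.

```python
from collections import defaultdict
# Hooks where xt_physdev ignores --physdev-out for routed (non-bridged) traffic
# unless the rule also carries --physdev-is-bridged (the kernel message above).
AFFECTED_HOOKS = {"OUTPUT", "FORWARD", "POSTROUTING"}

def parse_rules(save_text):
    """Return [(chain, tokens)] from iptables-save style '-A CHAIN ...' lines."""
    rules = []
    for line in save_text.splitlines():
        tokens = line.split()
        if len(tokens) > 2 and tokens[0] == "-A":
            rules.append((tokens[1], tokens[2:]))
    return rules

def reachable_from_hooks(rules):
    """Map each chain to the affected built-in chains that reach it via -j/-g."""
    edges = defaultdict(set)
    for chain, tokens in rules:
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("-j", "-g"):
                edges[chain].add(tokens[i + 1])
    hooks = defaultdict(set)
    for root in AFFECTED_HOOKS:
        stack, seen = [root], set()
        while stack:
            chain = stack.pop()
            if chain not in seen:
                seen.add(chain)
                hooks[chain].add(root)
                stack.extend(edges[chain])
    return hooks

def find_ineffective_physdev_out(save_text):
    """Flag --physdev-out rules lacking --physdev-is-bridged in chains reached from
    an affected hook: on a routed network they never match, so the per-VM chain
    they jump to (FO-vnetX in the thread) is silently skipped."""
    rules = parse_rules(save_text)
    hooks = reachable_from_hooks(rules)
    return [(chain, " ".join(tokens), sorted(hooks[chain]))
            for chain, tokens in rules
            if "--physdev-out" in tokens and "--physdev-is-bridged" not in tokens
            and hooks[chain]]

# Constructed sample modelled on the thread's rules (not real output); vnetN names assumed.
SAMPLE = """\
-A FORWARD -j libvirt-out
-A libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0
-A libvirt-out -m physdev --physdev-out vnet1 --physdev-is-bridged -g FO-vnet1
-A FO-vnet0 -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnet0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
"""
```

Feed it `iptables-save` output from the host; every finding is a rule whose guarded chain is not being evaluated for routed traffic.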