Hello People.

I have produced a very simple network filter that does not work as I would expect. Perhaps one of you knows what I did wrong?

I made this little filter:

    <filter name='my-test-no-ip-spoofing' priority='-700'>
      <rule action='drop' direction='out' priority='-999'>
        <all match='no' srcipaddr='$IP'/>
      </rule>
    </filter>

I could attach it directly to a VM (and defined an IP address in the network interface there). Then it produced iptables rules that look like this:

    Chain FI-vnetnn (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *      !IP                   0.0.0.0/0

(This is the rule governing the input via the virtual device into the bridge; it is as expected.)

    Chain HI-vnetnn (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *      !IP                   0.0.0.0/0

(This is the rule governing the input to the host; I would expect this too.)

    Chain FO-vnetnn (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0           !IP

This is the rule governing the output via the virtual device from the bridge (i.e. packets coming from the network). I specifically asked to filter outgoing traffic. This one I don't understand. Perhaps somebody has a hint?

On the other hand, this filter works as expected, with no rule on "FO-vnetnn":

    <filter name='my-no-mac-spoofing' priority='-800'>
      <rule action='drop' direction='out'>
        <all match='no' srcmacaddr='$MAC'/>
      </rule>
    </filter>

I used libvirt with qemu on Ubuntu 13.10. (Version 1.1.1-0ubuntu8.5)

I am grateful for any helpful comments.

Sincerely

Matthias Babisch
IT/Organisation
b+m Informatik AG
Rotenhofer Weg 20
24109 Melsdorf
T +49 4340/404-1444
F +49 4340/404-111
M +49 160/8866426
matthias.babisch@xxxxxxxx

Current information at www.bmiag.de
b+m Informatik AG is a company of the Allgeier Group
Chairman of the Supervisory Board: Dr. Marcus Goedsche
Executive Board: Dipl-Ing. Frank Mielke
District Court (Amtsgericht) Kiel, HRB 5526
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users