> -----Original Message-----
> From: Jason Pyeron
> Sent: Monday, October 11, 2021 8:49 AM
> To: Kyle Marek; Michael Watson Jr
> Cc: libvirt-users
>
> Watson / Kyle:
>
> (note I copied the list)
>
> While I read https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoMisc , it is not
> clear that it is intended to add the iptables action without regard to the rule's
> direction.
>
> Take the following rule scenarios:
>
>   <rule action='accept' direction='in' priority='500' statematch='false'>
>     <tcp dstportstart='22'/>
>   </rule>
>   <rule action='drop' direction='in' priority='1000'>
>     <all/>
>   </rule>
>
> # iptables-save | grep vnet5 | tee in
> :FI-vnet5 - [0:0]
> :FO-vnet5 - [0:0]
> :HI-vnet5 - [0:0]
> -A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A FI-vnet5 -j DROP
> -A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FO-vnet5 -j DROP
> -A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A HI-vnet5 -j DROP
> -A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
> -A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
> -A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
> -A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
>
>   <rule action='accept' direction='in' priority='500' statematch='false'>
>     <tcp dstportstart='22'/>
>   </rule>
>   <rule action='drop' direction='out' priority='1000'>
>     <all/>
>   </rule>
>
> # iptables-save | grep vnet5 | tee out
> :FI-vnet5 - [0:0]
> :FO-vnet5 - [0:0]
> :HI-vnet5 - [0:0]
> -A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A FI-vnet5 -j DROP
> -A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FO-vnet5 -j DROP
> -A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A HI-vnet5 -j DROP
> -A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
> -A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
> -A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
> -A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
>
>   <rule action='accept' direction='in' priority='500' statematch='false'>
>     <tcp dstportstart='22'/>
>   </rule>
>   <rule action='drop' direction='inout' priority='1000'>
>     <all/>
>   </rule>
>
> # iptables-save | grep vnet5 | tee inout
> :FI-vnet5 - [0:0]
> :FO-vnet5 - [0:0]
> :HI-vnet5 - [0:0]
> -A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A FI-vnet5 -j DROP
> -A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FO-vnet5 -j DROP
> -A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
> -A HI-vnet5 -j DROP
> -A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
> -A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
> -A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
> -A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
>
> We note that the
>
> -A HI-vnet5 -j DROP
> -A FI-vnet5 -j DROP
> -A FO-vnet5 -j DROP
>
> is present without regard to the state of the direction attribute on the "default" drop
> rule.
>
> If the direction is "in" then the "-A FI-vnet5 -j DROP" should not exist.
>
> What does the source code say? I worry that either the docs are imprecise and this is
> desired, or there is a bug and I can end up like

After looking at libvirt-4.5.0/src/nwfilter/nwfilter_ebiptables_driver.c's _iptablesCreateRuleInstance and iptablesCreateRuleInstanceStateCtrl, I saw the if statements like the below.

1598     if (directionIn && !inout) {
1599         if ((rule->flags & IPTABLES_STATE_FLAGS))
1600             create = false;
1601     }

1629     if (!directionIn) {
1630         if ((rule->flags & IPTABLES_STATE_FLAGS))
1631             create = false;
1632     }

Is the only way to respect the direction to have <all state='something...'/> ? If that is the case the docs really need an update to note this.

For others, my deny inbound, allow outbound was accomplished by:

  <rule action='accept' direction='in' priority='999'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='drop' direction='in' priority='1000'>
    <all state='NONE'/>
  </rule>

-Jason
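The post's three iptables-save captures are the evidence that the catch-all DROP lands in every per-interface chain regardless of the rule's direction attribute. The script below is an added example, not code from the thread or from libvirt: it parses such a capture, finds the match-everything rule in each FI/FO/HI chain for one interface, and reports the chains whose terminal DROP lies in a direction the administrator did not intend to block. The chain-to-direction mapping is an inference from the post's own output (the direction='in' accept for dstport 22 appears in FO-vnet5 as --dport 22 ACCEPT, and in FI/HI-vnet5 as --sport 22 RETURN), so FO-* is treated as traffic heading to the guest and FI-*/HI-* as traffic coming from it. The sample input is the post's "in" capture, embedded so the script runs offline.

```python
import re

# Constructed sample input: the iptables-save excerpt from the post's
# direction='in' scenario, embedded so the check runs without a host.
SAMPLE = """\
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
"""

# Assumed mapping, inferred from the post's output: FO-* filters traffic
# heading to the guest, FI-*/HI-* filter traffic coming from the guest.
CHAIN_DIRECTION = {"FO": "to-guest", "FI": "from-guest", "HI": "from-guest"}

RULE_RE = re.compile(r"^-A (\S+) (.*)$")


def parse_rules(text, iface):
    """Return {chain: [(match_tokens, target), ...]} for the chains of one interface."""
    chains = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # chain declarations (":FI-vnet5 - [0:0]") and blanks
        chain, rest = m.group(1), m.group(2).split()
        if not chain.endswith("-" + iface):
            continue  # dispatch rules in libvirt-in/libvirt-out etc.
        target, match_tokens = None, rest
        for i, tok in enumerate(rest):
            if tok in ("-j", "-g") and i + 1 < len(rest):
                target, match_tokens = rest[i + 1], rest[:i]
                break
        chains.setdefault(chain, []).append((match_tokens, target))
    return chains


def catch_all_targets(text, iface):
    """Map each per-interface chain to the target of its first match-everything rule."""
    result = {}
    for chain, rules in parse_rules(text, iface).items():
        result[chain] = None
        for match_tokens, target in rules:
            if not match_tokens:  # no match options: applies to every packet
                result[chain] = target
                break
    return result


def unexpected_drops(text, iface, intended_drop):
    """Chains ending in DROP whose direction is not in intended_drop.

    intended_drop is a set of labels from CHAIN_DIRECTION values."""
    bad = []
    for chain, target in sorted(catch_all_targets(text, iface).items()):
        direction = CHAIN_DIRECTION.get(chain.split("-", 1)[0])
        if target == "DROP" and direction not in intended_drop:
            bad.append(chain)
    return bad


if __name__ == "__main__":
    # Intent from the post: block only traffic toward the guest (direction='in').
    print(catch_all_targets(SAMPLE, "vnet5"))
    print(unexpected_drops(SAMPLE, "vnet5", {"to-guest"}))
```

Run against a live host with `iptables-save | grep vnet5` piped in place of SAMPLE; an empty list from unexpected_drops means the generated chains match the intended direction, while FI/HI entries mean the catch-all DROP has spilled into the guest-to-network path, which is exactly what the post observed before switching to `<all state='NONE'/>`.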