nwfilter direction not being used when protocol all


Watson / Kyle:

(note I copied the list)

While I read https://libvirt.org/formatnwfilter.html#nwfelemsRulesProtoMisc, it is not clear that it is intended to add the iptables action without regard to the rule’s direction.

Take the following rule scenarios:

  <rule action='' direction='in' priority='500' statematch='false'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='' direction='in' priority='1000'>
    <all/>
  </rule>

# iptables-save  | grep vnet5 | tee in
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5

  <rule action='' direction='in' priority='500' statematch='false'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='' direction='out' priority='1000'>
    <all/>
  </rule>

# iptables-save  | grep vnet5 | tee out
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5

  <rule action='' direction='in' priority='500' statematch='false'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='' direction='inout' priority='1000'>
    <all/>
  </rule>

# iptables-save  | grep vnet5 | tee inout
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5

We note that the following

-A HI-vnet5 -j DROP
-A FI-vnet5 -j DROP
-A FO-vnet5 -j DROP

are present without regard to the state of the direction attribute on the “default” drop rule.

If the direction is “in” then the “-A FI-vnet5 -j DROP” should not exist.

What does the source code say? I worry that either the docs are imprecise and this is desired, or there is a bug and I can end up like https://superuser.com/questions/1660080/in-libvirt-network-filters-nwfilter-what-does-the-all-protocol-type-indicat

As this is going to be a generic rule, applied many times, I would prefer not to have MAC-based source allow rules.

-Jason
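A small check a practitioner can run over the `iptables-save` output quoted above to make the direction question visible: it parses the per-interface FI-/FO-/HI- chains and reports every unconditional, non-RETURN rule that sits in a chain where a rule of the stated direction should not apply its action. This is an added example, not part of the post or of libvirt; the mapping from nwfilter direction to chain prefix is an assumption inferred from the output above (the direction='in' dport-22 ACCEPT landed in FO-vnet5, the mirrored --sport 22 RETURN entries in FI-vnet5 and HI-vnet5), and the sample input is the post's own listing embedded as a constant.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the iptables-save lines for vnet5 quoted in the
# post above (identical across the in / out / inout variants).
IPTABLES_SAVE = """\
:FI-vnet5 - [0:0]
:FO-vnet5 - [0:0]
:HI-vnet5 - [0:0]
-A FI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A FI-vnet5 -j DROP
-A FO-vnet5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FO-vnet5 -j DROP
-A HI-vnet5 -p tcp -m tcp --sport 22 -j RETURN
-A HI-vnet5 -j DROP
-A libvirt-host-in -m physdev --physdev-in vnet5 -g HI-vnet5
-A libvirt-in -m physdev --physdev-in vnet5 -g FI-vnet5
-A libvirt-in-post -m physdev --physdev-in vnet5 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnet5 --physdev-is-bridged -g FO-vnet5
"""

# ASSUMED mapping (inferred from the listing above, not from libvirt docs or
# source): chain prefixes in which a rule of a given nwfilter direction is
# expected to apply its action. FO-<iface> carries traffic towards the VM
# (physdev-out), FI-/HI-<iface> carry traffic leaving the VM (physdev-in).
ACTION_CHAINS: Dict[str, Set[str]] = {
    "in": {"FO"},
    "out": {"FI", "HI"},
    "inout": {"FI", "FO", "HI"},
}

PER_IFACE_PREFIXES = ("FI", "FO", "HI")

# "-A <chain> [match spec] -j|-g <target>"
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<match>.*?)\s-[jg]\s(?P<target>\S+)$")


def parse_rules(text: str, iface: str) -> List[Tuple[str, str, str]]:
    """Return (chain_prefix, match_spec, target) for every -A rule that lives
    in one of the per-interface chains FI-/FO-/HI-<iface>."""
    rules: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # chain declarations, comments, unrelated lines
        prefix, sep, name = m.group("chain").partition("-")
        if sep != "-" or name != iface or prefix not in PER_IFACE_PREFIXES:
            continue  # e.g. libvirt-in, libvirt-host-in dispatch chains
        rules.append((prefix, m.group("match").strip(), m.group("target")))
    return rules


def catch_all_violations(text: str, iface: str, direction: str) -> List[str]:
    """List the unconditional (no match spec), non-RETURN rules found in
    chains where a rule of `direction` should not apply its action.

    RETURN entries are skipped because they are the mirrored reverse-traffic
    rules libvirt emits alongside the real action."""
    allowed = ACTION_CHAINS[direction]
    violations: List[str] = []
    for prefix, match, target in parse_rules(text, iface):
        if match == "" and target != "RETURN" and prefix not in allowed:
            violations.append(f"-A {prefix}-{iface} -j {target}")
    return violations


if __name__ == "__main__":
    for direction in ("in", "out", "inout"):
        bad = catch_all_violations(IPTABLES_SAVE, "vnet5", direction)
        print(f"direction={direction!r}: "
              + (", ".join(bad) if bad else "no out-of-direction catch-all rules"))
```

Run against a live host by replacing the constant with `subprocess.check_output(["iptables-save"], text=True)` and the interface name with the guest's tap device; a non-empty result for the direction you configured is the condition the post describes, while an empty result for `inout` is the expected baseline.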

