17.14. Applying Network Filtering
17.14.1. Introduction
Network filters can be applied to interfaces of the following types:
- network
- ethernet -- must be used in bridging mode
- bridge
Example 17.1. An example of network filtering
<devices>
  <interface type='bridge'>
    <mac address='00:16:3e:5d:c7:9e'/>
    <filterref filter='clean-traffic'/>
  </interface>
</devices>
The XML of the referenced filter can be displayed with:
# virsh nwfilter-dumpxml clean-traffic
Example 17.2. Description extended
<devices>
  <interface type='bridge'>
    <mac address='00:16:3e:5d:c7:9e'/>
    <filterref filter='clean-traffic'>
      <parameter name='IP' value='10.0.0.1'/>
    </filterref>
  </interface>
</devices>
17.14.2. Filtering Chains
Filtering rules are organized in chains. A filter's chain attribute must be one of the following names, or start with one of them as a prefix:
- root
- mac
- stp (spanning tree protocol)
- vlan
- arp and rarp
- ipv4
- ipv6
Example 17.3. ARP traffic filtering
<filter name='no-arp-spoofing' chain='arp' priority='-500'>
  <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
  <rule action='drop' direction='out' priority='300'>
    <mac match='no' srcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='350'>
    <arp match='no' arpsrcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='400'>
    <arp match='no' arpsrcipaddr='$IP'/>
  </rule>
  <rule action='drop' direction='in' priority='450'>
    <arp opcode='Reply'/>
    <arp match='no' arpdstmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='in' priority='500'>
    <arp match='no' arpdstipaddr='$IP'/>
  </rule>
  <rule action='accept' direction='inout' priority='600'>
    <arp opcode='Request'/>
  </rule>
  <rule action='accept' direction='inout' priority='650'>
    <arp opcode='Reply'/>
  </rule>
  <rule action='drop' direction='inout' priority='1000'/>
</filter>
17.14.3. Filtering Chain Priorities
Chain (prefix) | Default priority |
---|---|
stp | -810 |
mac | -800 |
vlan | -750 |
ipv4 | -700 |
ipv6 | -600 |
arp | -500 |
rarp | -400 |
17.14.4. Usage of Variables in Filters
MAC is designated for the MAC address of the network interface. A filtering rule that references this variable will automatically be replaced with the MAC address of the interface. This works without the user having to explicitly provide the MAC parameter. Even though it is possible to specify the MAC parameter similar to the IP parameter above, it is discouraged since libvirt knows what MAC address an interface will be using.
IP represents the IP address that the operating system inside the virtual machine is expected to use on the given interface. The IP parameter is special in so far as the libvirt daemon will try to determine the IP address (and thus the IP parameter's value) that is being used on an interface if the parameter is not explicitly provided but referenced. For current limitations on IP address detection, consult Section 17.14.12, “Limitations” on how to use this feature and what to expect when using it. The XML file shown in Section 17.14.2, “Filtering Chains” contains the filter no-arp-spoofing, which is an example of using a network filter XML to reference the MAC and IP variables.
Referenced variables are always prefixed with the character $. The format of the value of a variable must be of the type expected by the filter attribute identified in the XML. In the above example, the IP parameter must hold a legal IP address in standard format. Failure to provide the correct structure will result in the filter variable not being replaced with a value and will prevent a virtual machine from starting or will prevent an interface from attaching when hot plugging is being used. Some of the types that are expected for each XML attribute are shown in Example 17.4, “Sample variable types”.
Example 17.4. Sample variable types
<devices>
  <interface type='bridge'>
    <mac address='00:16:3e:5d:c7:9e'/>
    <filterref filter='clean-traffic'>
      <parameter name='IP' value='10.0.0.1'/>
      <parameter name='IP' value='10.0.0.2'/>
      <parameter name='IP' value='10.0.0.3'/>
    </filterref>
  </interface>
</devices>
<rule action='accept' direction='in' priority='500'>
  <tcp srcipaddr='$IP'/>
</rule>
<rule action='accept' direction='in' priority='500'>
  <udp dstportstart='$DSTPORTS[1]'/>
</rule>
Example 17.5. Using a variety of variables
Each element of a list variable can be addressed through an iterator, using the notation $VARIABLE[@<iterator id="x">]. The following rule allows a virtual machine to receive traffic on a set of ports, which are specified in DSTPORTS, from the set of source IP addresses specified in SRCIPADDRESSES. The rule generates all combinations of elements of the variable DSTPORTS with those of SRCIPADDRESSES by using two independent iterators to access their elements.
<rule action='accept' direction='in' priority='500'>
  <ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/>
</rule>
Given, for example, the values
SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
DSTPORTS = [ 80, 8080 ]
accessing the variables as $SRCIPADDRESSES[@1] and $DSTPORTS[@2] would then result in all variants of addresses and ports being created as shown:
- 10.0.0.1, 80
- 10.0.0.1, 8080
- 11.1.2.3, 80
- 11.1.2.3, 8080
Accessing them as $SRCIPADDRESSES[@1] and $DSTPORTS[@1] would instead result in parallel access to both lists and produce the following combination:
- 10.0.0.1, 80
- 11.1.2.3, 8080
Note: $VARIABLE is short-hand for $VARIABLE[@0]. The former notation always assumes the role of iterator with iterator id="0" added, as shown in the opening paragraph at the top of this section.
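The iterator semantics above (parallel walk for a shared iterator id, cartesian product for distinct ids, $VARIABLE as short-hand for $VARIABLE[@0], and $VARIABLE[n] for a single element) are easy to get wrong when writing a rule by hand. The following Python function is an added example, not part of this guide or of libvirt: it expands a rule's attribute values into the concrete attribute sets that such a rule instantiates, using the Example 17.5 values as constructed input. The function and variable names are this example's own.

```python
import itertools
import re

# Constructed variable lists (the values of Example 17.5).
VARIABLES = {
    "SRCIPADDRESSES": ["10.0.0.1", "11.1.2.3"],
    "DSTPORTS": ["80", "8080"],
}

# $NAME, $NAME[@n] (element selected by iterator n) or $NAME[n] (the n-th element).
_REF = re.compile(r"^\$([A-Z][A-Z0-9_]*)(?:\[(@?)(\d+)\])?$")


def parse_ref(value):
    """Return (name, kind, n) with kind 'iter' or 'index'; None if value is no reference.
    A bare $NAME is short-hand for $NAME[@0]."""
    m = _REF.match(value)
    if not m:
        return None
    name, at, num = m.groups()
    if num is None:
        return name, "iter", 0
    return name, ("iter" if at else "index"), int(num)


def expand_rule(attrs, variables=VARIABLES):
    """Expand one rule's attribute dict into the concrete attribute dicts it stands for.
    Attributes sharing an iterator id walk their lists in parallel; distinct iterator
    ids produce the cartesian product of their lists."""
    fixed, by_iter = {}, {}
    for attr, value in attrs.items():
        ref = parse_ref(value)
        if ref is None:
            fixed[attr] = value
            continue
        name, kind, n = ref
        if name not in variables:
            raise KeyError(f"variable {name} referenced but not provided")
        if kind == "index":
            fixed[attr] = variables[name][n]
        else:
            by_iter.setdefault(n, []).append((attr, name))
    iterators = sorted(by_iter.items())
    # An iterator runs over the shortest list it addresses (zip semantics for parallel lists).
    ranges = [range(min(len(variables[name]) for _, name in uses)) for _, uses in iterators]
    expanded = []
    for positions in itertools.product(*ranges):
        concrete = dict(fixed)
        for (_, uses), pos in zip(iterators, positions):
            for attr, name in uses:
                concrete[attr] = variables[name][pos]
        expanded.append(concrete)
    return expanded


if __name__ == "__main__":
    rule = {"srcipaddr": "$SRCIPADDRESSES[@1]", "dstportstart": "$DSTPORTS[@2]"}
    for combo in expand_rule(rule):
        print(combo)
```

Running the block prints the four address/port combinations listed above; changing the second reference to $DSTPORTS[@1] yields only the two parallel pairs.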
17.14.5. Automatic IP Address Detection and DHCP Snooping
17.14.5.1. Introduction
The variable CTRL_IP_LEARNING can be used to specify the IP address learning method to use. Valid values include: any, dhcp, or none.
Learning the address from any packet the guest virtual machine sends (any) is the default when CTRL_IP_LEARNING is not set. This method will only detect a single IP address per interface. Once a guest virtual machine's IP address has been detected, its IP network traffic will be locked to that address, if, for example, IP address spoofing is prevented by one of its filters. In that case, the user of the VM will not be able to change the IP address on the interface inside the guest virtual machine, which would be considered IP address spoofing. When a guest virtual machine is migrated to another host physical machine or resumed after a suspend operation, the first packet sent by the guest virtual machine will again determine the IP address that the guest virtual machine can use on a particular interface.
17.14.5.2. DHCP Snooping
CTRL_IP_LEARNING=dhcp (DHCP snooping) provides additional anti-spoofing security, especially when combined with a filter allowing only trusted DHCP servers to assign IP addresses. To enable this, set the variable DHCPSERVER to the IP address of a valid DHCP server and provide filters that use this variable to filter incoming DHCP responses.
Example 17.6. Activating IPs for DHCP snooping
<interface type='bridge'>
  <source bridge='virbr0'/>
  <filterref filter='clean-traffic'>
    <parameter name='CTRL_IP_LEARNING' value='dhcp'/>
  </filterref>
</interface>
17.14.6. Reserved Variables
Variable Name | Definition |
---|---|
MAC | The MAC address of the interface |
IP | The list of IP addresses in use by an interface |
IPV6 | Not currently implemented: the list of IPV6 addresses in use by an interface |
DHCPSERVER | The list of IP addresses of trusted DHCP servers |
DHCPSERVERV6 | Not currently implemented: The list of IPv6 addresses of trusted DHCP servers |
CTRL_IP_LEARNING | The choice of the IP address detection mode |
17.14.7. Element and Attribute Overview
The root element of every network filter is <filter>, with two possible attributes. The name attribute provides a unique name of the given filter. The chain attribute is optional but allows certain filters to be better organized for more efficient processing by the firewall subsystem of the underlying host physical machine. Currently, the system only supports the following chains: root, ipv4, ipv6, arp and rarp.
17.14.8. References to Other Filters
Example 17.7. An Example of a clean traffic filter
<filter name='clean-traffic'>
  <uuid>6ef53069-ba34-94a0-d33d-17751b9b8cb1</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='allow-incoming-ipv4'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>
A filter may reference other filters; each reference is a <filterref> node that needs to be provided inside a filter node. This node must have the attribute filter whose value contains the name of the filter to be referenced.
17.14.9. Filter Rules
Example 17.8. Example of network traffic filtering
<filter name='no-ip-spoofing' chain='ipv4'>
  <uuid>fce8ae33-e69e-83bf-262e-30786c1f8072</uuid>
  <rule action='drop' direction='out' priority='500'>
    <ip match='no' srcipaddr='$IP'/>
  </rule>
</filter>
- action is mandatory and can have the following values:
  - drop (matching the rule silently discards the packet with no further analysis)
  - reject (matching the rule generates an ICMP reject message with no further analysis)
  - accept (matching the rule accepts the packet with no further analysis)
  - return (matching the rule passes this filter, but returns control to the calling filter for further analysis)
  - continue (matching the rule goes on to the next rule for further analysis)
- direction is mandatory and can have the following values:
  - in for incoming traffic
  - out for outgoing traffic
  - inout for incoming and outgoing traffic
- priority is optional. The priority of the rule controls the order in which the rule will be instantiated relative to other rules. Rules with lower values will be instantiated before rules with higher values. Valid values are in the range of -1000 to 1000. If this attribute is not provided, priority 500 will be assigned by default. Note that filtering rules in the root chain are sorted with filters connected to the root chain following their priorities. This allows filtering rules to be interleaved with access to filter chains. See Section 17.14.3, “Filtering Chain Priorities” for more information.
- statematch is optional. Possible values are '0' or 'false' to turn the underlying connection state matching off. The default setting is 'true' or 1.
In Example 17.8 the traffic of type ip is associated with the chain ipv4 and the rule has priority=500. If, for example, another filter is referenced whose traffic of type ip is also associated with the chain ipv4, then that filter's rules will be ordered relative to the priority=500 of the shown rule.
17.14.10. Supported Protocols
Each protocol has its own set of attributes, for example srcipaddr, which is valid inside the ip traffic filtering node. The following sections show what attributes are valid and what type of data they are expecting. The following datatypes are available:
- UINT8 : 8 bit integer; range 0-255
- UINT16: 16 bit integer; range 0-65535
- MAC_ADDR: MAC address in dotted decimal format, for example 00:11:22:33:44:55
- MAC_MASK: MAC address mask in MAC address format, for instance, FF:FF:FF:FC:00:00
- IP_ADDR: IP address in dotted decimal format, for example 10.1.2.3
- IP_MASK: IP address mask in either dotted decimal format (255.255.248.0) or CIDR mask (0-32)
- IPV6_ADDR: IPv6 address in numbers format, for example FFFF::1
- IPV6_MASK: IPv6 mask in numbers format (FFFF:FFFF:FC00::) or CIDR mask (0-128)
- STRING: A string
- BOOLEAN: 'true', 'yes', '1' or 'false', 'no', '0'
- IPSETFLAGS: The source and destination flags of the ipset described by up to 6 'src' or 'dst' elements selecting features from either the source or destination part of the packet header; example: src,src,dst. The number of 'selectors' to provide here depends on the type of ipset that is referenced
Every attribute except those of type IP_MASK or IPV6_MASK can be negated using the match attribute with value no. Multiple negated attributes may be grouped together. The following XML fragment shows such an example using abstract attributes.
[...]
<rule action='drop' direction='in'>
  <protocol match='no' attribute1='value1' attribute2='value2'/>
  <protocol attribute3='value3'/>
</rule>
[...]
This rule drops traffic if the protocol property attribute1 does not match value1, the protocol property attribute2 does not match value2, and the protocol property attribute3 matches value3.
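A value of the wrong datatype is only reported when the VM fails to start or the interface fails to attach, so it pays to check a filter's attribute values against these datatypes before defining it. The following Python validator is an added example, not part of this guide or of libvirt: it checks the attributes of ip, tcp, udp and mac elements against a subset of the attribute tables in the following sections (IPv4 types only), rejects attribute names that are not in the table, and refuses match='no' on IP_MASK attributes. The sample filter is constructed for the example and deliberately contains three mistakes, including a misspelled attribute name.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Checkers for the datatypes listed above (IPv4 variants only).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
L3_STRINGS = {"arp", "rarp", "ipv4", "ipv6"}
L4_STRINGS = {"tcp", "udp", "udplite", "esp", "ah", "icmp", "igmp", "sctp"}


def _uint(bits):
    def check(v):
        try:
            n = int(v, 16 if v.lower().startswith("0x") else 10)
        except ValueError:
            return False
        return 0 <= n < (1 << bits)
    return check


def _ip_addr(v):
    try:
        ipaddress.IPv4Address(v)
        return True
    except ValueError:
        return False


def _ip_mask(v):
    if v.isdigit():
        return 0 <= int(v) <= 32  # CIDR prefix length
    try:
        ipaddress.IPv4Network("0.0.0.0/" + v)  # rejects non-contiguous dotted masks
        return True
    except ValueError:
        return False


CHECKERS = {
    "UINT8": _uint(8), "UINT16": _uint(16),
    "MAC_ADDR": lambda v: bool(MAC_RE.match(v)), "MAC_MASK": lambda v: bool(MAC_RE.match(v)),
    "IP_ADDR": _ip_addr, "IP_MASK": _ip_mask,
    "STRING": lambda v: len(v) <= 256,
    "BOOLEAN": lambda v: v in {"true", "yes", "1", "false", "no", "0"},
    "L3_STRING": lambda v: v in L3_STRINGS, "L4_STRING": lambda v: v in L4_STRINGS,
}

# Attribute -> accepted datatypes per protocol element (a subset of the tables below).
_MAC = {"srcmacaddr": ("MAC_ADDR",), "srcmacmask": ("MAC_MASK",),
        "dstmacaddr": ("MAC_ADDR",), "dstmacmask": ("MAC_MASK",), "comment": ("STRING",)}
_IP = dict(_MAC, srcipaddr=("IP_ADDR",), srcipmask=("IP_MASK",),
           dstipaddr=("IP_ADDR",), dstipmask=("IP_MASK",),
           srcportstart=("UINT16",), srcportend=("UINT16",),
           dstportstart=("UINT16",), dstportend=("UINT16",))
PROTOCOLS = {
    "mac": dict(_MAC, protocolid=("UINT16", "L3_STRING")),
    "ip": dict(_IP, protocol=("UINT8", "L4_STRING")),
    "tcp": _IP, "udp": _IP,
}


def validate_filter(xml_text):
    """Return the problems found in the <rule> elements of one <filter> definition."""
    errors = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        for proto in rule:
            schema = PROTOCOLS.get(proto.tag)
            if schema is None:
                errors.append(f"unknown protocol element <{proto.tag}>")
                continue
            negated = proto.get("match") == "no"
            for attr, value in proto.attrib.items():
                if attr == "match":
                    continue
                types = schema.get(attr)
                if types is None:
                    errors.append(f"<{proto.tag}>: unknown attribute '{attr}'")
                elif negated and types[0] in ("IP_MASK", "IPV6_MASK"):
                    errors.append(f"<{proto.tag}>: '{attr}' ({types[0]}) cannot be negated")
                elif value.startswith("$"):
                    continue  # variable reference; substituted when the filter is instantiated
                elif not any(CHECKERS[t](value) for t in types):
                    errors.append(f"<{proto.tag}>: {attr}='{value}' is not a valid {'/'.join(types)}")
    return errors


# Constructed sample: the second, third and fourth rules are wrong on purpose.
SAMPLE_FILTER = """<filter name='example' chain='ipv4'>
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='10.0.0.1' dstportstart='22' dstportend='80'/>
  </rule>
  <rule action='accept' direction='in'>
    <tcp srpipaddr='10.0.0.2'/>
  </rule>
  <rule action='drop' direction='in'>
    <ip match='no' srcipaddr='10.0.0.0' srcipmask='255.255.255.0'/>
  </rule>
  <rule action='accept' direction='in'>
    <udp dstportstart='70000'/>
  </rule>
  <rule action='drop' direction='out'>
    <mac match='no' srcmacaddr='$MAC'/>
  </rule>
</filter>"""

if __name__ == "__main__":
    for problem in validate_filter(SAMPLE_FILTER):
        print(problem)
```

Values that start with $ are skipped because they are variable references that libvirt substitutes at instantiation time; the validator therefore cannot catch a parameter whose value has the wrong type, only literals written into the filter itself.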
17.14.10.1. MAC (Ethernet)
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to MAC address of sender |
dstmacaddr | MAC_ADDR | MAC address of destination |
dstmacmask | MAC_MASK | Mask applied to MAC address of destination |
protocolid | UINT16 (0x600-0xffff), STRING | Layer 3 protocol ID. Valid strings include [arp, rarp, ipv4, ipv6] |
comment | STRING | text string up to 256 characters |
[...]
<mac match='no' srcmacaddr='$MAC'/>
[...]
17.14.10.2. VLAN (802.1Q)
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to MAC address of sender |
dstmacaddr | MAC_ADDR | MAC address of destination |
dstmacmask | MAC_MASK | Mask applied to MAC address of destination |
vlan-id | UINT16 (0x0-0xfff, 0 - 4095) | VLAN ID |
encap-protocol | UINT16 (0x03c-0xfff), STRING | Encapsulated layer 3 protocol ID, valid strings are arp, ipv4, ipv6 |
comment | STRING | text string up to 256 characters |
17.14.10.3. STP (Spanning Tree Protocol)
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to MAC address of sender |
type | UINT8 | Bridge Protocol Data Unit (BPDU) type |
flags | UINT8 | BPDU flags |
root-priority | UINT16 | Root priority range start |
root-priority-hi | UINT16 (0x0-0xfff, 0 - 4095) | Root priority range end |
root-address | MAC_ADDR | root MAC Address |
root-address-mask | MAC_MASK | root MAC Address mask |
root-cost | UINT32 | Root path cost (range start) |
root-cost-hi | UINT32 | Root path cost range end |
sender-priority-hi | UINT16 | Sender priority range end |
sender-address | MAC_ADDR | BPDU sender MAC address |
sender-address-mask | MAC_MASK | BPDU sender MAC address mask |
port | UINT16 | Port identifier (range start) |
port_hi | UINT16 | Port identifier range end |
msg-age | UINT16 | Message age timer (range start) |
msg-age-hi | UINT16 | Message age timer range end |
max-age-hi | UINT16 | Maximum age time range end |
hello-time | UINT16 | Hello time timer (range start) |
hello-time-hi | UINT16 | Hello time timer range end |
forward-delay | UINT16 | Forward delay (range start) |
forward-delay-hi | UINT16 | Forward delay range end |
comment | STRING | text string up to 256 characters |
17.14.10.4. ARP/RARP
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to MAC address of sender |
dstmacaddr | MAC_ADDR | MAC address of destination |
dstmacmask | MAC_MASK | Mask applied to MAC address of destination |
hwtype | UINT16 | Hardware type |
protocoltype | UINT16 | Protocol type |
opcode | UINT16, STRING | Opcode valid strings are: Request, Reply, Request_Reverse, Reply_Reverse, DRARP_Request, DRARP_Reply, DRARP_Error, InARP_Request, ARP_NAK |
arpsrcmacaddr | MAC_ADDR | Source MAC address in ARP/RARP packet |
arpdstmacaddr | MAC_ADDR | Destination MAC address in ARP/RARP packet |
arpsrcipaddr | IP_ADDR | Source IP address in ARP/RARP packet |
arpdstipaddr | IP_ADDR | Destination IP address in ARP/RARP packet |
gratuitous | BOOLEAN | Boolean indicating whether to check for a gratuitous ARP packet |
comment | STRING | text string up to 256 characters |
17.14.10.5. IPv4
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to MAC address of sender |
dstmacaddr | MAC_ADDR | MAC address of destination |
dstmacmask | MAC_MASK | Mask applied to MAC address of destination |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
protocol | UINT8, STRING | Layer 4 protocol identifier. Valid strings for protocol are: tcp, udp, udplite, esp, ah, icmp, igmp, sctp |
srcportstart | UINT16 | Start of range of valid source ports; requires protocol |
srcportend | UINT16 | End of range of valid source ports; requires protocol |
dstportstart | UINT16 | Start of range of valid destination ports; requires protocol |
dstportend | UINT16 | End of range of valid destination ports; requires protocol |
comment | STRING | text string up to 256 characters |
17.14.10.6. IPv6
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to MAC address of sender |
dstmacaddr | MAC_ADDR | MAC address of destination |
dstmacmask | MAC_MASK | Mask applied to MAC address of destination |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
protocol | UINT8, STRING | Layer 4 protocol identifier. Valid strings for protocol are: tcp, udp, udplite, esp, ah, icmpv6, sctp |
srcportstart | UINT16 | Start of range of valid source ports; requires protocol |
srcportend | UINT16 | End of range of valid source ports; requires protocol |
dstportstart | UINT16 | Start of range of valid destination ports; requires protocol |
dstportend | UINT16 | End of range of valid destination ports; requires protocol |
comment | STRING | text string up to 256 characters |
17.14.10.7. TCP/UDP/SCTP
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
srcipfrom | IP_ADDR | Start of range of source IP address |
srcipto | IP_ADDR | End of range of source IP address |
dstipfrom | IP_ADDR | Start of range of destination IP address |
dstipto | IP_ADDR | End of range of destination IP address |
srcportstart | UINT16 | Start of range of valid source ports; requires protocol |
srcportend | UINT16 | End of range of valid source ports; requires protocol |
dstportstart | UINT16 | Start of range of valid destination ports; requires protocol |
dstportend | UINT16 | End of range of valid destination ports; requires protocol |
comment | STRING | text string up to 256 characters |
state | STRING | comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE |
flags | STRING | TCP-only: format of mask/flags with mask and flags each being a comma separated list of SYN,ACK,URG,PSH,FIN,RST or NONE or ALL |
ipset | STRING | The name of an IPSet managed outside of libvirt |
ipsetflags | IPSETFLAGS | flags for the IPSet; requires ipset attribute |
17.14.10.8. ICMP
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to the MAC address of the sender |
dstmacaddr | MAC_ADDR | MAC address of the destination |
dstmacmask | MAC_MASK | Mask applied to the MAC address of the destination |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
srcipfrom | IP_ADDR | start of range of source IP address |
srcipto | IP_ADDR | end of range of source IP address |
dstipfrom | IP_ADDR | Start of range of destination IP address |
dstipto | IP_ADDR | End of range of destination IP address |
type | UINT16 | ICMP type |
code | UINT16 | ICMP code |
comment | STRING | text string up to 256 characters |
state | STRING | comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE |
ipset | STRING | The name of an IPSet managed outside of libvirt |
ipsetflags | IPSETFLAGS | flags for the IPSet; requires ipset attribute |
17.14.10.9. IGMP, ESP, AH, UDPLITE, 'ALL'
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcmacmask | MAC_MASK | Mask applied to the MAC address of the sender |
dstmacaddr | MAC_ADDR | MAC address of the destination |
dstmacmask | MAC_MASK | Mask applied to the MAC address of the destination |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
srcipfrom | IP_ADDR | start of range of source IP address |
srcipto | IP_ADDR | end of range of source IP address |
dstipfrom | IP_ADDR | Start of range of destination IP address |
dstipto | IP_ADDR | End of range of destination IP address |
comment | STRING | text string up to 256 characters |
state | STRING | comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE |
ipset | STRING | The name of an IPSet managed outside of libvirt |
ipsetflags | IPSETFLAGS | flags for the IPSet; requires ipset attribute |
17.14.10.10. TCP/UDP/SCTP over IPV6
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
srcipfrom | IP_ADDR | start of range of source IP address |
srcipto | IP_ADDR | end of range of source IP address |
dstipfrom | IP_ADDR | Start of range of destination IP address |
dstipto | IP_ADDR | End of range of destination IP address |
srcportstart | UINT16 | Start of range of valid source ports |
srcportend | UINT16 | End of range of valid source ports |
dstportstart | UINT16 | Start of range of valid destination ports |
dstportend | UINT16 | End of range of valid destination ports |
comment | STRING | text string up to 256 characters |
state | STRING | comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE |
ipset | STRING | The name of an IPSet managed outside of libvirt |
ipsetflags | IPSETFLAGS | flags for the IPSet; requires ipset attribute |
17.14.10.11. ICMPv6
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
srcipfrom | IP_ADDR | start of range of source IP address |
srcipto | IP_ADDR | end of range of source IP address |
dstipfrom | IP_ADDR | Start of range of destination IP address |
dstipto | IP_ADDR | End of range of destination IP address |
type | UINT16 | ICMPv6 type |
code | UINT16 | ICMPv6 code |
comment | STRING | text string up to 256 characters |
state | STRING | comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE |
ipset | STRING | The name of an IPSet managed outside of libvirt |
ipsetflags | IPSETFLAGS | flags for the IPSet; requires ipset attribute |
17.14.10.12. IGMP, ESP, AH, UDPLITE, 'ALL' over IPv6
Attribute Name | Datatype | Definition |
---|---|---|
srcmacaddr | MAC_ADDR | MAC address of sender |
srcipaddr | IP_ADDR | Source IP address |
srcipmask | IP_MASK | Mask applied to source IP address |
dstipaddr | IP_ADDR | Destination IP address |
dstipmask | IP_MASK | Mask applied to destination IP address |
srcipfrom | IP_ADDR | start of range of source IP address |
srcipto | IP_ADDR | end of range of source IP address |
dstipfrom | IP_ADDR | Start of range of destination IP address |
dstipto | IP_ADDR | End of range of destination IP address |
comment | STRING | text string up to 256 characters |
state | STRING | comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE |
ipset | STRING | The name of an IPSet managed outside of libvirt |
ipsetflags | IPSETFLAGS | flags for the IPSet; requires ipset attribute |
17.14.11. Advanced Filter Configuration Topics
17.14.11.1. Connection tracking
Example 17.9. XML example for turning off connection state matching on a TCP port
[...]
<rule direction='in' action='accept' statematch='false'>
  <tcp dstportstart='12345'/>
</rule>
[...]
17.14.11.2. Limiting number of connections
Example 17.10. XML sample file that sets limits to connections
[...]
<rule action='drop' direction='in' priority='400'>
  <tcp connlimit-above='1'/>
</rule>
<rule action='accept' direction='in' priority='500'>
  <tcp dstportstart='22'/>
</rule>
<rule action='drop' direction='out' priority='400'>
  <icmp connlimit-above='1'/>
</rule>
<rule action='accept' direction='out' priority='500'>
  <icmp/>
</rule>
<rule action='accept' direction='out' priority='500'>
  <udp dstportstart='53'/>
</rule>
<rule action='drop' direction='inout' priority='1000'>
  <all/>
</rule>
[...]
Note: The ICMP connection tracking timeout can be adjusted in sysfs with the following command:
# echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
This command sets the ICMP connection tracking timeout to 3 seconds. The effect of this is that once one ping is terminated, another one can start after 3 seconds.
17.14.11.3. Command-line tools
All commands related to the network filtering subsystem start with the prefix nwfilter. The following commands are available:
- nwfilter-list: lists UUIDs and names of all network filters
- nwfilter-define: defines a new network filter or updates an existing one (must supply a name)
- nwfilter-undefine: deletes a specified network filter (must supply a name). Do not delete a network filter currently in use.
- nwfilter-dumpxml: displays a specified network filter (must supply a name)
- nwfilter-edit: edits a specified network filter (must supply a name)
17.14.11.4. Pre-existing network filters
Filter Name | Description |
---|---|
allow-arp | Accepts all incoming and outgoing Address Resolution Protocol (ARP) traffic to a guest virtual machine. |
no-arp-spoofing, no-arp-mac-spoofing, and no-arp-ip-spoofing | These filters prevent a guest virtual machine from spoofing ARP traffic. In addition, they only allow ARP request and reply messages, and enforce that the MAC and IP addresses carried in those packets match the interface's (compare Example 17.3, “ARP traffic filtering”). |
allow-dhcp | Allows a guest virtual machine to request an IP address via DHCP (from any DHCP server). |
allow-dhcp-server | Allows a guest virtual machine to request an IP address from a specified DHCP server. The dotted decimal IP address of the DHCP server must be provided in a reference to this filter. The name of the variable must be DHCPSERVER. |
allow-ipv4 | Accepts all incoming and outgoing IPv4 traffic to a virtual machine. |
allow-incoming-ipv4 | Accepts only incoming IPv4 traffic to a virtual machine. This filter is a part of the clean-traffic filter. |
no-ip-spoofing | Prevents a guest virtual machine from sending IP packets with a source IP address different from the one inside the packet. This filter is a part of the clean-traffic filter. |
no-ip-multicast | Prevents a guest virtual machine from sending IP multicast packets. |
no-mac-broadcast | Prevents outgoing IPv4 traffic to a specified MAC address. This filter is a part of the clean-traffic filter. |
no-other-l2-traffic | Prevents all layer 2 networking traffic except traffic specified by other filters used by the network. This filter is a part of the clean-traffic filter. |
no-other-rarp-traffic , qemu-announce-self , qemu-announce-self-rarp | These filters allow QEMU's self-announce Reverse Address Resolution Protocol (RARP) packets, but prevent all other RARP traffic. All of them are also included in the clean-traffic filter. |
clean-traffic | Prevents MAC, IP and ARP spoofing. This filter references several other filters as building blocks. |
17.14.11.5. Writing your own filters
Custom filters can be written for the following protocols:
- mac
- stp (spanning tree protocol)
- vlan (802.1Q)
- arp, rarp
- ipv4
- ipv6
Example 17.11. Creating a custom filter
- prevents a VM's interface from MAC, IP and ARP spoofing
- opens only TCP ports 22 and 80 of a VM's interface
- allows the VM to send ping traffic from an interface but not let the VM be pinged on the interface
- allows the VM to do DNS lookups (UDP towards port 53)
The requirement to prevent spoofing is fulfilled by the existing clean-traffic network filter, thus the way to do this is to reference it from a custom filter.
Assuming the guest virtual machine is called test and the interface to associate our filter with is called eth0, a filter is created named test-eth0.
<filter name='test-eth0'>
  <!-- This rule references the clean traffic filter to prevent MAC, IP and ARP spoofing.
       By not providing an IP address parameter, libvirt will detect the IP address the
       guest virtual machine is using. -->
  <filterref filter='clean-traffic'/>
  <!-- This rule enables TCP ports 22 (ssh) and 80 (http) to be reachable -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='accept' direction='in'>
    <tcp dstportstart='80'/>
  </rule>
  <!-- This rule enables general ICMP traffic to be initiated by the guest virtual machine
       including ping traffic -->
  <rule action='accept' direction='out'>
    <icmp/>
  </rule>
  <!-- This rule enables outgoing DNS lookups using UDP -->
  <rule action='accept' direction='out'>
    <udp dstportstart='53'/>
  </rule>
  <!-- This rule drops all other traffic -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>
</filter>
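To see how chain priorities (Section 17.14.3), rule priorities (Section 17.14.9) and filter references combine for a filter like test-eth0, the following Python model is added here as an example; it is not part of this guide or of libvirt, and its filter definitions are reduced, constructed versions of the filters named above. It flattens a filter tree onto the root chain, orders the resulting blocks by chain priority and rule priority, and evaluates constructed packet summaries against that order. It does not model connection tracking, so replies to accepted incoming connections, which libvirt's statematch lets through, would show as dropped here; traffic no rule matches is assumed to be accepted, which is why the examples end with an explicit drop-all rule.

```python
import xml.etree.ElementTree as ET

# Default chain priorities from Section 17.14.3 (the root chain has none).
CHAIN_PRIORITY = {"stp": -810, "mac": -800, "vlan": -750, "ipv4": -700,
                  "ipv6": -600, "arp": -500, "rarp": -400}
# Packet kinds a chain or a protocol element applies to; None means every frame.
IPV4 = {"tcp", "udp", "icmp"}
CHAIN_SCOPE = {"root": None, "mac": None, "arp": {"arp"}, "ipv4": IPV4}
ELEMENT_SCOPE = {"mac": None, "arp": {"arp"}, "all": IPV4, "ip": IPV4,
                 "tcp": {"tcp"}, "udp": {"udp"}, "icmp": {"icmp"}}
# Rule attribute -> packet field it is compared with (a subset of the attribute tables).
FIELDS = {"srcmacaddr": "srcmac", "srcipaddr": "srcip", "arpsrcipaddr": "srcip",
          "opcode": "opcode", "dstportstart": "dstport", "srcportstart": "srcport"}

# Constructed filter set: reduced versions of the filters referenced by clean-traffic
# plus the test-eth0 filter above (the filters libvirt ships are fuller than these).
FILTER_XML = """<filters>
<filter name='no-mac-spoofing' chain='mac'>
  <rule action='drop' direction='out'><mac match='no' srcmacaddr='$MAC'/></rule>
</filter>
<filter name='no-ip-spoofing' chain='ipv4'>
  <rule action='drop' direction='out'><ip match='no' srcipaddr='$IP'/></rule>
</filter>
<filter name='no-arp-spoofing' chain='arp' priority='-500'>
  <rule action='drop' direction='out' priority='400'><arp match='no' arpsrcipaddr='$IP'/></rule>
  <rule action='accept' direction='inout' priority='600'><arp opcode='Request'/></rule>
  <rule action='drop' direction='inout' priority='1000'/>
</filter>
<filter name='clean-traffic'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
</filter>
<filter name='test-eth0'>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in'><tcp dstportstart='22'/></rule>
  <rule action='accept' direction='in'><tcp dstportstart='80'/></rule>
  <rule action='accept' direction='out'><icmp/></rule>
  <rule action='accept' direction='out'><udp dstportstart='53'/></rule>
  <rule action='drop' direction='inout'><all/></rule>
</filter>
</filters>"""
FILTERS = {f.get("name"): f for f in ET.fromstring(FILTER_XML)}
PARAMS = {"MAC": "00:16:3e:5d:c7:9e", "IP": "10.0.0.1"}  # constructed interface parameters


def chain_priority(filt):
    """An explicit priority on <filter> wins, else the default of the chain prefix."""
    if filt.get("priority") is not None:
        return int(filt.get("priority"))
    return CHAIN_PRIORITY.get(filt.get("chain", "root").split("-")[0], 0)


def flatten(name):
    """Yield (sort key, chain, rules) blocks as they attach to the root chain: a root-chain
    rule keys on its own priority, a non-root filter enters as one block at its chain
    priority with its rules sorted by rule priority."""
    filt = FILTERS[name]
    chain = filt.get("chain", "root")
    if chain != "root":
        yield chain_priority(filt), chain, sorted(
            filt.findall("rule"), key=lambda r: int(r.get("priority", 500)))
        return
    for child in filt:
        if child.tag == "rule":
            yield int(child.get("priority", 500)), "root", [child]
        elif child.tag == "filterref":
            yield from flatten(child.get("filter"))


def ordered_blocks(name):
    return sorted(flatten(name), key=lambda b: b[0])  # stable: ties keep XML order


def element_matches(elem, pkt, params):
    scope = ELEMENT_SCOPE[elem.tag]
    if scope is not None and pkt["proto"] not in scope:
        return False
    negate = elem.get("match") == "no"
    for attr, raw in elem.attrib.items():
        if attr not in FIELDS:
            continue  # 'match' and attributes this model does not track
        value = params[raw[1:]] if raw.startswith("$") else raw
        if attr.endswith("portstart"):
            hi = elem.get(attr.replace("start", "end"), value)
            hit = int(value) <= pkt.get(FIELDS[attr], -1) <= int(hi)
        else:
            hit = str(pkt.get(FIELDS[attr])) == value
        if hit == negate:  # with match='no' every listed attribute must NOT match
            return False
    return True


def evaluate(top, pkt, params=PARAMS):
    """Action applied to pkt: first accept/drop/reject hit in priority order, else accept."""
    for _, chain, rules in ordered_blocks(top):
        scope = CHAIN_SCOPE[chain]
        if scope is not None and pkt["proto"] not in scope:
            continue
        for rule in rules:
            if rule.get("direction") not in (pkt["direction"], "inout"):
                continue
            if all(element_matches(e, pkt, params) for e in rule):
                action = rule.get("action")
                if action in ("accept", "drop", "reject"):
                    return action
                if action == "return":
                    break
    return "accept"


def packet(direction, proto, **fields):
    """Constructed packet summary; the source defaults to the guest's own MAC and IP."""
    return {"direction": direction, "proto": proto, "srcmac": PARAMS["MAC"],
            "srcip": PARAMS["IP"], **fields}
```

Calling ordered_blocks("test-eth0") shows the mac (-800), ipv4 (-700) and arp (-500) chains ahead of every root rule (default priority 500), which is why an outgoing DNS query with a spoofed source IP is dropped by no-ip-spoofing before the root rule that would accept UDP port 53 is ever consulted.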
17.14.11.6. Sample custom filter
Example 17.12. Sample XML for network interface descriptions
[...]
<interface type='bridge'>
  <source bridge='mybridge'/>
  <filterref filter='test-eth0'/>
</interface>
[...]
To restrict ICMP to outgoing echo requests and incoming echo replies, the general ICMP rule can be replaced by the following two rules:
<!-- enable outgoing ICMP echo requests -->
<rule action='accept' direction='out'>
  <icmp type='8'/>
</rule>
<!-- enable incoming ICMP echo replies -->
<rule action='accept' direction='in'>
  <icmp type='0'/>
</rule>
Example 17.13. Second example custom filter
- prevents a guest virtual machine's interface from MAC, IP, and ARP spoofing
- opens only TCP ports 22 and 80 in a guest virtual machine's interface
- allows the guest virtual machine to send ping traffic from an interface but does not allow the guest virtual machine to be pinged on the interface
- allows the guest virtual machine to do DNS lookups (UDP towards port 53)
- enables the ftp server (in active mode) so it can run inside the guest virtual machine
<filter name='test-eth0'>
  <!-- This filter (eth0) references the clean traffic filter to prevent MAC, IP, and ARP
       spoofing. By not providing an IP address parameter, libvirt will detect the IP
       address the guest virtual machine is using. -->
  <filterref filter='clean-traffic'/>
  <!-- This rule enables TCP port 21 (FTP-control) to be reachable -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='21'/>
  </rule>
  <!-- This rule enables TCP port 20 for guest virtual machine-initiated FTP data
       connections related to an existing FTP control connection -->
  <rule action='accept' direction='out'>
    <tcp srcportstart='20' state='RELATED,ESTABLISHED'/>
  </rule>
  <!-- This rule accepts all packets from a client on the FTP data connection -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='20' state='ESTABLISHED'/>
  </rule>
  <!-- This rule enables TCP port 22 (SSH) to be reachable -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='22'/>
  </rule>
  <!-- This rule enables TCP port 80 (HTTP) to be reachable -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='80'/>
  </rule>
  <!-- This rule enables general ICMP traffic to be initiated by the guest virtual machine,
       including ping traffic -->
  <rule action='accept' direction='out'>
    <icmp/>
  </rule>
  <!-- This rule enables outgoing DNS lookups using UDP -->
  <rule action='accept' direction='out'>
    <udp dstportstart='53'/>
  </rule>
  <!-- This rule drops all other traffic -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>
</filter>
Because the FTP data connection is only recognized as RELATED by a connection tracking helper, load that helper on the host before using this filter: modprobe nf_conntrack_ftp where available, or modprobe ip_conntrack_ftp if the above is not available.
The same requirements can also be met with a filter that relies on connection tracking (the state attribute) to accept the packets of established and related connections:
<filter name='test-eth0'>
  <!-- This filter references the clean traffic filter to prevent MAC, IP and ARP spoofing.
       By not providing an IP address parameter, libvirt will detect the IP address the
       VM is using. -->
  <filterref filter='clean-traffic'/>
  <!-- This rule allows the packets of all previously accepted connections to reach the
       guest virtual machine -->
  <rule action='accept' direction='in'>
    <all state='ESTABLISHED'/>
  </rule>
  <!-- This rule allows the packets of all previously accepted and related connections to
       be sent from the guest virtual machine -->
  <rule action='accept' direction='out'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <!-- This rule enables traffic towards port 21 (FTP) and port 22 (SSH) -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='21' dstportend='22' state='NEW'/>
  </rule>
  <!-- This rule enables traffic towards port 80 (HTTP) -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='80' state='NEW'/>
  </rule>
  <!-- This rule enables general ICMP traffic to be initiated by the guest virtual machine,
       including ping traffic -->
  <rule action='accept' direction='out'>
    <icmp state='NEW'/>
  </rule>
  <!-- This rule enables outgoing DNS lookups using UDP -->
  <rule action='accept' direction='out'>
    <udp dstportstart='53' state='NEW'/>
  </rule>
  <!-- This rule drops all other traffic -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>
</filter>
17.14.12. Limitations
- VM migration is only supported if the whole filter tree that is referenced by a guest virtual machine's top level filter is also available on the target host physical machine. The network filter clean-traffic for example should be available on all libvirt installations and thus enable migration of guest virtual machines that reference this filter. To assure version compatibility is not a problem, make sure you are using the most current version of libvirt by updating the package regularly.
- Migration must occur between libvirt installations of version 0.8.1 or later in order not to lose the network traffic filters associated with an interface.
- VLAN (802.1Q) packets, if sent by a guest virtual machine, cannot be filtered with rules for protocol IDs arp, rarp, ipv4 and ipv6. They can only be filtered with protocol IDs, MAC and VLAN. Therefore, the example filter clean-traffic of Example 17.1, “An example of network filtering” will not work as expected.