[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] Virtual network iptables rules



On Thu, Apr 05, 2007 at 08:28:57AM +0100, Mark McLoughlin wrote:
> Hi Dan,
> 
> On Thu, 2007-04-05 at 02:44 +0100, Daniel P. Berrange wrote:
> > Warning, this is a long & complicated email with lots of horrible details :-)
> > 
> > I've long been a little confused with the way iptables & bridging interacts,
> > so set out to do some experiments. I added a -j LOG rule to every single chain
> > in both the filter & nat tables, and then tried various traffic patterns, to
> > see which chains were traversed & in which order. 
> 
> 	Nice work ...
> 
> > Scenario 2: Virtual network
> > ===========================
> > 
> >   net.bridge.bridge-nf-call-iptables = 1
> > 
> >   Host:  eth0 -> Internet
> >          virbr0 -> MASQUERADE to eth0
> > 
> >   Guest: vif1.0 -> virbr0
> > 
> > 
> > Traffic: Guest -> Google
> > ------------------------
> > 
> > Out:
> > 
> > NAT-PREROUTING  IN=virbr0 OUT=       PHYSIN=vif1.0 SRC=192.168.122.47 DST=64.233.167.99
> > FORWARD         IN=virbr0 OUT=eth0   PHYSIN=vif1.0 SRC=192.168.122.47 DST=64.233.167.99
> > NAT-POSTROUTING IN=       OUT=eth0   PHYSIN=vif1.0 SRC=192.168.122.47 DST=64.233.167.99
> 
> 	This really suprises me - I would have expected another one like:
> 
> FORWARD         IN=virbr0 OUT=virbr0 PHYSIN=vif1.0 PHYSOUT=virb0  SRC=192.168.122.47 DST=64.233.167.99
> 
> 	Is it because the packets are coming in on bridge interface we don't
> see any physdev matching? So, we would see it with Guest->Guest?

I'll check up on the DomU<->DomU case - that may well exhibit a FORWARD traversal with
both a PHYSIN & PHYSOUT match.

> > For virtual networks there are basically 3 types of networking config we need to represent
> > in terms of iptables rules, and these need to work for scenrios 1 & 2 - ie regardless of
> > the magic sysctl knob.
> 
> 	Well, IMHO, we should never be switching off the sysctl knob ourselves
> - i.e. we shouldn't have it in xen/scripts/network-bridge - but I take
> the point that a user might switch it off.

Yeah, I don't much like it either, but the Fedora Xen bridge scripts turn the
setting off - principally so that traffic for bridged guests doesn't get hit
by the Dom0 iptables rules.

> 
> >   Problem: The INPUT rules are missing altogether for the isolated virtual network
> >            so potentially DHCP/DNS will be blocked
> >  Solution: Add them - simple bug.
> 
> 	I fixed this in CVS, didn't I?

Yeah - I was comparing against the official 0.2.1 release which I happen to have
an RPM installed of.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]