[libvirt-users] Problems when filtering on icmpv6

Guido Winkelmann guido-libvi at unknownsite.de
Wed Nov 7 16:53:42 UTC 2012


Hi,

I am trying to prevent my qemu guest machines from sending IPv6 router 
advertisements over their network device. To that end, I have written this 
filter definition:

<filter name='no-ipv6-router-advertisement' chain='root' priority='-690'>
  <rule action='drop' direction='out' priority='600'>
    <icmpv6 type='134'/>
  </rule>
  <rule action='drop' direction='out' priority='600'>
    <icmpv6 type='153'/>
  </rule>
</filter>

As soon as I try to use this filter, though, I get the following error (in 
virsh):

error: Error while building firewall: Some rules could not be created for interface vnet0: Failure to execute command '$IPT -A libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0' : 'ip6tables: No chain/target/match by that name.'.

I am (trying to) use this filter by including it in here:

<filter name='clean-traffic-with-v6' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-dhcp-server'/>
  <rule action='accept' direction='out' priority='-650'>
    <mac protocolid='ipv4'/>
  </rule>
  <filterref filter='allow-incoming-ipv4'/>
  <filterref filter='no-ipv6-spoofing'/>
  <filterref filter='no-ipv6-router-advertisement'/>
  <filterref filter='no-dhcpv6-server'/>
  <rule action='accept' direction='out' priority='-600'>
    <mac protocolid='ipv6'/>
  </rule>
  <filterref filter='allow-incoming-ipv6'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>

Without the line
<filterref filter='no-ipv6-router-advertisement'/>
this filter works fine.

When running a domain with this filter without the no-ipv6-router-advertisement filterref, my ip6tables look like this:

# ip6tables-save 
# Generated by ip6tables-save v1.4.13 on Wed Nov  7 17:46:32 2012
*mangle
:PREROUTING ACCEPT [146:12680]
:INPUT ACCEPT [103:9704]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [172:14184]
:POSTROUTING ACCEPT [172:14184]
COMMIT
# Completed on Wed Nov  7 17:46:32 2012
# Generated by ip6tables-save v1.4.13 on Wed Nov  7 17:46:32 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:libvirt-host-in - [0:0]
:libvirt-in - [0:0]
:libvirt-in-post - [0:0]
:libvirt-out - [0:0]
-A INPUT -j libvirt-host-in
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A FORWARD -j libvirt-in-post
COMMIT
# Completed on Wed Nov  7 17:46:32 2012

This is with libvirt 0.10.2.

Does anybody have an idea what is happening here or how I could debug this 
further?

Regards,

	Guido
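As an added example (not from the post and not libvirt's own code), the script below parses the nwfilter definition quoted in the message, names the ICMPv6 types it matches, checks that an outbound drop for type 134 (Router Advertisement) is present, and renders the matches as plain ip6tables commands for review. The type names are taken from RFC 4443, RFC 4861 and RFC 4286. The chain name FP-vnet0 is an assumption borrowed from the error message, and the ip6tables rendering is an approximation for reading the filter, not a reproduction of how libvirt builds its per-interface chains.

```python
"""Parse a libvirt nwfilter definition and report what ICMPv6 traffic it drops.

Added example for the libvirt-users thread; not code from libvirt or the poster.
"""
import xml.etree.ElementTree as ET

# ICMPv6 type numbers and names from RFC 4443, RFC 4861 and RFC 4286.
ICMPV6_TYPES = {
    1: "Destination Unreachable",
    2: "Packet Too Big",
    3: "Time Exceeded",
    4: "Parameter Problem",
    128: "Echo Request",
    129: "Echo Reply",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    137: "Redirect",
    151: "Multicast Router Advertisement",
    152: "Multicast Router Solicitation",
    153: "Multicast Router Termination",
}

ROUTER_ADVERTISEMENT = 134

# The filter from the post, embedded so the script runs offline.
FILTER_XML = """<filter name='no-ipv6-router-advertisement' chain='root' priority='-690'>
  <rule action='drop' direction='out' priority='600'>
    <icmpv6 type='134'/>
  </rule>
  <rule action='drop' direction='out' priority='600'>
    <icmpv6 type='153'/>
  </rule>
</filter>"""


def parse_icmpv6_rules(xml_text):
    """Return one dict per <rule> that carries an <icmpv6> match, in document order."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("rule"):
        for match in rule.findall("icmpv6"):
            type_attr = match.get("type")
            icmp_type = int(type_attr) if type_attr is not None else None
            rules.append({
                "action": rule.get("action"),
                # 'out' means traffic leaving the guest, 'in' traffic entering it.
                "direction": rule.get("direction"),
                # libvirt documents 500 as the default rule priority.
                "priority": int(rule.get("priority", "500")),
                "type": icmp_type,
                "name": (ICMPV6_TYPES.get(icmp_type, "unassigned/unknown")
                         if icmp_type is not None else "any ICMPv6"),
            })
    return rules


def covers_router_advertisement(rules):
    """True when some rule drops ICMPv6 type 134 leaving the guest."""
    return any(
        r["action"] == "drop"
        and r["direction"] in ("out", "inout")
        and r["type"] == ROUTER_ADVERTISEMENT
        for r in rules
    )


def to_ip6tables(rules, chain="FP-vnet0"):
    """Render the matches as plain ip6tables commands for review.

    The chain name is an assumption taken from the error message in the post;
    libvirt's real per-interface chain layout is not reproduced here.
    """
    action_map = {"drop": "DROP", "accept": "ACCEPT", "reject": "REJECT"}
    cmds = []
    for r in rules:
        target = action_map.get(r["action"], r["action"].upper())
        cmd = f"ip6tables -A {chain} -p icmpv6"
        if r["type"] is not None:
            cmd += f" --icmpv6-type {r['type']}"
        cmds.append(f"{cmd} -j {target}")
    return cmds


if __name__ == "__main__":
    parsed = parse_icmpv6_rules(FILTER_XML)
    for r in parsed:
        print(f"{r['action']:6} {r['direction']:5} prio={r['priority']} "
              f"icmpv6 type {r['type']} ({r['name']})")
    print("drops router advertisements:", covers_router_advertisement(parsed))
    for cmd in to_ip6tables(parsed):
        print(cmd)
```

Running the script prints each rule with the human-readable name of its ICMPv6 type, which is a quick way to confirm before deployment that the numeric types in a filter are the ones intended, and the rendered ip6tables lines give a reviewer something concrete to compare against the output of `ip6tables-save` once the filter does load.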
