External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-07-07 18:35:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
1bbcc79e0e
libvirt/docs/formatnwfilter.html.in
Aleksandr Alekseev d467144cf2 doc: document new filters and not documented ones 
Signed-off-by: Aleksandr Alekseev <alexander.alekseev@virtuozzo.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-11-04 17:21:45 +01:00

2472 lines
85 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<h1>Network Filters</h1>
<ul id="toc">
</ul>
<p>
This page provides an introduction to libvirt's network filters,
their goals, concepts and XML format.
</p>
<h2><a id="goals">Goals and background</a></h2>
<p>
The goal of the network filtering XML is to enable administrators
of a virtualized system to configure and enforce network traffic
filtering rules on virtual
machines and manage the parameters of network traffic that
virtual machines
are allowed to send or receive.
The network traffic filtering rules are
applied on the host when a virtual machine is started. Since the
filtering rules
cannot be circumvented from within
the virtual machine, it makes them mandatory from the point of
view of a virtual machine user.
<br/><br/>
The network filter subsystem allows each virtual machine's network
traffic filtering rules to be configured individually on a per
interface basis. The rules are
applied on the host when the virtual machine is started and can be modified
while the virtual machine is running. The latter can be achieved by
modifying the XML description of a network filter.
<br/><br/>
Multiple virtual machines can make use of the same generic network filter.
When such a filter is modified, the network traffic filtering rules
of all running virtual machines that reference this filter are updated.
<br/><br/>
Network filtering support is available <span class="since">since 0.8.1
(QEMU, KVM)</span>
</p>
<h2><a id="nwfconcepts">Concepts</a></h2>
<p>
The network traffic filtering subsystem enables configuration
of network traffic filtering rules on individual network
interfaces that are configured for certain types of
network configurations. Supported network types are
</p>
<ul>
<li><code>network</code></li>
<li><code>ethernet</code> -- must be used in bridging mode</li>
<li><code>bridge</code></li>
</ul>
<p>
The interface XML is used to reference a top-level filter. In the
following example, the interface description references
the filter <code>clean-traffic</code>.
</p>
<pre>
...
&lt;devices&gt;
&lt;interface type='bridge'&gt;
&lt;mac address='00:16:3e:5d:c7:9e'/&gt;
&lt;filterref filter='clean-traffic'/&gt;
&lt;/interface&gt;
&lt;/devices&gt;
...</pre>
<p>
Network filters are written in XML and may either contain references
to other filters, contain rules for traffic filtering, or
hold a combination of both. The above referenced filter
<code>clean-traffic </code> is a filter that only contains references to
other filters and no actual filtering rules. Since references to
other filters can be used, a <i>tree</i> of filters can be built.
The <code>clean-traffic</code> filter can be viewed using the
command <code>virsh nwfilter-dumpxml clean-traffic</code>.
<br/><br/>
As previously mentioned, a single network filter can be referenced
by multiple virtual machines. Since interfaces will typically
have individual parameters associated with their respective traffic
filtering rules, the rules described in a filter XML can
be parameterized with variables. In this case, the variable name
is used in the filter XML and the name and value are provided at the
place where the filter is referenced. In the
following example, the interface description has been extended with
the parameter <code>IP</code> and a dotted IP address as value.
</p>
<pre>
...
&lt;devices&gt;
&lt;interface type='bridge'&gt;
&lt;mac address='00:16:3e:5d:c7:9e'/&gt;
&lt;filterref filter='clean-traffic'&gt;
&lt;parameter name='IP' value='10.0.0.1'/&gt;
&lt;/filterref&gt;
&lt;/interface&gt;
&lt;/devices&gt;
...</pre>
<p>
In this particular example, the <code>clean-traffic</code> network
traffic filter will be instantiated with the IP address parameter
10.0.0.1 and enforce that the traffic from this interface will
always be using 10.0.0.1 as the source IP address, which is
one of the purposes of this particular filter.
<br/><br/>
</p>
<h3><a id="nwfconceptschains">Filtering chains</a></h3>
<p>
Filtering rules are organized in filter chains. These chains can be
thought of as having a tree structure with packet
filtering rules as entries in individual chains (branches). <br/>
Packets start their filter evaluation in the <code>root</code> chain
and can then continue their evaluation in other chains, return from
those chains back into the <code>root</code> chain or be
dropped or accepted by a filtering rule in one of the traversed chains.
<br/>
Libvirt's network filtering system automatically creates individual
<code>root</code> chains for every virtual machine's network interface
on which the user chooses to activate traffic filtering.
The user may write filtering rules that are either directly instantiated
in the <code>root</code> chain or may create protocol-specific
filtering chains for efficient evaluation of protocol-specific rules.
The following chains exist:
</p>
<ul>
<li>root</li>
<li>mac <span class="since">(since 0.9.8)</span></li>
<li>stp (spanning tree protocol)
<span class="since">(since 0.9.8)</span></li>
<li>vlan (802.1Q) <span class="since">(since 0.9.8)</span></li>
<li>arp, rarp</li>
<li>ipv4</li>
<li>ipv6</li>
</ul>
<p>
<span class="since">Since 0.9.8</span> multiple chains evaluating the
<code>mac</code>, <code>stp</code>, <code>vlan</code>,
<code>arp</code>, <code>rarp</code>, <code>ipv4</code>, or
<code>ipv6</code> protocol can be created using
the protocol name only as a prefix in the chain's name. This for
examples allows chains with names <code>arp-xyz</code> or
<code>arp-test</code> to be specified and have ARP protocol packets
evaluated in those chains.
<br/><br/>
The following filter shows an example of filtering ARP traffic
in the <code>arp</code> chain.
</p>
<pre>
&lt;filter name='no-arp-spoofing' chain='arp' priority='-500'&gt;
&lt;uuid&gt;f88f1932-debf-4aa1-9fbe-f10d3aa4bc95&lt;/uuid&gt;
&lt;rule action='drop' direction='out' priority='300'&gt;
&lt;mac match='no' srcmacaddr='$MAC'/&gt;
&lt;/rule&gt;
&lt;rule action='drop' direction='out' priority='350'&gt;
&lt;arp match='no' arpsrcmacaddr='$MAC'/&gt;
&lt;/rule&gt;
&lt;rule action='drop' direction='out' priority='400'&gt;
&lt;arp match='no' arpsrcipaddr='$IP'/&gt;
&lt;/rule&gt;
&lt;rule action='drop' direction='in' priority='450'&gt;
&lt;arp opcode='Reply'/&gt;
&lt;arp match='no' arpdstmacaddr='$MAC'/&gt;
&lt;/rule&gt;
&lt;rule action='drop' direction='in' priority='500'&gt;
&lt;arp match='no' arpdstipaddr='$IP'/&gt;
&lt;/rule&gt;
&lt;rule action='accept' direction='inout' priority='600'&gt;
&lt;arp opcode='Request'/&gt;
&lt;/rule&gt;
&lt;rule action='accept' direction='inout' priority='650'&gt;
&lt;arp opcode='Reply'/&gt;
&lt;/rule&gt;
&lt;rule action='drop' direction='inout' priority='1000'/&gt;
&lt;/filter&gt;
</pre>
<p>
The consequence of putting ARP-specific rules in the <code>arp</code>
chain, rather than for example in the <code>root</code> chain, is that
packets for any other protocol than ARP do not need to be evaluated by
ARP protocol-specific rules. This improves the efficiency
of the traffic filtering. However, one must then pay attention to only
put filtering rules for the given protocol into the chain since
any other rules will not be evaluated, i.e., an IPv4 rule will not
be evaluated in the ARP chain since no IPv4 protocol packets will
traverse the ARP chain.
<br/><br/>
</p>
<h3><a id="nwfconceptschainpriorities">Filtering chain priorities</a></h3>
<p>
All chains are connected to the <code>root</code> chain. The order in
which those chains are accessed is influenced by the priority of the
chain. The following table shows the chains that can be assigned a
priority and their default priorities.
</p>
<table class="top_table">
<tr>
<th> Chain (prefix) </th>
<th> Default priority </th>
</tr>
<tr>
<td>stp</td><td>-810</td>
</tr>
<tr>
<td>mac</td><td>-800</td>
</tr>
<tr>
<td>vlan</td><td>-750</td>
</tr>
<tr>
<td>ipv4</td><td>-700</td>
</tr>
<tr>
<td>ipv6</td><td>-600</td>
</tr>
<tr>
<td>arp</td><td>-500</td>
</tr>
<tr>
<td>rarp</td><td>-400</td>
</tr>
</table>
<p>
A chain with a lower priority value is accessed before one with a
higher value.
<br/>
<span class="since">Since 0.9.8</span> the above listed chains
can be assigned custom priorities by writing a value in the
range [-1000, 1000] into the priority (XML) attribute in the filter
node. The above example filter shows the default priority of -500
for <code>arp</code> chains.
</p>
<h3><a id="nwfconceptsvars">Usage of variables in filters</a></h3>
<p>
Two variables names have so far been reserved for usage by the
network traffic filtering subsystem: <code>MAC</code> and
<code>IP</code>.
<br/><br/>
<code>MAC</code> is the MAC address of the
network interface. A filtering rule that references this variable
will automatically be instantiated with the MAC address of the
interface. This works without the user having to explicitly provide
the MAC parameter. Even though it is possible to specify the MAC
parameter similar to the IP parameter above, it is discouraged
since libvirt knows what MAC address an interface will be using.
<br/><br/>
The parameter <code>IP</code> represents the IP address
that the operating system inside the virtual machine is expected
to use on the given interface. The <code>IP</code> parameter
is special in so far as the libvirt daemon will try to determine
the IP address (and thus the IP parameter's value) that is being
used on an interface if the parameter
is not explicitly provided but referenced.
For current limitations on IP address detection, consult the
<a href="#nwflimits">section on limitations</a> on how to use this
feature and what to expect when using it.
<br/><br/>
The above-shown network filer <code>no-arp-spoofing</code>
is an example of
a network filter XML referencing the <code>MAC</code> and
<code>IP</code> variables.
<br/><br/>
Note that referenced variables are always prefixed with the
$ (dollar) sign. The format of the value of a variable
must be of the type expected by the filter attribute in the
XML. In the above example, the <code>IP</code> parameter
must hold a dotted IP address in decimal numbers format.
Failure to provide the correct
value type will result in the filter not being instantiatable
and will prevent a virtual machine from starting or the
interface from attaching when hotplugging is used. The types
that are expected for each XML attribute are shown
below.
<br/><br/>
<span class="since">Since 0.9.8</span> variables can contain lists of
elements, e.g., the variable <code>IP</code> can contain multiple IP
addresses that are valid on a particular interface. The notation for
providing multiple elements for the IP variable is:
</p>
<pre>
...
&lt;devices&gt;
&lt;interface type='bridge'&gt;
&lt;mac address='00:16:3e:5d:c7:9e'/&gt;
&lt;filterref filter='clean-traffic'&gt;
&lt;parameter name='IP' value='10.0.0.1'/&gt;
&lt;parameter name='IP' value='10.0.0.2'/&gt;
&lt;parameter name='IP' value='10.0.0.3'/&gt;
&lt;/filterref&gt;
&lt;/interface&gt;
&lt;/devices&gt;
...</pre>
<p>
This then allows filters to enable multiple IP addresses
per interface. Therefore, with the list
of IP address shown above, the following rule will create 3
individual filtering rules, one for each IP address.
</p>
<pre>
...
&lt;rule action='accept' direction='in' priority='500'&gt;
&lt;tcp srpipaddr='$IP'/&gt;
&lt;/rule&gt;
...
</pre>
<p>
<span class="since">Since 0.9.10</span> it is possible to access
individual elements of a variable holding a list of elements.
A filtering rule like the following accesses the 2nd element
of the variable DSTPORTS.
</p>
<pre>
...
&lt;rule action='accept' direction='in' priority='500'&gt;
&lt;udp dstportstart='$DSTPORTS[1]'/&gt;
&lt;/rule&gt;
...
</pre>
<p>
<span class="since">Since 0.9.10</span> it is possible to create
filtering rules that instantiate all combinations of rules from
different lists using the notation of
<code>$VARIABLE[@&lt;iterator ID&gt;]</code>.
The following rule allows a virtual machine to
receive traffic on a set of ports, which are specified in DSTPORTS,
from the set of source IP address specified in SRCIPADDRESSES.
The rule generates all combinations of elements of the variable
DSTPORT with those of SRCIPADDRESSES by using two independent
iterators to access their elements.
</p>
<pre>
...
&lt;rule action='accept' direction='in' priority='500'&gt;
&lt;ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/&gt;
&lt;/rule&gt;
...
</pre>
<p>
In an example we assign concrete values to SRCIPADDRESSES and DSTPORTS
</p>
<pre>
SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
DSTPORTS = [ 80, 8080 ]
</pre>
<p>
Accessing the variables using $SRCIPADDRESSES[@1] and $DSTPORTS[@2] would
then result in all combinations of addresses and ports being created:
</p>
<pre>
10.0.0.1, 80
10.0.0.1, 8080
11.1.2.3, 80
11.1.2.3, 8080
</pre>
<p>
Accessing the same variables using a single iterator, for example by using
the notation $SRCIPADDRESSES[@1] and $DSTPORTS[@1], would result in
parallel access to both lists and result in the following combinations:
</p>
<pre>
10.0.0.1, 80
11.1.2.3, 8080
</pre>
<p>
Further, the notation of $VARIABLE is short-hand for $VARIABLE[@0]. The
former notation always assumes the iterator with Id '0'.
</p>
<h3><a id="nwfelemsRulesAdvIPAddrDetection">Automatic IP address detection</a></h3>
<p>
The detection of IP addresses used on a virtual machine's interface
is automatically activated if the variable <code>IP</code> is referenced
but no value has been assigned to it.
<span class="since">Since 0.9.13</span>
the variable <code>CTRL_IP_LEARNING</code> can be used to specify
the IP address learning method to use. Valid values are <code>any</code>,
<code>dhcp</code>, or <code>none</code>.
<br/><br/>
The value <code>any</code> means that libvirt may use any packet to
determine the address in use by a virtual machine, which is the default
behavior if the variable <code>CTRL_IP_LEARNING</code> is not set. This method
will only detect a single IP address on an interface.
Once a VM's IP address has been detected, its IP network traffic
will be locked to that address, if for example IP address spoofing
is prevented by one of its filters. In that case the user of the VM
will not be able to change the IP address on the interface inside
the VM, which would be considered IP address spoofing.
When a VM is migrated to another host or resumed after a suspend operation,
the first packet sent by the VM will again determine the IP address it can
use on a particular interface.
<br/>
A value of <code>dhcp</code> specifies that libvirt should only honor DHCP
server-assigned addresses with valid leases. This method supports the detection
and usage of multiple IP address per interface.
When a VM is resumed after a suspend operation, still valid IP address leases
are applied to its filters. Otherwise the VM is expected to again use DHCP to obtain new
IP addresses. The migration of a VM to another physical host requires that
the VM again runs the DHCP protocol.
<br/><br/>
Use of <code>CTRL_IP_LEARNING=dhcp</code> (DHCP snooping) provides additional
anti-spoofing security, especially when combined with a filter allowing
only trusted DHCP servers to assign addresses. To enable this, set the
variable <code>DHCPSERVER</code> to the IP address of a valid DHCP server
and provide filters that use this variable to filter incoming DHCP responses.
<br/><br/>
When DHCP snooping is enabled and the DHCP lease expires,
the VM will no longer be able to use the IP address until it acquires a
new, valid lease from a DHCP server. If the VM is migrated, it must get
a new valid DHCP lease to use an IP address (e.g., by
bringing the VM interface down and up again).
<br/><br/>
Note that automatic DHCP detection listens to the DHCP traffic
the VM exchanges with the DHCP server of the infrastructure. To avoid
denial-of-service attacks on libvirt, the evaluation of those packets
is rate-limited, meaning that a VM sending an excessive number of DHCP
packets per second on an interface will not have all of those packets
evaluated and thus filters may not get adapted. Normal DHCP client
behavior is assumed to send a low number of DHCP packets per second.
Further, it is important to setup appropriate filters on all VMs in
the infrastructure to avoid them being able to send DHCP
packets. Therefore VMs must either be prevented from sending UDP and TCP
traffic from port 67 to port 68 or the <code>DHCPSERVER</code>
variable should be used on all VMs to restrict DHCP server messages to
only be allowed to originate from trusted DHCP servers. At the same
time anti-spoofing prevention must be enabled on all VMs in the subnet.
<br/><br/>
If <code>CTRL_IP_LEARNING</code> is set to <code>none</code>, libvirt does not do
IP address learning and referencing <code>IP</code> without assigning it an
explicit value is an error.
<br/><br/>
The following XML provides an example for the activation of IP address learning
using the DHCP snooping method:
</p>
<pre>
&lt;interface type='bridge'&gt;
&lt;source bridge='virbr0'/&gt;
&lt;filterref filter='clean-traffic'&gt;
&lt;parameter name='CTRL_IP_LEARNING' value='dhcp'/&gt;
&lt;/filterref&gt;
&lt;/interface&gt;
</pre>
<h3><a id="nwfelemsReservedVars">Reserved Variables</a></h3>
<p>
The following table lists reserved variables in use by libvirt.
</p>
<table class="top_table">
<tr>
<th> Variable Name </th>
<th> Semantics </th>
</tr>
<tr>
<td> MAC </td>
<td> The MAC address of the interface </td>
</tr>
<tr>
<td> IP </td>
<td> The list of IP addresses in use by an interface </td>
</tr>
<tr>
<td> IPV6 </td>
<td> The list of IPV6 addresses in use by an interface </td>
</tr>
<tr>
<td> DHCPSERVER </td>
<td> The list of IP addresses of trusted DHCP servers</td>
</tr>
<tr>
<td> DHCPSERVERV6 </td>
<td> Not currently implemented:
The list of IPv6 addresses of trusted DHCP servers</td>
</tr>
<tr>
<td> CTRL_IP_LEARNING </td>
<td> The choice of the IP address detection mode </td>
</tr>
</table>
<h2><a id="nwfelems">Element and attribute overview</a></h2>
<p>
The root element required for all network filters is
named <code>filter</code> with two possible attributes. The
<code>name</code> attribute provides a unique name of the
given filter. The <code>chain</code> attribute is optional but
allows certain filters to be better organized for more efficient
processing by the firewall subsystem of the underlying host.
Currently the system only supports the chains <code>root,
ipv4, ipv6, arp and rarp</code>.
</p>
<h3><a id="nwfelemsRefs">References to other filters</a></h3>
<p>
Any filter may hold references to other filters. Individual
filters may be referenced multiple times in a filter tree but
references between filters must not introduce loops (directed
acyclic graph).
<br/><br/>
The following shows the XML of the <code>clean-traffic</code>
network filter referencing several other filters.
</p>
<pre>
&lt;filter name='clean-traffic'&gt;
&lt;uuid&gt;6ef53069-ba34-94a0-d33d-17751b9b8cb1&lt;/uuid&gt;
&lt;filterref filter='no-mac-spoofing'/&gt;
&lt;filterref filter='no-ip-spoofing'/&gt;
&lt;filterref filter='allow-incoming-ipv4'/&gt;
&lt;filterref filter='no-arp-spoofing'/&gt;
&lt;filterref filter='no-other-l2-traffic'/&gt;
&lt;filterref filter='qemu-announce-self'/&gt;
&lt;/filter&gt;
</pre>
<p>
To reference another filter, the XML node <code>filterref</code>
needs to be provided inside a <code>filter</code> node. This
node must have the attribute <code>filter</code> whose value contains
the name of the filter to be referenced.
<br/><br/>
New network filters can be defined at any time and
may contain references to network filters that are
not known to libvirt, yet. However, once a virtual machine
is started or a network interface
referencing a filter is to be hotplugged, all network filters
in the filter tree must be available. Otherwise the virtual
machine will not start or the network interface cannot be
attached.
</p>
<h3><a id="nwfelemsRules">Filter rules</a></h3>
<p>
The following XML shows a simple example of a network
traffic filter implementing a rule to drop traffic if
the IP address (provided through the value of the
variable IP) in an outgoing IP packet is not the expected
one, thus preventing IP address spoofing by the VM.
</p>
<pre>
&lt;filter name='no-ip-spoofing' chain='ipv4'&gt;
&lt;uuid&gt;fce8ae33-e69e-83bf-262e-30786c1f8072&lt;/uuid&gt;
&lt;rule action='drop' direction='out' priority='500'&gt;
&lt;ip match='no' srcipaddr='$IP'/&gt;
&lt;/rule&gt;
&lt;/filter&gt;
</pre>
<p>
A traffic filtering rule starts with the <code>rule</code>
node. This node may contain up to three attributes
</p>
<ul>
<li>
action -- mandatory; must either be <code>drop</code>
(matching the rule silently discards the packet with no
further analysis),
<code>reject</code> (matching the rule generates an ICMP
reject message with no further analysis) <span class="since">(since
0.9.0)</span>, <code>accept</code> (matching the rule accepts
the packet with no further analysis), <code>return</code>
(matching the rule passes this filter, but returns control to
the calling filter for further
analysis) <span class="since">(since 0.9.7)</span>,
or <code>continue</code> (matching the rule goes on to the next
rule for further analysis) <span class="since">(since
0.9.7)</span>.
</li>
<li>
direction -- mandatory; must either be <code>in</code>, <code>out</code> or
<code>inout</code> if the rule is for incoming,
outgoing or incoming-and-outgoing traffic
</li>
<li>
priority -- optional; the priority of the rule controls the order in
which the rule will be instantiated relative to other rules.
Rules with lower value will be instantiated before rules with higher
values.
Valid values are in the range of 0 to 1000.
<span class="since">Since 0.9.8</span> this has been extended to cover
the range of -1000 to 1000. If this attribute is not
provided, priority 500 will automatically be assigned.
<br/>
Note that filtering rules in the <code>root</code> chain are sorted
with filters connected to the <code>root</code> chain following
their priorities. This allows to interleave filtering rules with
access to filter chains.
(See also section on
<a href="#nwfconceptschainpriorities">
filtering chain priorities
</a>.)
</li>
<li>
statematch -- optional; possible values are '0' or 'false' to
turn the underlying connection state matching off; default is 'true'
<br/>
Also read the section on <a href="#nwfelemsRulesAdv">advanced configuration</a>
topics.
</li>
</ul>
<p>
The above example indicates that the traffic of type <code>ip</code>
will be associated with the chain 'ipv4' and the rule will have
priority 500. If for example another filter is referenced whose
traffic of type <code>ip</code> is also associated with the chain
'ipv4' then that filter's rules will be ordered relative to the priority
500 of the shown rule.
<br/><br/>
A rule may contain a single rule for filtering of traffic. The
above example shows that traffic of type <code>ip</code> is to be
filtered.
</p>
<h4><a id="nwfelemsRulesProto">Supported protocols</a></h4>
<p>
The following sections enumerate the list of protocols that
are supported by the network filtering subsystem. The
type of traffic a rule is supposed to filter on is provided
in the <code>rule</code> node as a nested node. Depending
on the traffic type a rule is filtering, the attributes are
different. The above example showed the single
attribute <code>srcipaddr</code> that is valid inside the
<code>ip</code> traffic filtering node. The following sections
show what attributes are valid and what type of data they are
expecting. The following datatypes are available:
</p>
<ul>
<li>UINT8 : 8 bit integer; range 0-255</li>
<li>UINT16: 16 bit integer; range 0-65535</li>
<li>MAC_ADDR: MAC address in dotted decimal format, i.e., 00:11:22:33:44:55</li>
<li>MAC_MASK: MAC address mask in MAC address format, i.e., FF:FF:FF:FC:00:00</li>
<li>IP_ADDR: IP address in dotted decimal format, i.e., 10.1.2.3</li>
<li>IP_MASK: IP address mask in either dotted decimal format (255.255.248.0) or CIDR mask (0-32)</li>
<li>IPV6_ADDR: IPv6 address in numbers format, i.e., FFFF::1</li>
<li>IPV6_MASK: IPv6 mask in numbers format (FFFF:FFFF:FC00::) or CIDR mask (0-128)</li>
<li>STRING: A string</li>
<li>BOOLEAN: 'true', 'yes', '1' or 'false', 'no', '0'</li>
<li>IPSETFLAGS: The source and destination flags of the ipset described
by up to 6 'src' or 'dst' elements selecting features from either
the source or destination part of the packet header; example:
src,src,dst. The number of 'selectors' to provide here depends
on the type of ipset that is referenced.</li>
</ul>
<p>
<br/><br/>
Every attribute except for those of type IP_MASK or IPV6_MASK can
be negated using the <code>match</code>
attribute with value <code>no</code>. Multiple negated attributes
may be grouped together. The following
XML fragment shows such an example using abstract attributes.
</p>
<pre>
[...]
&lt;rule action='drop' direction='in'&gt;
&lt;protocol match='no' attribute1='value1' attribute2='value2'/&gt;
&lt;protocol attribute3='value3'/&gt;
&lt;/rule&gt;
[...]
</pre>
<p>
Rules perform a logical AND evaluation on all values of the given
protocol attributes. Thus, if a single attribute's value does not match
the one given in the rule, the whole rule will be skipped during
evaluation. Therefore, in the above example incoming traffic
will only be dropped if
the protocol property attribute1 does not match value1 AND
the protocol property attribute2 does not match value2 AND
the protocol property attribute3 matches value3.
<br/><br/>
</p>
<h5><a id="nwfelemsRulesProtoMAC">MAC (Ethernet)</a></h5>
<p>
Protocol ID: <code>mac</code>
<br/>
Note: Rules of this type should go into the <code>root</code> chain.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of sender</td>
</tr>
<tr>
<td>dstmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of destination</td>
</tr>
<tr>
<td>dstmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of destination</td>
</tr>
<tr>
<td>protocolid</td>
<td>UINT16 (0x600-0xffff), STRING</td>
<td>Layer 3 protocol ID</td>
</tr>
<tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
</table>
<p>
Valid Strings for <code>protocolid</code> are: arp, rarp, ipv4, ipv6
</p>
<pre>
[...]
&lt;mac match='no' srcmacaddr='$MAC'/&gt;
[...]
</pre>
<h5><a id="nwfelemsRulesProtoVLAN">VLAN (802.1Q)</a>
<span class="since">(Since 0.9.8)</span>
</h5>
<p>
Protocol ID: <code>vlan</code>
<br/>
Note: Rules of this type should go either into the <code>root</code> or
<code>vlan</code> chain.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of sender</td>
</tr>
<tr>
<td>dstmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of destination</td>
</tr>
<tr>
<td>dstmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of destination</td>
</tr>
<tr>
<td>vlanid</td>
<td>UINT16 (0x0-0xfff, 0 - 4095)</td>
<td>VLAN ID</td>
</tr>
<tr>
<td>encap-protocol</td>
<td>UINT16 (0x03c-0xfff), String</td>
<td>Encapsulated layer 3 protocol ID</td>
</tr>
<tr>
<td>comment </td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
</table>
<p>
Valid Strings for <code>encap-protocol</code> are: arp, ipv4, ipv6
</p>
<h5><a id="nwfelemsRulesProtoSTP">STP (Spanning Tree Protocol)</a>
<span class="since">(Since 0.9.8)</span>
</h5>
<p>
Protocol ID: <code>stp</code>
<br/>
Note: Rules of this type should go either into the <code>root</code> or
<code>stp</code> chain.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of sender</td>
</tr>
<tr>
<td>type</td>
<td>UINT8</td>
<td>Bridge Protocol Data Unit (BPDU) type</td>
</tr>
<tr>
<td>flags</td>
<td>UINT8</td>
<td>BPDU flag</td>
</tr>
<tr>
<td>root-priority</td>
<td>UINT16</td>
<td>Root priority (range start)</td>
</tr>
<tr>
<td>root-priority-hi</td>
<td>UINT16</td>
<td>Root priority range end</td>
</tr>
<tr>
<td>root-address</td>
<td>MAC_ADDRESS</td>
<td>Root MAC address</td>
</tr>
<tr>
<td>root-address-mask</td>
<td>MAC_MASK</td>
<td>Root MAC address mask</td>
</tr>
<tr>
<td>root-cost</td>
<td>UINT32</td>
<td>Root path cost (range start)</td>
</tr>
<tr>
<td>root-cost-hi</td>
<td>UINT32</td>
<td>Root path cost range end</td>
</tr>
<tr>
<td>sender-priority</td>
<td>UINT16</td>
<td>Sender priority (range start)</td>
</tr>
<tr>
<td>sender-priority-hi</td>
<td>UINT16</td>
<td>Sender priority range end</td>
</tr>
<tr>
<td>sender-address</td>
<td>MAC_ADDRESS</td>
<td>BPDU sender MAC address</td>
</tr>
<tr>
<td>sender-address-mask</td>
<td>MAC_MASK</td>
<td>BPDU sender MAC address mask</td>
</tr>
<tr>
<td>port</td>
<td>UINT16</td>
<td>Port identifier (range start)</td>
</tr>
<tr>
<td>port_hi</td>
<td>UINT16</td>
<td>Port identifier range end</td>
</tr>
<tr>
<td>msg-age</td>
<td>UINT16</td>
<td>Message age timer (range start)</td>
</tr>
<tr>
<td>msg-age-hi</td>
<td>UINT16</td>
<td>Message age timer range end</td>
</tr>
<tr>
<td>max-age</td>
<td>UINT16</td>
<td>Maximum age timer (range start)</td>
</tr>
<tr>
<td>max-age-hi</td>
<td>UINT16</td>
<td>Maximum age timer range end</td>
</tr>
<tr>
<td>hello-time</td>
<td>UINT16</td>
<td>Hello time timer (range start)</td>
</tr>
<tr>
<td>hello-time-hi</td>
<td>UINT16</td>
<td>Hello time timer range end</td>
</tr>
<tr>
<td>forward-delay</td>
<td>UINT16</td>
<td>Forward delay (range start)</td>
</tr>
<tr>
<td>forward-delay-hi</td>
<td>UINT16</td>
<td>Forward delay range end</td>
</tr>
<tr>
<td>comment</td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
</table>
<h5><a id="nwfelemsRulesProtoARP">ARP/RARP</a></h5>
<p>
Protocol ID: <code>arp</code> or <code>rarp</code>
<br/>
Note: Rules of this type should either go into the
<code>root</code> or <code>arp/rarp</code> chain.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of sender</td>
</tr>
<tr>
<td>dstmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of destination</td>
</tr>
<tr>
<td>dstmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of destination</td>
</tr>
<tr>
<td>hwtype</td>
<td>UINT16</td>
<td>Hardware type</td>
</tr>
<tr>
<td>protocoltype</td>
<td>UINT16</td>
<td>Protocol type</td>
</tr>
<tr>
<td>opcode</td>
<td>UINT16, STRING</td>
<td>Opcode</td>
</tr>
<tr>
<td>arpsrcmacaddr</td>
<td>MAC_ADDR</td>
<td>Source MAC address in ARP/RARP packet</td>
</tr>
<tr>
<td>arpdstmacaddr</td>
<td>MAC_ADDR</td>
<td>Destination MAC address in ARP/RARP packet</td>
</tr>
<tr>
<td>arpsrcipaddr</td>
<td>IP_ADDR</td>
<td>Source IP address in ARP/RARP packet</td>
</tr>
<tr>
<td>arpsrcipmask <span class="since">(Since 1.2.3)</span></td>
<td>IP_MASK</td>
<td>Source IP mask</td>
</tr>
<tr>
<td>arpdstipaddr</td>
<td>IP_ADDR</td>
<td>Destination IP address in ARP/RARP packet</td>
</tr>
<tr>
<td>arpdstipmask <span class="since">(Since 1.2.3)</span></td>
<td>IP_MASK</td>
<td>Destination IP mask</td>
</tr>
<tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
<tr>
<td>gratuitous <span class="since">(Since 0.9.2)</span></td>
<td>BOOLEAN</td>
<td>boolean indicating whether to check for gratuitous ARP packet</td>
</tr>
</table>
<p>
Valid strings for the <code>Opcode</code> field are:
Request, Reply, Request_Reverse, Reply_Reverse, DRARP_Request,
DRARP_Reply, DRARP_Error, InARP_Request, ARP_NAK
<br/><br/>
</p>
<h5><a id="nwfelemsRulesProtoIP">IPv4</a></h5>
<p>
Protocol ID: <code>ip</code>
<br/>
Note: Rules of this type should either go into the
<code>root</code> or <code>ipv4</code> chain.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of sender</td>
</tr>
<tr>
<td>dstmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of destination</td>
</tr>
<tr>
<td>dstmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of destination</td>
</tr>
<tr>
<td>srcipaddr</td>
<td>IP_ADDR</td>
<td>Source IP address</td>
</tr>
<tr>
<td>srcipmask</td>
<td>IP_MASK</td>
<td>Mask applied to source IP address</td>
</tr>
<tr>
<td>dstipaddr</td>
<td>IP_ADDR</td>
<td>Destination IP address</td>
</tr>
<tr>
<td>dstipmask</td>
<td>IP_MASK</td>
<td>Mask applied to destination IP address</td>
</tr>
<tr>
<td>protocol</td>
<td>UINT8, STRING</td>
<td>Layer 4 protocol identifier</td>
</tr>
<tr>
<td>srcportstart</td>
<td>UINT16</td>
<td>Start of range of valid source ports; requires <code>protocol</code></td>
</tr>
<tr>
<td>srcportend</td>
<td>UINT16</td>
<td>End of range of valid source ports; requires <code>protocol</code></td>
</tr>
<tr>
<td>dstportstart</td>
<td>UINT16</td>
<td>Start of range of valid destination ports; requires <code>protocol</code></td>
</tr>
<tr>
<td>dstportend</td>
<td>UINT16</td>
<td>End of range of valid destination ports; requires <code>protocol</code></td>
</tr>
<tr>
<td>dscp</td>
<td>UINT8 (0x0-0x3f, 0 - 63)</td>
<td>Differentiated Services Code Point</td>
</tr>
<tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
</table>
<p>
Valid strings for <code>protocol</code> are:
tcp, udp, udplite, esp, ah, icmp, igmp, sctp
<br/><br/>
</p>
<h5><a id="nwfelemsRulesProtoIPv6">IPv6</a></h5>
<p>
Protocol ID: <code>ipv6</code>
<br/>
Note: Rules of this type should either go into the
<code>root</code> or <code>ipv6</code> chain.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of sender</td>
</tr>
<tr>
<td>dstmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of destination</td>
</tr>
<tr>
<td>dstmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of destination</td>
</tr>
<tr>
<td>srcipaddr</td>
<td>IPV6_ADDR</td>
<td>Source IPv6 address</td>
</tr>
<tr>
<td>srcipmask</td>
<td>IPV6_MASK</td>
<td>Mask applied to source IPv6 address</td>
</tr>
<tr>
<td>dstipaddr</td>
<td>IPV6_ADDR</td>
<td>Destination IPv6 address</td>
</tr>
<tr>
<td>dstipmask</td>
<td>IPV6_MASK</td>
<td>Mask applied to destination IPv6 address</td>
</tr>
<tr>
<td>protocol</td>
<td>UINT8</td>
<td>Layer 4 protocol identifier</td>
</tr>
<tr>
<td>srcportstart</td>
<td>UINT16</td>
<td>Start of range of valid source ports; requires <code>protocol</code></td>
</tr>
<tr>
<td>srcportend</td>
<td>UINT16</td>
<td>End of range of valid source ports; requires <code>protocol</code></td>
</tr>
<tr>
<td>dstportstart</td>
<td>UINT16</td>
<td>Start of range of valid destination ports; requires <code>protocol</code></td>
</tr>
<tr>
<td>dstportend</td>
<td>UINT16</td>
<td>End of range of valid destination ports; requires <code>protocol</code></td>
</tr>
<tr>
<td>type<span class="since">(Since 1.2.12)</span></td>
<td>UINT8</td>
<td>ICMPv6 type; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
</tr>
<tr>
<td>typeend<span class="since">(Since 1.2.12)</span></td>
<td>UINT8</td>
<td>ICMPv6 type end of range; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
</tr>
<tr>
<td>code<span class="since">(Since 1.2.12)</span></td>
<td>UINT8</td>
<td>ICMPv6 code; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
</tr>
<tr>
<td>code<span class="since">(Since 1.2.12)</span></td>
<td>UINT8</td>
<td>ICMPv6 code end of range; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
</tr>
<tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
</table>
<p>
Valid strings for <code>protocol</code> are:
tcp, udp, udplite, esp, ah, icmpv6, sctp
<br/><br/>
</p>
<h5><a id="nwfelemsRulesProtoTCP-ipv4">TCP/UDP/SCTP</a></h5>
<p>
Protocol ID: <code>tcp</code>, <code>udp</code>, <code>sctp</code>
<br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcipaddr</td>
<td>IP_ADDR</td>
<td>Source IP address</td>
</tr>
<tr>
<td>srcipmask</td>
<td>IP_MASK</td>
<td>Mask applied to source IP address</td>
</tr>
<tr>
<td>dstipaddr</td>
<td>IP_ADDR</td>
<td>Destination IP address</td>
</tr>
<tr>
<td>dstipmask</td>
<td>IP_MASK</td>
<td>Mask applied to destination IP address</td>
</tr>
<tr>
<td>srcipfrom</td>
<td>IP_ADDR</td>
<td>Start of range of source IP address</td>
</tr>
<tr>
<td>srcipto</td>
<td>IP_ADDR</td>
<td>End of range of source IP address</td>
</tr>
<tr>
<td>dstipfrom</td>
<td>IP_ADDR</td>
<td>Start of range of destination IP address</td>
</tr>
<tr>
<td>dstipto</td>
<td>IP_ADDR</td>
<td>End of range of destination IP address</td>
</tr>
<tr>
<td>srcportstart</td>
<td>UINT16</td>
<td>Start of range of valid source ports</td>
</tr>
<tr>
<td>srcportend</td>
<td>UINT16</td>
<td>End of range of valid source ports</td>
</tr>
<tr>
<td>dstportstart</td>
<td>UINT16</td>
<td>Start of range of valid destination ports</td>
</tr>
<tr>
<td>dstportend</td>
<td>UINT16</td>
<td>End of range of valid destination ports</td>
</tr>
<tr>
<td>dscp</td>
<td>UINT8 (0x0-0x3f, 0 - 63)</td>
<td>Differentiated Services Code Point</td>
</tr>
<tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
<tr>
<td>state <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
</tr>
<tr>
<td>flags <span class="since">(Since 0.9.1)</span></td>
<td>STRING</td>
<td>TCP-only: format of mask/flags with mask and flags each being a comma separated list of SYN,ACK,URG,PSH,FIN,RST or NONE or ALL</td>
</tr>
<tr>
<td>ipset <span class="since">(Since 0.9.13)</span></td>
<td>STRING</td>
<td>The name of an IPSet managed outside of libvirt</td>
</tr>
<tr>
<td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
<td>IPSETFLAGS</td>
<td>flags for the IPSet; requires ipset attribute</td>
</tr>
</table>
<p>
<br/><br/>
</p>
<h5><a id="nwfelemsRulesProtoICMP">ICMP</a></h5>
<p>
Protocol ID: <code>icmp</code>
<br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of sender</td>
</tr>
<tr>
<td>dstmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of destination</td>
</tr>
<tr>
<td>dstmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of destination</td>
</tr>
<tr>
<td>srcipaddr</td>
<td>IP_ADDR</td>
<td>Source IP address</td>
</tr>
<tr>
<td>srcipmask</td>
<td>IP_MASK</td>
<td>Mask applied to source IP address</td>
</tr>
<tr>
<td>dstipaddr</td>
<td>IP_ADDR</td>
<td>Destination IP address</td>
</tr>
<tr>
<td>dstipmask</td>
<td>IP_MASK</td>
<td>Mask applied to destination IP address</td>
</tr>
<tr>
<td>srcipfrom</td>
<td>IP_ADDR</td>
<td>Start of range of source IP address</td>
</tr>
<tr>
<td>srcipto</td>
<td>IP_ADDR</td>
<td>End of range of source IP address</td>
</tr>
<tr>
<td>dstipfrom</td>
<td>IP_ADDR</td>
<td>Start of range of destination IP address</td>
</tr>
<tr>
<td>dstipto</td>
<td>IP_ADDR</td>
<td>End of range of destination IP address</td>
</tr>
<tr>
<td>type</td>
<td>UINT16</td>
<td>ICMP type</td>
</tr>
<tr>
<td>code</td>
<td>UINT16</td>
<td>ICMP code</td>
</tr>
<tr>
<td>dscp</td>
<td>UINT8 (0x0-0x3f, 0 - 63)</td>
<td>Differentiated Services Code Point</td>
</tr>
<tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
<tr>
<td>state <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
</tr>
<tr>
<td>ipset <span class="since">(Since 0.9.13)</span></td>
<td>STRING</td>
<td>The name of an IPSet managed outside of libvirt</td>
</tr>
<tr>
<td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
<td>IPSETFLAGS</td>
<td>flags for the IPSet; requires ipset attribute</td>
</tr>
</table>
<p>
<br/><br/>
</p>
<h5><a id="nwfelemsRulesProtoMisc">IGMP, ESP, AH, UDPLITE, 'ALL'</a></h5>
<p>
Protocol ID: <code>igmp</code>, <code>esp</code>, <code>ah</code>, <code>udplite</code>, <code>all</code>
<br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of sender</td>
</tr>
<tr>
<td>dstmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of destination</td>
</tr>
<tr>
<td>dstmacmask</td>
<td>MAC_MASK</td>
<td>Mask applied to MAC address of destination</td>
</tr>
<tr>
<td>srcipaddr</td>
<td>IP_ADDR</td>
<td>Source IP address</td>
</tr>
<tr>
<td>srcipmask</td>
<td>IP_MASK</td>
<td>Mask applied to source IP address</td>
</tr>
<tr>
<td>dstipaddr</td>
<td>IP_ADDR</td>
<td>Destination IP address</td>
</tr>
<tr>
<td>dstipmask</td>
<td>IP_MASK</td>
<td>Mask applied to destination IP address</td>
</tr>
<tr>
<td>srcipfrom</td>
<td>IP_ADDR</td>
<td>Start of range of source IP address</td>
</tr>
<tr>
<td>srcipto</td>
<td>IP_ADDR</td>
<td>End of range of source IP address</td>
</tr>
<tr>
<td>dstipfrom</td>
<td>IP_ADDR</td>
<td>Start of range of destination IP address</td>
</tr>
<tr>
<td>dstipto</td>
<td>IP_ADDR</td>
<td>End of range of destination IP address</td>
</tr>
<tr>
<td>dscp</td>
<td>UINT8 (0x0-0x3f, 0 - 63)</td>
<td>Differentiated Services Code Point</td>
</tr>
<tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
<tr>
<td>state <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
</tr>
<tr>
<td>ipset <span class="since">(Since 0.9.13)</span></td>
<td>STRING</td>
<td>The name of an IPSet managed outside of libvirt</td>
</tr>
<tr>
<td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
<td>IPSETFLAGS</td>
<td>flags for the IPSet; requires ipset attribute</td>
</tr>
</table>
<p>
<br/><br/>
</p>
<h5><a id="nwfelemsRulesProtoTCP-ipv6">TCP/UDP/SCTP over IPV6</a></h5>
<p>
Protocol ID: <code>tcp-ipv6</code>, <code>udp-ipv6</code>, <code>sctp-ipv6</code>
<br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcipaddr</td>
<td>IPV6_ADDR</td>
<td>Source IP address</td>
</tr>
<tr>
<td>srcipmask</td>
<td>IPV6_MASK</td>
<td>Mask applied to source IP address</td>
</tr>
<tr>
<td>dstipaddr</td>
<td>IPV6_ADDR</td>
<td>Destination IP address</td>
</tr>
<tr>
<td>dstipmask</td>
<td>IPV6_MASK</td>
<td>Mask applied to destination IP address</td>
</tr>
<tr>
<td>srcipfrom</td>
<td>IPV6_ADDR</td>
<td>Start of range of source IP address</td>
</tr>
<tr>
<td>srcipto</td>
<td>IPV6_ADDR</td>
<td>End of range of source IP address</td>
</tr>
<tr>
<td>dstipfrom</td>
<td>IPV6_ADDR</td>
<td>Start of range of destination IP address</td>
</tr>
<tr>
<td>dstipto</td>
<td>IPV6_ADDR</td>
<td>End of range of destination IP address</td>
</tr>
<tr>
<td>srcportstart</td>
<td>UINT16</td>
<td>Start of range of valid source ports</td>
</tr>
<tr>
<td>srcportend</td>
<td>UINT16</td>
<td>End of range of valid source ports</td>
</tr>
<tr>
<td>dstportstart</td>
<td>UINT16</td>
<td>Start of range of valid destination ports</td>
</tr>
<tr>
<td>dstportend</td>
<td>UINT16</td>
<td>End of range of valid destination ports</td>
</tr>
<tr>
<td>dscp</td>
<td>UINT8 (0x0-0x3f, 0 - 63)</td>
<td>Differentiated Services Code Point</td>
</tr>
<tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
<tr>
<td>state <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
</tr>
<tr>
<td>flags <span class="since">(Since 0.9.1)</span></td>
<td>STRING</td>
<td>TCP-only: format of mask/flags with mask and flags each being a comma separated list of SYN,ACK,URG,PSH,FIN,RST or NONE or ALL</td>
</tr>
<tr>
<td>ipset <span class="since">(Since 0.9.13)</span></td>
<td>STRING</td>
<td>The name of an IPSet managed outside of libvirt</td>
</tr>
<tr>
<td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
<td>IPSETFLAGS</td>
<td>flags for the IPSet; requires ipset attribute</td>
</tr>
</table>
<p>
<br/><br/>
</p>
<h5><a id="nwfelemsRulesProtoICMPv6">ICMPv6</a></h5>
<p>
Protocol ID: <code>icmpv6</code>
<br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcipaddr</td>
<td>IPV6_ADDR</td>
<td>Source IPv6 address</td>
</tr>
<tr>
<td>srcipmask</td>
<td>IPV6_MASK</td>
<td>Mask applied to source IPv6 address</td>
</tr>
<tr>
<td>dstipaddr</td>
<td>IPV6_ADDR</td>
<td>Destination IPv6 address</td>
</tr>
<tr>
<td>dstipmask</td>
<td>IPV6_MASK</td>
<td>Mask applied to destination IPv6 address</td>
</tr>
<tr>
<td>srcipfrom</td>
<td>IPV6_ADDR</td>
<td>Start of range of source IP address</td>
</tr>
<tr>
<td>srcipto</td>
<td>IPV6_ADDR</td>
<td>End of range of source IP address</td>
</tr>
<tr>
<td>dstipfrom</td>
<td>IPV6_ADDR</td>
<td>Start of range of destination IP address</td>
</tr>
<tr>
<td>dstipto</td>
<td>IPV6_ADDR</td>
<td>End of range of destination IP address</td>
</tr>
<tr>
<td>type</td>
<td>UINT16</td>
<td>ICMPv6 type</td>
</tr>
<tr>
<td>code</td>
<td>UINT16</td>
<td>ICMPv6 code</td>
</tr>
<tr>
<td>dscp</td>
<td>UINT8 (0x0-0x3f, 0 - 63)</td>
<td>Differentiated Services Code Point</td>
</tr>
<tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
<tr>
<td>state <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
</tr>
<tr>
<td>ipset <span class="since">(Since 0.9.13)</span></td>
<td>STRING</td>
<td>The name of an IPSet managed outside of libvirt</td>
</tr>
<tr>
<td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
<td>IPSETFLAGS</td>
<td>flags for the IPSet; requires ipset attribute</td>
</tr>
</table>
<p>
<br/><br/>
</p>
<h5><a id="nwfelemsRulesProtoMiscv6">ESP, AH, UDPLITE, 'ALL' over IPv6</a></h5>
<p>
Protocol ID: <code>esp-ipv6</code>, <code>ah-ipv6</code>, <code>udplite-ipv6</code>, <code>all-ipv6</code>
<br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
<table class="top_table">
<tr>
<th> Attribute </th>
<th> Datatype </th>
<th> Semantics </th>
</tr>
<tr>
<td>srcmacaddr</td>
<td>MAC_ADDR</td>
<td>MAC address of sender</td>
</tr>
<tr>
<td>srcipaddr</td>
<td>IPV6_ADDR</td>
<td>Source IPv6 address</td>
</tr>
<tr>
<td>srcipmask</td>
<td>IPV6_MASK</td>
<td>Mask applied to source IPv6 address</td>
</tr>
<tr>
<td>dstipaddr</td>
<td>IPV6_ADDR</td>
<td>Destination IPv6 address</td>
</tr>
<tr>
<td>dstipmask</td>
<td>IPV6_MASK</td>
<td>Mask applied to destination IPv6 address</td>
</tr>
<tr>
<td>srcipfrom</td>
<td>IPV6_ADDR</td>
<td>Start of range of source IP address</td>
</tr>
<tr>
<td>srcipto</td>
<td>IPV6_ADDR</td>
<td>End of range of source IP address</td>
</tr>
<tr>
<td>dstipfrom</td>
<td>IPV6_ADDR</td>
<td>Start of range of destination IP address</td>
</tr>
<tr>
<td>dstipto</td>
<td>IPV6_ADDR</td>
<td>End of range of destination IP address</td>
</tr>
<tr>
<td>dscp</td>
<td>UINT8 (0x0-0x3f, 0 - 63)</td>
<td>Differentiated Services Code Point</td>
</tr>
<tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
</tr>
<tr>
<td>state <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
</tr>
<tr>
<td>ipset <span class="since">(Since 0.9.13)</span></td>
<td>STRING</td>
<td>The name of an IPSet managed outside of libvirt</td>
</tr>
<tr>
<td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
<td>IPSETFLAGS</td>
<td>flags for the IPSet; requires ipset attribute</td>
</tr>
</table>
<p>
<br/><br/>
</p>
<h3><a id="nwfelemsRulesAdv">Advanced Filter Configuration Topics</a></h3>
<p>
The following sections discuss advanced filter configuration
topics.
</p>
<h4><a id="nwfelemsRulesAdvTracking">Connection tracking</a></h4>
<p>
The network filtering subsystem (on Linux) makes use of the connection
tracking support of iptables. This helps in enforcing the
directionality of network traffic (state match) as well as
counting and limiting the number of simultaneous connections towards
a VM. As an example, if a VM has TCP port 8080
open as a server, clients may connect to the VM on port 8080.
Connection tracking and enforcement of directionality then prevents
the VM from initiating a connection from
(TCP client) port 8080 to the host back to a remote host.
More importantly, tracking helps to prevent
remote attackers from establishing a connection back to a VM. For example,
if the user inside the VM established a connection to
port 80 on an attacker site, then the attacker will not be able to
initiate a connection from TCP port 80 back towards the VM.
By default the connection state match that enables connection tracking
and then enforcement of directionality of traffic is turned on. <br/>
The following shows an example XML fragment where this feature has been
turned off for incoming connections to TCP port 12345.
</p>
<pre>
[...]
&lt;rule direction='in' action='accept' statematch='false'&gt;
&lt;tcp dstportstart='12345'/&gt;
&lt;/rule&gt;
[...]
</pre>
<p>
This now allows incoming traffic to TCP port 12345, but would also
enable the initiation from (client) TCP port 12345 within the VM,
which may or may not be desirable.
</p>
<h4><a id="nwfelemsRulesAdvLimiting">Limiting Number of Connections</a></h4>
<p>
To limit the number of connections a VM may establish, a rule must
be provided that sets a limit of connections for a given
type of traffic. If for example a VM
is supposed to be allowed to only ping one other IP address at a time
and is supposed to have only one active incoming ssh connection at a
time, the following XML fragment can be used to achieve this.
</p>
<pre>
[...]
&lt;rule action='drop' direction='in' priority='400'&gt;
&lt;tcp connlimit-above='1'/&gt;
&lt;/rule&gt;
&lt;rule action='accept' direction='in' priority='500'&gt;
&lt;tcp dstportstart='22'/&gt;
&lt;/rule&gt;
&lt;rule action='drop' direction='out' priority='400'&gt;
&lt;icmp connlimit-above='1'/&gt;
&lt;/rule&gt;
&lt;rule action='accept' direction='out' priority='500'&gt;
&lt;icmp/&gt;
&lt;/rule&gt;
&lt;rule action='accept' direction='out' priority='500'&gt;
&lt;udp dstportstart='53'/&gt;
&lt;/rule&gt;
&lt;rule action='drop' direction='inout' priority='1000'&gt;
&lt;all/&gt;
&lt;/rule&gt;
[...]
</pre>
<p>
Note that the rule for the limit has to logically appear
before the rule for accepting the traffic.<br/>
An additional rule for letting DNS traffic to port 22
go out the VM has been added to avoid ssh sessions not
getting established for reasons related to DNS lookup failures
by the ssh daemon. Leaving this rule out may otherwise lead to
fun-filled debugging joy (symptom: ssh client seems to hang
while trying to connect).
<br/><br/>
Lot of care must be taken with timeouts related
to tracking of traffic. An ICMP ping that
the user may have terminated inside the VM may have a long
timeout in the host's connection tracking system and therefore
not allow another ICMP ping to go through for a while. Therefore,
the timeouts have to be tuned in the host's sysfs, i.e.,
</p>
<pre>
echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
</pre>
<p>
sets the ICMP connection tracking timeout to 3 seconds. The
effect of this is that once one ping is terminated, another
one can start after 3 seconds.<br/>
Further, we want to point out that a client that for whatever
reason has not properly closed a TCP connection may cause a
connection to be held open for a longer period of time,
depending to what timeout the <code>TCP established</code> state
timeout has been set to on the host. Also, idle connections may time
out in the connection tracking system but can be reactivated once
packets are exchanged. However, a newly initiated connection may force
an idle connection into TCP backoff if the number of allowed connections
is set to a too low limit, the new connection is established
and hits (not exceeds) the limit of allowed connections and for
example a key is pressed on the old ssh session, which now has become
unresponsive due to its traffic being dropped.
Therefore, the limit of connections should be rather high so that
fluctuations in new TCP connections don't cause odd
traffic behavior in relation to idle connections.
</p>
<h2><a id="nwfcli">Command line tools</a></h2>
<p>
The libvirt command line tool <code>virsh</code> has been extended
with life-cycle support for network filters. All commands related
to the network filtering subsystem start with the prefix
<code>nwfilter</code>. The following commands are available:
</p>
<ul>
<li>nwfilter-list : list UUIDs and names of all network filters</li>
<li>nwfilter-define : define a new network filter or update an existing one</li>
<li>nwfilter-undefine : delete a network filter given its name; it must not be currently in use</li>
<li>nwfilter-dumpxml : display a network filter given its name</li>
<li>nwfilter-edit : edit a network filter given its name</li>
</ul>
<h2><a id="nwfexamples">Pre-existing network filters</a></h2>
<p>
The following is a list of example network filters that are
automatically installed with libvirt.</p>
<table class="top_table">
<tr>
<th> Name </th>
<th> Description </th>
</tr>
<tr>
<td> no-arp-spoofing </td>
<td> Prevent a VM from spoofing ARP traffic; this filter
only allows ARP request and reply messages and enforces
that those packets contain the MAC and IP addresses
of the VM.</td>
</tr>
<tr>
<td> allow-arp </td>
<td> Allow ARP traffic in both directions</td>
</tr>
<tr>
<td> allow-ipv4 </td>
<td> Allow IPv4 traffic in both directions</td>
</tr>
<tr>
<td> allow-ipv6 </td>
<td> Allow IPv6 traffic in both directions</td>
</tr>
<tr>
<td> allow-incoming-ipv4 </td>
<td> Allow incoming IPv4 traffic</td>
</tr>
<tr>
<td> allow-incoming-ipv6 </td>
<td> Allow incoming IPv6 traffic</td>
</tr>
<tr>
<td> allow-dhcp </td>
<td> Allow a VM to request an IP address via DHCP (from any
DHCP server)</td>
</tr>
<tr>
<td> allow-dhcpv6 </td>
<td> Similar to allow-dhcp, but for DHCPv6 </td>
</tr>
<tr>
<td> allow-dhcp-server </td>
<td> Allow a VM to request an IP address from a specified
DHCP server. The dotted decimal IP address of the DHCP
server must be provided in a reference to this filter.
The name of the variable must be <i>DHCPSERVER</i>.</td>
</tr>
<tr>
<td> allow-dhcpv6-server </td>
<td> Similar to allow-dhcp-server, but for DHCPv6 </td>
</tr>
<tr>
<td> no-ip-spoofing </td>
<td> Prevent a VM from sending of IPv4 packets with
a source IP address different from the one
in the packet. </td>
</tr>
<tr>
<td> no-ipv6-spoofing </td>
<td> Similar to no-ip-spoofing, but for IPv6 </td>
</tr>
<tr>
<td> no-ip-multicast </td>
<td> Prevent a VM from sending IP multicast packets. </td>
</tr>
<tr>
<td> no-ipv6-multicast </td>
<td> Similar to no-ip-multicast, but for IPv6 </td>
</tr>
<tr>
<td> clean-traffic </td>
<td> Prevent MAC, IP and ARP spoofing. This filter references
several other filters as building blocks. </td>
</tr>
</table>
<p>
Note that most of the above filters are only building blocks and
require a combination with other filters to provide useful network
traffic filtering.
The most useful one in the above list is the <i>clean-traffic</i>
filter. This filter itself can for example be combined with the
<i>no-ip-multicast</i>
filter to prevent virtual machines from sending IP multicast traffic
on top of the prevention of packet spoofing.
</p>
<h2><a id="nwfwrite">Writing your own filters</a></h2>
<p>
Since libvirt only provides a couple of example networking filters, you
may consider writing your own. When planning on doing so
there are a couple of things
you may need to know regarding the network filtering subsystem and how
it works internally. Certainly you also have to know and understand
the protocols very well that you want to be filtering on so that
no further traffic than what you want can pass and that in fact the
traffic you want to allow does pass.
<br/><br/>
The network filtering subsystem is currently only available on
Linux hosts and only works for QEMU and KVM type of virtual machines.
On Linux
it builds upon the support for <code>ebtables</code>, <code>iptables
</code> and <code>ip6tables</code> and makes use of their features.
From the above list of supported protocols the following ones are
implemented using <code>ebtables</code>:
</p>
<ul>
<li>mac</li>
<li>stp (spanning tree protocol)</li>
<li>vlan (802.1Q)</li>
<li>arp, rarp</li>
<li>ipv4</li>
<li>ipv6</li>
</ul>
<p>
All other protocols over IPv4 are supported using iptables, those over
IPv6 are implemented using ip6tables.
<br/><br/>
On a Linux host, all traffic filtering instantiated by libvirt's network
filter subsystem first passes through the filtering support implemented
by ebtables and only then through iptables or ip6tables filters. If
a filter tree has rules with the protocols <code>mac</code>,
<code>stp</code>, <code>vlan</code>
<code>arp</code>, <code>rarp</code>, <code>ipv4</code>,
or <code>ipv6</code> ebtables rules will automatically be instantiated.
<br/>
The role of the <code>chain</code> attribute in the network filter
XML is that internally a new user-defined ebtables table is created
that then for example receives all <code>arp</code> traffic coming
from or going to a virtual machine if the chain <code>arp</code>
has been specified. Further, a rule is generated in an interface's
<code>root</code> chain that directs all ipv4 traffic into the
user-defined chain. Therefore, all ARP traffic rules should then be
placed into filters specifying this chain. This type of branching
into user-defined tables is only supported with filtering on the ebtables
layer.
<br/>
<span class="since">Since 0.9.8</span> multiple chains for the same
protocol can be created. For this the name of the chain must have
a prefix of one of the previously enumerated protocols. To create an
additional chain for handling of ARP traffic, a chain with name
<code>arp-test</code> can be specified.
<br/>
As an example, it is
possible to filter on UDP traffic by source and destination ports using
the <code>ip</code> protocol filter and specifying attributes for the
protocol, source and destination IP addresses and ports of UDP packets
that are to be accepted. This allows
early filtering of UDP traffic with ebtables. However, once an IP or IPv6
packet, such as a UDP packet,
has passed the ebtables layer and there is at least one rule in a filter
tree that instantiates iptables or ip6tables rules, a rule to let
the UDP packet pass will also be necessary to be provided for those
filtering layers. This can be
achieved with a rule containing an appropriate <code>udp</code> or
<code>udp-ipv6</code> traffic filtering node.
</p>
<h3><a id="nwfwriteexample">Example custom filter</a></h3>
<p>
As an example we want to now build a filter that fulfills the following
list of requirements:
</p>
<ul>
<li>prevents a VM's interface from MAC, IP and ARP spoofing</li>
<li>opens only TCP ports 22 and 80 of a VM's interface</li>
<li>allows the VM to send ping traffic from an interface
but not let the VM be pinged on the interface</li>
<li>allows the VM to do DNS lookups (UDP towards port 53)</li>
</ul>
<p>
The requirement to prevent spoofing is fulfilled by the existing
<code>clean-traffic</code> network filter, thus we will reference this
filter from our custom filter.
<br/>
To enable traffic for TCP ports 22 and 80 we will add 2 rules to
enable this type of traffic. To allow the VM to send ping traffic
we will add a rule for ICMP traffic. For simplicity reasons
we allow general ICMP traffic to be initiated from the VM, not
just ICMP echo request and response messages. To then
disallow all other traffic to reach or be initiated by the
VM we will then need to add a rule that drops all other traffic.
Assuming our VM is called <i>test</i> and
the interface we want to associate our filter with is called <i>eth0</i>,
we name our filter <i>test-eth0</i>.
The result of these considerations is the following network filter XML:
</p>
<pre>
&lt;filter name='test-eth0'&gt;
&lt;!-- reference the clean traffic filter to prevent
MAC, IP and ARP spoofing. By not providing
and IP address parameter, libvirt will detect the
IP address the VM is using. --&gt;
&lt;filterref filter='clean-traffic'/&gt;
&lt;!-- enable TCP ports 22 (ssh) and 80 (http) to be reachable --&gt;
&lt;rule action='accept' direction='in'&gt;
&lt;tcp dstportstart='22'/&gt;
&lt;/rule&gt;
&lt;rule action='accept' direction='in'&gt;
&lt;tcp dstportstart='80'/&gt;
&lt;/rule&gt;
&lt;!-- enable general ICMP traffic to be initiated by the VM;
this includes ping traffic --&gt;
&lt;rule action='accept' direction='out'&gt;
&lt;icmp/&gt;
&lt;/rule&gt;
&lt;!-- enable outgoing DNS lookups using UDP --&gt;
&lt;rule action='accept' direction='out'&gt;
&lt;udp dstportstart='53'/&gt;
&lt;/rule&gt;
&lt;!-- drop all other traffic --&gt;
&lt;rule action='drop' direction='inout'&gt;
&lt;all/&gt;
&lt;/rule&gt;
&lt;/filter&gt;
</pre>
<p>
Note that none of the rules in the above XML contain the
IP address of the VM as either source or destination address, yet
the filtering of the traffic works correctly. The reason is that
the evaluation of the rules internally happens on a
per-interface basis and the rules are evaluated based on the knowledge
about which (tap) interface has sent or will receive the packet rather
than what their source or destination IP address may be.
<br/><br/>
An XML fragment for a possible network interface description inside
the domain XML of the <code>test</code> VM could then look like this:
</p>
<pre>
[...]
&lt;interface type='bridge'&gt;
&lt;source bridge='mybridge'/&gt;
&lt;filterref filter='test-eth0'/&gt;
&lt;/interface&gt;
[...]
</pre>
<p>
To more strictly control the ICMP traffic and enforce that only
ICMP echo requests can be sent from the VM
and only ICMP echo responses be received by the VM, the above
<code>ICMP</code> rule can be replaced with the following two rules:
</p>
<pre>
&lt;!-- enable outgoing ICMP echo requests--&gt;
&lt;rule action='accept' direction='out'&gt;
&lt;icmp type='8'/&gt;
&lt;/rule&gt;
&lt;!-- enable incoming ICMP echo replies--&gt;
&lt;rule action='accept' direction='in'&gt;
&lt;icmp type='0'/&gt;
&lt;/rule&gt;
</pre>
<h3><a id="nwfwriteexample2nd">Second example custom filter</a></h3>
<p>
In this example we now want to build a similar filter as in the
example above, but extend the list of requirements with an
ftp server located inside the VM. Further, we will be using features
that have been added in <span class="since">version 0.8.5</span>.
The requirements for this filter are:
</p>
<ul>
<li>prevents a VM's interface from MAC, IP and ARP spoofing</li>
<li>opens only TCP ports 22 and 80 of a VM's interface</li>
<li>allows the VM to send ping traffic from an interface
but not let the VM be pinged on the interface</li>
<li>allows the VM to do DNS lookups (UDP towards port 53)</li>
<li>enable an ftp server (in active mode) to be run inside the VM</li>
</ul>
<p>
The additional requirement of allowing an ftp server to be run inside
the VM maps into the requirement of allowing port 21 to be reachable
for ftp control traffic as well as enabling the VM to establish an
outgoing tcp connection originating from the VM's TCP port 20 back to
the ftp client (ftp active mode). There are several ways of how this
filter can be written and we present 2 solutions.
<br/><br/>
The 1st solution makes use of the <code>state</code> attribute of
the TCP protocol that gives us a hook into the connection tracking
framework of the Linux host. For the VM-initiated ftp data connection
(ftp active mode) we use the <code>RELATED</code> state that allows
us to detect that the VM-initiated ftp data connection is a consequence of
( or 'has a relationship with' ) an existing ftp control connection,
thus we want to allow it to let packets
pass the firewall. The <code>RELATED</code> state, however, is only
valid for the very first packet of the outgoing TCP connection for the
ftp data path. Afterwards, the state to compare against is
<code>ESTABLISHED</code>, which then applies equally
to the incoming and outgoing direction. All this is related to the ftp
data traffic originating from TCP port 20 of the VM. This then leads to
the following solution
<span class="since">(since 0.8.5 (QEMU, KVM))</span>:
</p>
<pre>
&lt;filter name='test-eth0'&gt;
&lt;!-- reference the clean traffic filter to prevent
MAC, IP and ARP spoofing. By not providing
and IP address parameter, libvirt will detect the
IP address the VM is using. --&gt;
&lt;filterref filter='clean-traffic'/&gt;
&lt;!-- enable TCP port 21 (ftp-control) to be reachable --&gt;
&lt;rule action='accept' direction='in'&gt;
&lt;tcp dstportstart='21'/&gt;
&lt;/rule&gt;
&lt;!-- enable TCP port 20 for VM-initiated ftp data connection
related to an existing ftp control connection --&gt;
&lt;rule action='accept' direction='out'&gt;
&lt;tcp srcportstart='20' state='RELATED,ESTABLISHED'/&gt;
&lt;/rule&gt;
&lt;!-- accept all packets from client on the ftp data connection --&gt;
&lt;rule action='accept' direction='in'&gt;
&lt;tcp dstportstart='20' state='ESTABLISHED'/&gt;
&lt;/rule&gt;
&lt;!-- enable TCP ports 22 (ssh) and 80 (http) to be reachable --&gt;
&lt;rule action='accept' direction='in'&gt;
&lt;tcp dstportstart='22'/&gt;
&lt;/rule&gt;
&lt;rule action='accept' direction='in'&gt;
&lt;tcp dstportstart='80'/&gt;
&lt;/rule&gt;
&lt;!-- enable general ICMP traffic to be initiated by the VM;
this includes ping traffic --&gt;
&lt;rule action='accept' direction='out'&gt;
&lt;icmp/&gt;
&lt;/rule&gt;
&lt;!-- enable outgoing DNS lookups using UDP --&gt;
&lt;rule action='accept' direction='out'&gt;
&lt;udp dstportstart='53'/&gt;
&lt;/rule&gt;
&lt;!-- drop all other traffic --&gt;
&lt;rule action='drop' direction='inout'&gt;
&lt;all/&gt;
&lt;/rule&gt;
&lt;/filter&gt;
</pre>
<p>
Before trying out a filter using the <code>RELATED</code> state,
you have to make sure that the appropriate connection tracking module
has been loaded into the host's kernel. Depending on the version of the
kernel, you must run either one of the following two commands before
the ftp connection with the VM is established.
</p>
<pre>
modprobe nf_conntrack_ftp # where available or
modprobe ip_conntrack_ftp # if above is not available
</pre>
<p>
If other protocols than ftp are to be used in conjunction with the
<code>RELATED</code> state, their corresponding module must be loaded.
Modules exist at least for the protocols ftp, tftp, irc, sip,
sctp, and amanda.
</p>
<p>
The 2nd solution makes uses the state flags of connections more
than the previous solution did.
In this solution we take advantage of the fact that the
<code>NEW</code> state of a connection is valid when the very
first packet of a traffic flow is seen. Subsequently, if the very first
packet of a flow is accepted, the flow becomes a connection and enters
the <code>ESTABLISHED</code> state. This allows us to write a general
rule for allowing packets of <code>ESTABLISHED</code> connections to
reach the VM or be sent by the VM.
We write specific rules for the very first packets identified by the
<code>NEW</code> state and for which ports they are acceptable. All
packets for ports that are not explicitly accepted will be dropped and
therefore the connection will not go into the <code>ESTABLISHED</code>
state and any subsequent packets be dropped.
</p>
<pre>
&lt;filter name='test-eth0'&gt;
&lt;!-- reference the clean traffic filter to prevent
MAC, IP and ARP spoofing. By not providing
and IP address parameter, libvirt will detect the
IP address the VM is using. --&gt;
&lt;filterref filter='clean-traffic'/&gt;
&lt;!-- let the packets of all previously accepted connections reach the VM --&gt;
&lt;rule action='accept' direction='in'&gt;
&lt;all state='ESTABLISHED'/&gt;
&lt;/rule&gt;
&lt;!-- let the packets of all previously accepted and related connections be sent from the VM --&gt;
&lt;rule action='accept' direction='out'&gt;
&lt;all state='ESTABLISHED,RELATED'/&gt;
&lt;/rule&gt;
&lt;!-- enable traffic towards port 21 (ftp), 22 (ssh) and 80 (http) --&gt;
&lt;rule action='accept' direction='in'&gt;
&lt;tcp dstportstart='21' dstportend='22' state='NEW'/&gt;
&lt;/rule&gt;
&lt;rule action='accept' direction='in'&gt;
&lt;tcp dstportstart='80' state='NEW'/&gt;
&lt;/rule&gt;
&lt;!-- enable general ICMP traffic to be initiated by the VM;
this includes ping traffic --&gt;
&lt;rule action='accept' direction='out'&gt;
&lt;icmp state='NEW'/&gt;
&lt;/rule&gt;
&lt;!-- enable outgoing DNS lookups using UDP --&gt;
&lt;rule action='accept' direction='out'&gt;
&lt;udp dstportstart='53' state='NEW'/&gt;
&lt;/rule&gt;
&lt;!-- drop all other traffic --&gt;
&lt;rule action='drop' direction='inout'&gt;
&lt;all/&gt;
&lt;/rule&gt;
&lt;/filter&gt;
</pre>
<h2><a id="nwflimits">Limitations</a></h2>
<p>
The following sections list (current) limitations of the network
filtering subsystem.
</p>
<h3><a id="nwflimitsmigr">VM Migration</a></h3>
<p>
VM migration is only supported if the whole filter tree
that is referenced by a virtual machine's top level filter
is also available on the target host. The network filter
<i>clean-traffic</i>
for example should be available on all libvirt installations
of version 0.8.1 or later and thus enable migration of VMs that
for example reference this filter. All other
custom filters must be migrated using higher layer software. It is
outside the scope of libvirt to ensure that referenced filters
on the source system are equivalent to those on the target system
and vice versa.
<br/><br/>
Migration must occur between libvirt installations of version
0.8.1 or later in order not to lose the network traffic filters
associated with an interface.
</p>
<h3><a id="nwflimitsvlan">VLAN filtering on Linux</a></h3>
<p>
VLAN (802.1Q) packets, if sent by a virtual machine, cannot be filtered
with rules for protocol IDs <code>arp</code>, <code>rarp</code>,
<code>ipv4</code> and <code>ipv6</code> but only
with protocol IDs <code>mac</code> and <code>vlan</code>. Therefore,
the example filter <code>clean-traffic</code> will not work as expected.
</p>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink