Re: [Xense-devel] cannot filter on vif* interfaces using iptables?
Hi Claudio,

I am currently writing IP tables filters to enforce the Xen mandatory access control framework on network packets in any of the Xen networking options (bridge, routing, nat). Physdev seems to work for me in Xen bridging mode. See below.

> Everything works fine except that it looks like the kernel does not
> know the virtual interface a packet comes from anywhere iptables
> gets a hold of them (if I log the packets I either see eth1 and eth0,
> or one of the interfaces has no name, I never see vif*). I am using
> kernel 2.6.16.13-xen0 compiled from the XEN source (latest development
> branch as of two weeks ago).
>
> As suggested by Gerd a few weeks ago I set CONFIG_BRIDGE_NETFILTER=y
> and CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y but even then the logs just look
> like this no matter into which table I insert the LOG option:

Your rules do not show the PHYSDEV matching rules. Compiling the filter is not enough. In bridging mode, the following rules work fine to accept all packets from vif0.2 to vif0.3:

/sbin/iptables -A FORWARD -m physdev --physdev-in vif0.2 --physdev-out vif0.3 -j ACCEPT
/sbin/iptables -A FORWARD -m physdev --physdev-in vif0.3 --physdev-out vif0.2 -j ACCEPT

> Any hints on how to insert a rule that would drop all packets from a
> certain virtual interface greatly appreciated! I.e. something like
>
> -A RH-Firewall-1-INPUT -i vif2.0 --dport 80 -j DROP
>
> Thanks, Claudio

The following should work to drop packets on vif0.2:

/sbin/iptables -A INPUT -m physdev --physdev-in vif0.2 -j DROP

The -i and -o iptables options work ONLY on routed packets. The --physdev-xx options work in Xen bridging mode.

Does this help?

Reiner
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
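As an added example (not from Reiner's message or the Xen project), a small POSIX shell helper that emits the physdev-based rule set for bridging mode from a list of allowed vif pairs and flags rules that rely on -i/-o; the vif names and pairs are constructed values, and the closing --physdev-is-bridged DROP is an assumption beyond the rules quoted above.

```shell
#!/bin/sh
# Added example: generate (print, not apply) iptables rules that confine
# bridged traffic between Xen vifs using the physdev match. The rules are
# echoed so they can be reviewed before being piped to a root shell.
IPT=/sbin/iptables

# Print ACCEPT rules for each "in:out" vif pair (both directions), then a
# catch-all DROP for any other frame crossing the bridge.
# Usage: gen_bridge_rules "vif0.2:vif0.3 vif0.4:vif0.5"   (constructed names)
gen_bridge_rules() {
    pairs=$1
    for pair in $pairs; do
        a=${pair%%:*}
        b=${pair##*:}
        echo "$IPT -A FORWARD -m physdev --physdev-in $a --physdev-out $b -j ACCEPT"
        echo "$IPT -A FORWARD -m physdev --physdev-in $b --physdev-out $a -j ACCEPT"
    done
    # Bridged frames never match -i/-o, so the default-deny uses physdev too
    # (assumption: --physdev-is-bridged is available in this iptables build).
    echo "$IPT -A FORWARD -m physdev --physdev-is-bridged -j DROP"
}

# Print a rule dropping everything a vif delivers to dom0 itself (INPUT).
gen_input_drop() {
    echo "$IPT -A INPUT -m physdev --physdev-in $1 -j DROP"
}

# Return 0 if a rule matches a vif the way bridging mode requires (physdev),
# 1 if it relies on -i/-o and would therefore only see routed packets.
rule_matches_bridged_vif() {
    case "$1" in
        *"-m physdev"*--physdev-in*|*"-m physdev"*--physdev-out*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pre-flight: physdev only sees bridged frames when the bridge hands them to
# iptables; this sysctl must read 1 on the dom0 kernel.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
```

Run `bridge_nf_enabled` on the dom0 before loading the rules; if it fails, the FORWARD rules will never be consulted for bridged traffic.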