backup: Wire up qemu full pull backup commands over QMP
[libvirt/ericb.git] / docs / formatnwfilter.html.in
blob796c16549db7875bf787d27405e1676f1e670e38
1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE html>
3 <html xmlns="http://www.w3.org/1999/xhtml">
4 <body>
5 <h1>Network Filters</h1>
7 <ul id="toc">
8 </ul>
10 <p>
11 This page provides an introduction to libvirt's network filters,
12 their goals, concepts and XML format.
13 </p>
15 <h2><a id="goals">Goals and background</a></h2>
17 <p>
18 The goal of the network filtering XML is to enable administrators
19 of a virtualized system to configure and enforce network traffic
20 filtering rules on virtual
21 machines and manage the parameters of network traffic that
22 virtual machines
23 are allowed to send or receive.
24 The network traffic filtering rules are
25 applied on the host when a virtual machine is started. Since the
26 filtering rules
27 cannot be circumvented from within
28 the virtual machine, it makes them mandatory from the point of
29 view of a virtual machine user.
30 <br/><br/>
31 The network filter subsystem allows each virtual machine's network
32 traffic filtering rules to be configured individually on a per
33 interface basis. The rules are
34 applied on the host when the virtual machine is started and can be modified
35 while the virtual machine is running. The latter can be achieved by
36 modifying the XML description of a network filter.
37 <br/><br/>
38 Multiple virtual machines can make use of the same generic network filter.
39 When such a filter is modified, the network traffic filtering rules
40 of all running virtual machines that reference this filter are updated.
41 <br/><br/>
42 Network filtering support is available <span class="since">since 0.8.1
43 (QEMU, KVM)</span>
44 </p>
46 <h2><a id="nwfconcepts">Concepts</a></h2>
47 <p>
48 The network traffic filtering subsystem enables configuration
49 of network traffic filtering rules on individual network
50 interfaces that are configured for certain types of
51 network configurations. Supported network types are
52 </p>
53 <ul>
54 <li><code>network</code></li>
55 <li><code>ethernet</code> -- must be used in bridging mode</li>
56 <li><code>bridge</code></li>
57 </ul>
58 <p>
59 The interface XML is used to reference a top-level filter. In the
60 following example, the interface description references
61 the filter <code>clean-traffic</code>.
62 </p>
63 <pre>
64 ...
65 &lt;devices&gt;
66 &lt;interface type='bridge'&gt;
67 &lt;mac address='00:16:3e:5d:c7:9e'/&gt;
68 &lt;filterref filter='clean-traffic'/&gt;
69 &lt;/interface&gt;
70 &lt;/devices&gt;
71 ...</pre>
73 <p>
74 Network filters are written in XML and may either contain references
75 to other filters, contain rules for traffic filtering, or
76 hold a combination of both. The above referenced filter
77 <code>clean-traffic </code> is a filter that only contains references to
78 other filters and no actual filtering rules. Since references to
79 other filters can be used, a <i>tree</i> of filters can be built.
80 The <code>clean-traffic</code> filter can be viewed using the
81 command <code>virsh nwfilter-dumpxml clean-traffic</code>.
82 <br/><br/>
83 As previously mentioned, a single network filter can be referenced
84 by multiple virtual machines. Since interfaces will typically
85 have individual parameters associated with their respective traffic
86 filtering rules, the rules described in a filter XML can
87 be parameterized with variables. In this case, the variable name
88 is used in the filter XML and the name and value are provided at the
89 place where the filter is referenced. In the
90 following example, the interface description has been extended with
91 the parameter <code>IP</code> and a dotted IP address as value.
92 </p>
93 <pre>
94 ...
95 &lt;devices&gt;
96 &lt;interface type='bridge'&gt;
97 &lt;mac address='00:16:3e:5d:c7:9e'/&gt;
98 &lt;filterref filter='clean-traffic'&gt;
99 &lt;parameter name='IP' value='10.0.0.1'/&gt;
100 &lt;/filterref&gt;
101 &lt;/interface&gt;
102 &lt;/devices&gt;
103 ...</pre>
106 In this particular example, the <code>clean-traffic</code> network
107 traffic filter will be instantiated with the IP address parameter
108 10.0.0.1 and enforce that the traffic from this interface will
109 always be using 10.0.0.1 as the source IP address, which is
110 one of the purposes of this particular filter.
111 <br/><br/>
112 </p>
114 <h3><a id="nwfconceptschains">Filtering chains</a></h3>
116 Filtering rules are organized in filter chains. These chains can be
117 thought of as having a tree structure with packet
118 filtering rules as entries in individual chains (branches). <br/>
119 Packets start their filter evaluation in the <code>root</code> chain
120 and can then continue their evaluation in other chains, return from
121 those chains back into the <code>root</code> chain or be
122 dropped or accepted by a filtering rule in one of the traversed chains.
123 <br/>
124 Libvirt's network filtering system automatically creates individual
125 <code>root</code> chains for every virtual machine's network interface
126 on which the user chooses to activate traffic filtering.
127 The user may write filtering rules that are either directly instantiated
128 in the <code>root</code> chain or may create protocol-specific
129 filtering chains for efficient evaluation of protocol-specific rules.
130 The following chains exist:
131 </p>
132 <ul>
133 <li>root</li>
134 <li>mac <span class="since">(since 0.9.8)</span></li>
135 <li>stp (spanning tree protocol)
136 <span class="since">(since 0.9.8)</span></li>
137 <li>vlan (802.1Q) <span class="since">(since 0.9.8)</span></li>
138 <li>arp, rarp</li>
139 <li>ipv4</li>
140 <li>ipv6</li>
141 </ul>
143 <span class="since">Since 0.9.8</span> multiple chains evaluating the
144 <code>mac</code>, <code>stp</code>, <code>vlan</code>,
145 <code>arp</code>, <code>rarp</code>, <code>ipv4</code>, or
146 <code>ipv6</code> protocol can be created using
147 the protocol name only as a prefix in the chain's name. This for
148 examples allows chains with names <code>arp-xyz</code> or
149 <code>arp-test</code> to be specified and have ARP protocol packets
150 evaluated in those chains.
151 <br/><br/>
152 The following filter shows an example of filtering ARP traffic
153 in the <code>arp</code> chain.
154 </p>
155 <pre>
156 &lt;filter name='no-arp-spoofing' chain='arp' priority='-500'&gt;
157 &lt;uuid&gt;f88f1932-debf-4aa1-9fbe-f10d3aa4bc95&lt;/uuid&gt;
158 &lt;rule action='drop' direction='out' priority='300'&gt;
159 &lt;mac match='no' srcmacaddr='$MAC'/&gt;
160 &lt;/rule&gt;
161 &lt;rule action='drop' direction='out' priority='350'&gt;
162 &lt;arp match='no' arpsrcmacaddr='$MAC'/&gt;
163 &lt;/rule&gt;
164 &lt;rule action='drop' direction='out' priority='400'&gt;
165 &lt;arp match='no' arpsrcipaddr='$IP'/&gt;
166 &lt;/rule&gt;
167 &lt;rule action='drop' direction='in' priority='450'&gt;
168 &lt;arp opcode='Reply'/&gt;
169 &lt;arp match='no' arpdstmacaddr='$MAC'/&gt;
170 &lt;/rule&gt;
171 &lt;rule action='drop' direction='in' priority='500'&gt;
172 &lt;arp match='no' arpdstipaddr='$IP'/&gt;
173 &lt;/rule&gt;
174 &lt;rule action='accept' direction='inout' priority='600'&gt;
175 &lt;arp opcode='Request'/&gt;
176 &lt;/rule&gt;
177 &lt;rule action='accept' direction='inout' priority='650'&gt;
178 &lt;arp opcode='Reply'/&gt;
179 &lt;/rule&gt;
180 &lt;rule action='drop' direction='inout' priority='1000'/&gt;
181 &lt;/filter&gt;
182 </pre>
184 The consequence of putting ARP-specific rules in the <code>arp</code>
185 chain, rather than for example in the <code>root</code> chain, is that
186 packets for any other protocol than ARP do not need to be evaluated by
187 ARP protocol-specific rules. This improves the efficiency
188 of the traffic filtering. However, one must then pay attention to only
189 put filtering rules for the given protocol into the chain since
190 any other rules will not be evaluated, i.e., an IPv4 rule will not
191 be evaluated in the ARP chain since no IPv4 protocol packets will
192 traverse the ARP chain.
193 <br/><br/>
194 </p>
195 <h3><a id="nwfconceptschainpriorities">Filtering chain priorities</a></h3>
197 All chains are connected to the <code>root</code> chain. The order in
198 which those chains are accessed is influenced by the priority of the
199 chain. The following table shows the chains that can be assigned a
200 priority and their default priorities.
201 </p>
202 <table class="top_table">
203 <tr>
204 <th> Chain (prefix) </th>
205 <th> Default priority </th>
206 </tr>
207 <tr>
208 <td>stp</td><td>-810</td>
209 </tr>
210 <tr>
211 <td>mac</td><td>-800</td>
212 </tr>
213 <tr>
214 <td>vlan</td><td>-750</td>
215 </tr>
216 <tr>
217 <td>ipv4</td><td>-700</td>
218 </tr>
219 <tr>
220 <td>ipv6</td><td>-600</td>
221 </tr>
222 <tr>
223 <td>arp</td><td>-500</td>
224 </tr>
225 <tr>
226 <td>rarp</td><td>-400</td>
227 </tr>
228 </table>
230 A chain with a lower priority value is accessed before one with a
231 higher value.
232 <br/>
233 <span class="since">Since 0.9.8</span> the above listed chains
234 can be assigned custom priorities by writing a value in the
235 range [-1000, 1000] into the priority (XML) attribute in the filter
236 node. The above example filter shows the default priority of -500
237 for <code>arp</code> chains.
238 </p>
239 <h3><a id="nwfconceptsvars">Usage of variables in filters</a></h3>
242 Two variables names have so far been reserved for usage by the
243 network traffic filtering subsystem: <code>MAC</code> and
244 <code>IP</code>.
245 <br/><br/>
246 <code>MAC</code> is the MAC address of the
247 network interface. A filtering rule that references this variable
248 will automatically be instantiated with the MAC address of the
249 interface. This works without the user having to explicitly provide
250 the MAC parameter. Even though it is possible to specify the MAC
251 parameter similar to the IP parameter above, it is discouraged
252 since libvirt knows what MAC address an interface will be using.
253 <br/><br/>
254 The parameter <code>IP</code> represents the IP address
255 that the operating system inside the virtual machine is expected
256 to use on the given interface. The <code>IP</code> parameter
257 is special in so far as the libvirt daemon will try to determine
258 the IP address (and thus the IP parameter's value) that is being
259 used on an interface if the parameter
260 is not explicitly provided but referenced.
261 For current limitations on IP address detection, consult the
262 <a href="#nwflimits">section on limitations</a> on how to use this
263 feature and what to expect when using it.
264 <br/><br/>
265 The above-shown network filer <code>no-arp-spoofing</code>
266 is an example of
267 a network filter XML referencing the <code>MAC</code> and
268 <code>IP</code> variables.
269 <br/><br/>
270 Note that referenced variables are always prefixed with the
271 $ (dollar) sign. The format of the value of a variable
272 must be of the type expected by the filter attribute in the
273 XML. In the above example, the <code>IP</code> parameter
274 must hold a dotted IP address in decimal numbers format.
275 Failure to provide the correct
276 value type will result in the filter not being instantiatable
277 and will prevent a virtual machine from starting or the
278 interface from attaching when hotplugging is used. The types
279 that are expected for each XML attribute are shown
280 below.
281 <br/><br/>
282 <span class="since">Since 0.9.8</span> variables can contain lists of
283 elements, e.g., the variable <code>IP</code> can contain multiple IP
284 addresses that are valid on a particular interface. The notation for
285 providing multiple elements for the IP variable is:
286 </p>
287 <pre>
289 &lt;devices&gt;
290 &lt;interface type='bridge'&gt;
291 &lt;mac address='00:16:3e:5d:c7:9e'/&gt;
292 &lt;filterref filter='clean-traffic'&gt;
293 &lt;parameter name='IP' value='10.0.0.1'/&gt;
294 &lt;parameter name='IP' value='10.0.0.2'/&gt;
295 &lt;parameter name='IP' value='10.0.0.3'/&gt;
296 &lt;/filterref&gt;
297 &lt;/interface&gt;
298 &lt;/devices&gt;
299 ...</pre>
301 This then allows filters to enable multiple IP addresses
302 per interface. Therefore, with the list
303 of IP address shown above, the following rule will create 3
304 individual filtering rules, one for each IP address.
305 </p>
306 <pre>
308 &lt;rule action='accept' direction='in' priority='500'&gt;
309 &lt;tcp srpipaddr='$IP'/&gt;
310 &lt;/rule&gt;
312 </pre>
314 <span class="since">Since 0.9.10</span> it is possible to access
315 individual elements of a variable holding a list of elements.
316 A filtering rule like the following accesses the 2nd element
317 of the variable DSTPORTS.
318 </p>
319 <pre>
321 &lt;rule action='accept' direction='in' priority='500'&gt;
322 &lt;udp dstportstart='$DSTPORTS[1]'/&gt;
323 &lt;/rule&gt;
325 </pre>
327 <span class="since">Since 0.9.10</span> it is possible to create
328 filtering rules that instantiate all combinations of rules from
329 different lists using the notation of
330 <code>$VARIABLE[@&lt;iterator ID&gt;]</code>.
331 The following rule allows a virtual machine to
332 receive traffic on a set of ports, which are specified in DSTPORTS,
333 from the set of source IP address specified in SRCIPADDRESSES.
334 The rule generates all combinations of elements of the variable
335 DSTPORT with those of SRCIPADDRESSES by using two independent
336 iterators to access their elements.
337 </p>
338 <pre>
340 &lt;rule action='accept' direction='in' priority='500'&gt;
341 &lt;ip srcipaddr='$SRCIPADDRESSES[@1]' dstportstart='$DSTPORTS[@2]'/&gt;
342 &lt;/rule&gt;
344 </pre>
347 In an example we assign concrete values to SRCIPADDRESSES and DSTPORTS
348 </p>
349 <pre>
350 SRCIPADDRESSES = [ 10.0.0.1, 11.1.2.3 ]
351 DSTPORTS = [ 80, 8080 ]
352 </pre>
354 Accessing the variables using $SRCIPADDRESSES[@1] and $DSTPORTS[@2] would
355 then result in all combinations of addresses and ports being created:
356 </p>
357 <pre>
358 10.0.0.1, 80
359 10.0.0.1, 8080
360 11.1.2.3, 80
361 11.1.2.3, 8080
362 </pre>
364 Accessing the same variables using a single iterator, for example by using
365 the notation $SRCIPADDRESSES[@1] and $DSTPORTS[@1], would result in
366 parallel access to both lists and result in the following combinations:
367 </p>
368 <pre>
369 10.0.0.1, 80
370 11.1.2.3, 8080
371 </pre>
373 Further, the notation of $VARIABLE is short-hand for $VARIABLE[@0]. The
374 former notation always assumes the iterator with Id '0'.
375 </p>
377 <h3><a id="nwfelemsRulesAdvIPAddrDetection">Automatic IP address detection</a></h3>
379 The detection of IP addresses used on a virtual machine's interface
380 is automatically activated if the variable <code>IP</code> is referenced
381 but no value has been assigned to it.
382 <span class="since">Since 0.9.13</span>
383 the variable <code>CTRL_IP_LEARNING</code> can be used to specify
384 the IP address learning method to use. Valid values are <code>any</code>,
385 <code>dhcp</code>, or <code>none</code>.
386 <br/><br/>
387 The value <code>any</code> means that libvirt may use any packet to
388 determine the address in use by a virtual machine, which is the default
389 behavior if the variable <code>CTRL_IP_LEARNING</code> is not set. This method
390 will only detect a single IP address on an interface.
391 Once a VM's IP address has been detected, its IP network traffic
392 will be locked to that address, if for example IP address spoofing
393 is prevented by one of its filters. In that case the user of the VM
394 will not be able to change the IP address on the interface inside
395 the VM, which would be considered IP address spoofing.
396 When a VM is migrated to another host or resumed after a suspend operation,
397 the first packet sent by the VM will again determine the IP address it can
398 use on a particular interface.
399 <br/>
400 A value of <code>dhcp</code> specifies that libvirt should only honor DHCP
401 server-assigned addresses with valid leases. This method supports the detection
402 and usage of multiple IP address per interface.
403 When a VM is resumed after a suspend operation, still valid IP address leases
404 are applied to its filters. Otherwise the VM is expected to again use DHCP to obtain new
405 IP addresses. The migration of a VM to another physical host requires that
406 the VM again runs the DHCP protocol.
407 <br/><br/>
408 Use of <code>CTRL_IP_LEARNING=dhcp</code> (DHCP snooping) provides additional
409 anti-spoofing security, especially when combined with a filter allowing
410 only trusted DHCP servers to assign addresses. To enable this, set the
411 variable <code>DHCPSERVER</code> to the IP address of a valid DHCP server
412 and provide filters that use this variable to filter incoming DHCP responses.
413 <br/><br/>
414 When DHCP snooping is enabled and the DHCP lease expires,
415 the VM will no longer be able to use the IP address until it acquires a
416 new, valid lease from a DHCP server. If the VM is migrated, it must get
417 a new valid DHCP lease to use an IP address (e.g., by
418 bringing the VM interface down and up again).
419 <br/><br/>
420 Note that automatic DHCP detection listens to the DHCP traffic
421 the VM exchanges with the DHCP server of the infrastructure. To avoid
422 denial-of-service attacks on libvirt, the evaluation of those packets
423 is rate-limited, meaning that a VM sending an excessive number of DHCP
424 packets per second on an interface will not have all of those packets
425 evaluated and thus filters may not get adapted. Normal DHCP client
426 behavior is assumed to send a low number of DHCP packets per second.
427 Further, it is important to setup appropriate filters on all VMs in
428 the infrastructure to avoid them being able to send DHCP
429 packets. Therefore VMs must either be prevented from sending UDP and TCP
430 traffic from port 67 to port 68 or the <code>DHCPSERVER</code>
431 variable should be used on all VMs to restrict DHCP server messages to
432 only be allowed to originate from trusted DHCP servers. At the same
433 time anti-spoofing prevention must be enabled on all VMs in the subnet.
434 <br/><br/>
435 If <code>CTRL_IP_LEARNING</code> is set to <code>none</code>, libvirt does not do
436 IP address learning and referencing <code>IP</code> without assigning it an
437 explicit value is an error.
438 <br/><br/>
439 The following XML provides an example for the activation of IP address learning
440 using the DHCP snooping method:
441 </p>
442 <pre>
443 &lt;interface type='bridge'&gt;
444 &lt;source bridge='virbr0'/&gt;
445 &lt;filterref filter='clean-traffic'&gt;
446 &lt;parameter name='CTRL_IP_LEARNING' value='dhcp'/&gt;
447 &lt;/filterref&gt;
448 &lt;/interface&gt;
449 </pre>
451 <h3><a id="nwfelemsReservedVars">Reserved Variables</a></h3>
453 The following table lists reserved variables in use by libvirt.
454 </p>
455 <table class="top_table">
456 <tr>
457 <th> Variable Name </th>
458 <th> Semantics </th>
459 </tr>
460 <tr>
461 <td> MAC </td>
462 <td> The MAC address of the interface </td>
463 </tr>
464 <tr>
465 <td> IP </td>
466 <td> The list of IP addresses in use by an interface </td>
467 </tr>
468 <tr>
469 <td> IPV6 </td>
470 <td> Not currently implemented:
471 the list of IPV6 addresses in use by an interface </td>
472 </tr>
473 <tr>
474 <td> DHCPSERVER </td>
475 <td> The list of IP addresses of trusted DHCP servers</td>
476 </tr>
477 <tr>
478 <td> DHCPSERVERV6 </td>
479 <td> Not currently implemented:
480 The list of IPv6 addresses of trusted DHCP servers</td>
481 </tr>
482 <tr>
483 <td> CTRL_IP_LEARNING </td>
484 <td> The choice of the IP address detection mode </td>
485 </tr>
486 </table>
488 <h2><a id="nwfelems">Element and attribute overview</a></h2>
491 The root element required for all network filters is
492 named <code>filter</code> with two possible attributes. The
493 <code>name</code> attribute provides a unique name of the
494 given filter. The <code>chain</code> attribute is optional but
495 allows certain filters to be better organized for more efficient
496 processing by the firewall subsystem of the underlying host.
497 Currently the system only supports the chains <code>root,
498 ipv4, ipv6, arp and rarp</code>.
499 </p>
501 <h3><a id="nwfelemsRefs">References to other filters</a></h3>
503 Any filter may hold references to other filters. Individual
504 filters may be referenced multiple times in a filter tree but
505 references between filters must not introduce loops (directed
506 acyclic graph).
507 <br/><br/>
508 The following shows the XML of the <code>clean-traffic</code>
509 network filter referencing several other filters.
510 </p>
511 <pre>
512 &lt;filter name='clean-traffic'&gt;
513 &lt;uuid&gt;6ef53069-ba34-94a0-d33d-17751b9b8cb1&lt;/uuid&gt;
514 &lt;filterref filter='no-mac-spoofing'/&gt;
515 &lt;filterref filter='no-ip-spoofing'/&gt;
516 &lt;filterref filter='allow-incoming-ipv4'/&gt;
517 &lt;filterref filter='no-arp-spoofing'/&gt;
518 &lt;filterref filter='no-other-l2-traffic'/&gt;
519 &lt;filterref filter='qemu-announce-self'/&gt;
520 &lt;/filter&gt;
521 </pre>
524 To reference another filter, the XML node <code>filterref</code>
525 needs to be provided inside a <code>filter</code> node. This
526 node must have the attribute <code>filter</code> whose value contains
527 the name of the filter to be referenced.
528 <br/><br/>
529 New network filters can be defined at any time and
530 may contain references to network filters that are
531 not known to libvirt, yet. However, once a virtual machine
532 is started or a network interface
533 referencing a filter is to be hotplugged, all network filters
534 in the filter tree must be available. Otherwise the virtual
535 machine will not start or the network interface cannot be
536 attached.
537 </p>
539 <h3><a id="nwfelemsRules">Filter rules</a></h3>
541 The following XML shows a simple example of a network
542 traffic filter implementing a rule to drop traffic if
543 the IP address (provided through the value of the
544 variable IP) in an outgoing IP packet is not the expected
545 one, thus preventing IP address spoofing by the VM.
546 </p>
547 <pre>
548 &lt;filter name='no-ip-spoofing' chain='ipv4'&gt;
549 &lt;uuid&gt;fce8ae33-e69e-83bf-262e-30786c1f8072&lt;/uuid&gt;
550 &lt;rule action='drop' direction='out' priority='500'&gt;
551 &lt;ip match='no' srcipaddr='$IP'/&gt;
552 &lt;/rule&gt;
553 &lt;/filter&gt;
554 </pre>
557 A traffic filtering rule starts with the <code>rule</code>
558 node. This node may contain up to three attributes
559 </p>
560 <ul>
561 <li>
562 action -- mandatory; must either be <code>drop</code>
563 (matching the rule silently discards the packet with no
564 further analysis),
565 <code>reject</code> (matching the rule generates an ICMP
566 reject message with no further analysis) <span class="since">(since
567 0.9.0)</span>, <code>accept</code> (matching the rule accepts
568 the packet with no further analysis), <code>return</code>
569 (matching the rule passes this filter, but returns control to
570 the calling filter for further
571 analysis) <span class="since">(since 0.9.7)</span>,
572 or <code>continue</code> (matching the rule goes on to the next
573 rule for further analysis) <span class="since">(since
574 0.9.7)</span>.
575 </li>
576 <li>
577 direction -- mandatory; must either be <code>in</code>, <code>out</code> or
578 <code>inout</code> if the rule is for incoming,
579 outgoing or incoming-and-outgoing traffic
580 </li>
581 <li>
582 priority -- optional; the priority of the rule controls the order in
583 which the rule will be instantiated relative to other rules.
584 Rules with lower value will be instantiated before rules with higher
585 values.
586 Valid values are in the range of 0 to 1000.
587 <span class="since">Since 0.9.8</span> this has been extended to cover
588 the range of -1000 to 1000. If this attribute is not
589 provided, priority 500 will automatically be assigned.
590 <br/>
591 Note that filtering rules in the <code>root</code> chain are sorted
592 with filters connected to the <code>root</code> chain following
593 their priorities. This allows to interleave filtering rules with
594 access to filter chains.
595 (See also section on
596 <a href="#nwfconceptschainpriorities">
597 filtering chain priorities
598 </a>.)
599 </li>
600 <li>
601 statematch -- optional; possible values are '0' or 'false' to
602 turn the underlying connection state matching off; default is 'true'
603 <br/>
604 Also read the section on <a href="#nwfelemsRulesAdv">advanced configuration</a>
605 topics.
606 </li>
607 </ul>
609 The above example indicates that the traffic of type <code>ip</code>
610 will be associated with the chain 'ipv4' and the rule will have
611 priority 500. If for example another filter is referenced whose
612 traffic of type <code>ip</code> is also associated with the chain
613 'ipv4' then that filter's rules will be ordered relative to the priority
614 500 of the shown rule.
615 <br/><br/>
616 A rule may contain a single rule for filtering of traffic. The
617 above example shows that traffic of type <code>ip</code> is to be
618 filtered.
619 </p>
621 <h4><a id="nwfelemsRulesProto">Supported protocols</a></h4>
623 The following sections enumerate the list of protocols that
624 are supported by the network filtering subsystem. The
625 type of traffic a rule is supposed to filter on is provided
626 in the <code>rule</code> node as a nested node. Depending
627 on the traffic type a rule is filtering, the attributes are
628 different. The above example showed the single
629 attribute <code>srcipaddr</code> that is valid inside the
630 <code>ip</code> traffic filtering node. The following sections
631 show what attributes are valid and what type of data they are
632 expecting. The following datatypes are available:
633 </p>
634 <ul>
635 <li>UINT8 : 8 bit integer; range 0-255</li>
636 <li>UINT16: 16 bit integer; range 0-65535</li>
637 <li>MAC_ADDR: MAC address in dotted decimal format, i.e., 00:11:22:33:44:55</li>
638 <li>MAC_MASK: MAC address mask in MAC address format, i.e., FF:FF:FF:FC:00:00</li>
639 <li>IP_ADDR: IP address in dotted decimal format, i.e., 10.1.2.3</li>
640 <li>IP_MASK: IP address mask in either dotted decimal format (255.255.248.0) or CIDR mask (0-32)</li>
641 <li>IPV6_ADDR: IPv6 address in numbers format, i.e., FFFF::1</li>
642 <li>IPV6_MASK: IPv6 mask in numbers format (FFFF:FFFF:FC00::) or CIDR mask (0-128)</li>
643 <li>STRING: A string</li>
644 <li>BOOLEAN: 'true', 'yes', '1' or 'false', 'no', '0'</li>
645 <li>IPSETFLAGS: The source and destination flags of the ipset described
646 by up to 6 'src' or 'dst' elements selecting features from either
647 the source or destination part of the packet header; example:
648 src,src,dst. The number of 'selectors' to provide here depends
649 on the type of ipset that is referenced.</li>
650 </ul>
652 <br/><br/>
653 Every attribute except for those of type IP_MASK or IPV6_MASK can
654 be negated using the <code>match</code>
655 attribute with value <code>no</code>. Multiple negated attributes
656 may be grouped together. The following
657 XML fragment shows such an example using abstract attributes.
658 </p>
659 <pre>
660 [...]
661 &lt;rule action='drop' direction='in'&gt;
662 &lt;protocol match='no' attribute1='value1' attribute2='value2'/&gt;
663 &lt;protocol attribute3='value3'/&gt;
664 &lt;/rule&gt;
665 [...]
666 </pre>
668 Rules perform a logical AND evaluation on all values of the given
669 protocol attributes. Thus, if a single attribute's value does not match
670 the one given in the rule, the whole rule will be skipped during
671 evaluation. Therefore, in the above example incoming traffic
672 will only be dropped if
673 the protocol property attribute1 does not match value1 AND
674 the protocol property attribute2 does not match value2 AND
675 the protocol property attribute3 matches value3.
676 <br/><br/>
677 </p>
680 <h5><a id="nwfelemsRulesProtoMAC">MAC (Ethernet)</a></h5>
682 Protocol ID: <code>mac</code>
683 <br/>
684 Note: Rules of this type should go into the <code>root</code> chain.
685 </p>
686 <table class="top_table">
687 <tr>
688 <th> Attribute </th>
689 <th> Datatype </th>
690 <th> Semantics </th>
691 </tr>
692 <tr>
693 <td>srcmacaddr</td>
694 <td>MAC_ADDR</td>
695 <td>MAC address of sender</td>
696 </tr>
697 <tr>
698 <td>srcmacmask</td>
699 <td>MAC_MASK</td>
700 <td>Mask applied to MAC address of sender</td>
701 </tr>
702 <tr>
703 <td>dstmacaddr</td>
704 <td>MAC_ADDR</td>
705 <td>MAC address of destination</td>
706 </tr>
707 <tr>
708 <td>dstmacmask</td>
709 <td>MAC_MASK</td>
710 <td>Mask applied to MAC address of destination</td>
711 </tr>
712 <tr>
713 <td>protocolid</td>
714 <td>UINT16 (0x600-0xffff), STRING</td>
715 <td>Layer 3 protocol ID</td>
716 </tr>
717 <tr>
718 <td>comment <span class="since">(Since 0.8.5)</span></td>
719 <td>STRING</td>
720 <td>text with max. 256 characters</td>
721 </tr>
722 </table>
724 Valid Strings for <code>protocolid</code> are: arp, rarp, ipv4, ipv6
725 </p>
726 <pre>
727 [...]
728 &lt;mac match='no' srcmacaddr='$MAC'/&gt;
729 [...]
730 </pre>
732 <h5><a id="nwfelemsRulesProtoVLAN">VLAN (802.1Q)</a>
733 <span class="since">(Since 0.9.8)</span>
734 </h5>
736 Protocol ID: <code>vlan</code>
737 <br/>
738 Note: Rules of this type should go either into the <code>root</code> or
739 <code>vlan</code> chain.
740 </p>
741 <table class="top_table">
742 <tr>
743 <th> Attribute </th>
744 <th> Datatype </th>
745 <th> Semantics </th>
746 </tr>
747 <tr>
748 <td>srcmacaddr</td>
749 <td>MAC_ADDR</td>
750 <td>MAC address of sender</td>
751 </tr>
752 <tr>
753 <td>srcmacmask</td>
754 <td>MAC_MASK</td>
755 <td>Mask applied to MAC address of sender</td>
756 </tr>
757 <tr>
758 <td>dstmacaddr</td>
759 <td>MAC_ADDR</td>
760 <td>MAC address of destination</td>
761 </tr>
762 <tr>
763 <td>dstmacmask</td>
764 <td>MAC_MASK</td>
765 <td>Mask applied to MAC address of destination</td>
766 </tr>
767 <tr>
768 <td>vlanid</td>
769 <td>UINT16 (0x0-0xfff, 0 - 4095)</td>
770 <td>VLAN ID</td>
771 </tr>
772 <tr>
773 <td>encap-protocol</td>
774 <td>UINT16 (0x03c-0xfff), String</td>
775 <td>Encapsulated layer 3 protocol ID</td>
776 </tr>
777 <tr>
778 <td>comment </td>
779 <td>STRING</td>
780 <td>text with max. 256 characters</td>
781 </tr>
782 </table>
784 Valid Strings for <code>encap-protocol</code> are: arp, ipv4, ipv6
785 </p>
787 <h5><a id="nwfelemsRulesProtoSTP">STP (Spanning Tree Protocol)</a>
788 <span class="since">(Since 0.9.8)</span>
789 </h5>
791 Protocol ID: <code>stp</code>
792 <br/>
793 Note: Rules of this type should go either into the <code>root</code> or
794 <code>stp</code> chain.
795 </p>
796 <table class="top_table">
797 <tr>
798 <th> Attribute </th>
799 <th> Datatype </th>
800 <th> Semantics </th>
801 </tr>
802 <tr>
803 <td>srcmacaddr</td>
804 <td>MAC_ADDR</td>
805 <td>MAC address of sender</td>
806 </tr>
807 <tr>
808 <td>srcmacmask</td>
809 <td>MAC_MASK</td>
810 <td>Mask applied to MAC address of sender</td>
811 </tr>
812 <tr>
813 <td>type</td>
814 <td>UINT8</td>
815 <td>Bridge Protocol Data Unit (BPDU) type</td>
816 </tr>
817 <tr>
818 <td>flags</td>
819 <td>UINT8</td>
820 <td>BPDU flag</td>
821 </tr>
822 <tr>
823 <td>root-priority</td>
824 <td>UINT16</td>
825 <td>Root priority (range start)</td>
826 </tr>
827 <tr>
828 <td>root-priority-hi</td>
829 <td>UINT16</td>
830 <td>Root priority range end</td>
831 </tr>
832 <tr>
833 <td>root-address</td>
834 <td>MAC_ADDRESS</td>
835 <td>Root MAC address</td>
836 </tr>
837 <tr>
838 <td>root-address-mask</td>
839 <td>MAC_MASK</td>
840 <td>Root MAC address mask</td>
841 </tr>
842 <tr>
843 <td>root-cost</td>
844 <td>UINT32</td>
845 <td>Root path cost (range start)</td>
846 </tr>
847 <tr>
848 <td>root-cost-hi</td>
849 <td>UINT32</td>
850 <td>Root path cost range end</td>
851 </tr>
852 <tr>
853 <td>sender-priority</td>
854 <td>UINT16</td>
855 <td>Sender priority (range start)</td>
856 </tr>
857 <tr>
858 <td>sender-priority-hi</td>
859 <td>UINT16</td>
860 <td>Sender priority range end</td>
861 </tr>
862 <tr>
863 <td>sender-address</td>
864 <td>MAC_ADDRESS</td>
865 <td>BPDU sender MAC address</td>
866 </tr>
867 <tr>
868 <td>sender-address-mask</td>
869 <td>MAC_MASK</td>
870 <td>BPDU sender MAC address mask</td>
871 </tr>
872 <tr>
873 <td>port</td>
874 <td>UINT16</td>
875 <td>Port identifier (range start)</td>
876 </tr>
877 <tr>
878 <td>port_hi</td>
879 <td>UINT16</td>
880 <td>Port identifier range end</td>
881 </tr>
882 <tr>
883 <td>msg-age</td>
884 <td>UINT16</td>
885 <td>Message age timer (range start)</td>
886 </tr>
887 <tr>
888 <td>msg-age-hi</td>
889 <td>UINT16</td>
890 <td>Message age timer range end</td>
891 </tr>
892 <tr>
893 <td>max-age</td>
894 <td>UINT16</td>
895 <td>Maximum age timer (range start)</td>
896 </tr>
897 <tr>
898 <td>max-age-hi</td>
899 <td>UINT16</td>
900 <td>Maximum age timer range end</td>
901 </tr>
902 <tr>
903 <td>hello-time</td>
904 <td>UINT16</td>
905 <td>Hello time timer (range start)</td>
906 </tr>
907 <tr>
908 <td>hello-time-hi</td>
909 <td>UINT16</td>
910 <td>Hello time timer range end</td>
911 </tr>
912 <tr>
913 <td>forward-delay</td>
914 <td>UINT16</td>
915 <td>Forward delay (range start)</td>
916 </tr>
917 <tr>
918 <td>forward-delay-hi</td>
919 <td>UINT16</td>
920 <td>Forward delay range end</td>
921 </tr>
922 <tr>
923 <td>comment</td>
924 <td>STRING</td>
925 <td>text with max. 256 characters</td>
926 </tr>
927 </table>
929 <h5><a id="nwfelemsRulesProtoARP">ARP/RARP</a></h5>
931 Protocol ID: <code>arp</code> or <code>rarp</code>
932 <br/>
933 Note: Rules of this type should either go into the
934 <code>root</code> or <code>arp/rarp</code> chain.
935 </p>
936 <table class="top_table">
937 <tr>
938 <th> Attribute </th>
939 <th> Datatype </th>
940 <th> Semantics </th>
941 </tr>
942 <tr>
943 <td>srcmacaddr</td>
944 <td>MAC_ADDR</td>
945 <td>MAC address of sender</td>
946 </tr>
947 <tr>
948 <td>srcmacmask</td>
949 <td>MAC_MASK</td>
950 <td>Mask applied to MAC address of sender</td>
951 </tr>
952 <tr>
953 <td>dstmacaddr</td>
954 <td>MAC_ADDR</td>
955 <td>MAC address of destination</td>
956 </tr>
957 <tr>
958 <td>dstmacmask</td>
959 <td>MAC_MASK</td>
960 <td>Mask applied to MAC address of destination</td>
961 </tr>
962 <tr>
963 <td>hwtype</td>
964 <td>UINT16</td>
965 <td>Hardware type</td>
966 </tr>
967 <tr>
968 <td>protocoltype</td>
969 <td>UINT16</td>
970 <td>Protocol type</td>
971 </tr>
972 <tr>
973 <td>opcode</td>
974 <td>UINT16, STRING</td>
975 <td>Opcode</td>
976 </tr>
977 <tr>
978 <td>arpsrcmacaddr</td>
979 <td>MAC_ADDR</td>
980 <td>Source MAC address in ARP/RARP packet</td>
981 </tr>
982 <tr>
983 <td>arpdstmacaddr</td>
984 <td>MAC_ADDR</td>
985 <td>Destination MAC address in ARP/RARP packet</td>
986 </tr>
987 <tr>
988 <td>arpsrcipaddr</td>
989 <td>IP_ADDR</td>
990 <td>Source IP address in ARP/RARP packet</td>
991 </tr>
992 <tr>
993 <td>arpsrcipmask <span class="since">(Since 1.2.3)</span></td>
994 <td>IP_MASK</td>
995 <td>Source IP mask</td>
996 </tr>
997 <tr>
998 <td>arpdstipaddr</td>
999 <td>IP_ADDR</td>
1000 <td>Destination IP address in ARP/RARP packet</td>
1001 </tr>
1002 <tr>
1003 <td>arpdstipmask <span class="since">(Since 1.2.3)</span></td>
1004 <td>IP_MASK</td>
1005 <td>Destination IP mask</td>
1006 </tr>
1007 <tr>
1008 <td>comment <span class="since">(Since 0.8.5)</span></td>
1009 <td>STRING</td>
1010 <td>text with max. 256 characters</td>
1011 </tr>
1012 <tr>
1013 <td>gratuitous <span class="since">(Since 0.9.2)</span></td>
1014 <td>BOOLEAN</td>
1015 <td>boolean indicating whether to check for gratuitous ARP packet</td>
1016 </tr>
1017 </table>
1019 Valid strings for the <code>Opcode</code> field are:
1020 Request, Reply, Request_Reverse, Reply_Reverse, DRARP_Request,
1021 DRARP_Reply, DRARP_Error, InARP_Request, ARP_NAK
1022 <br/><br/>
1023 </p>
1025 <h5><a id="nwfelemsRulesProtoIP">IPv4</a></h5>
1027 Protocol ID: <code>ip</code>
1028 <br/>
1029 Note: Rules of this type should either go into the
1030 <code>root</code> or <code>ipv4</code> chain.
1031 </p>
1032 <table class="top_table">
1033 <tr>
1034 <th> Attribute </th>
1035 <th> Datatype </th>
1036 <th> Semantics </th>
1037 </tr>
1038 <tr>
1039 <td>srcmacaddr</td>
1040 <td>MAC_ADDR</td>
1041 <td>MAC address of sender</td>
1042 </tr>
1043 <tr>
1044 <td>srcmacmask</td>
1045 <td>MAC_MASK</td>
1046 <td>Mask applied to MAC address of sender</td>
1047 </tr>
1048 <tr>
1049 <td>dstmacaddr</td>
1050 <td>MAC_ADDR</td>
1051 <td>MAC address of destination</td>
1052 </tr>
1053 <tr>
1054 <td>dstmacmask</td>
1055 <td>MAC_MASK</td>
1056 <td>Mask applied to MAC address of destination</td>
1057 </tr>
1058 <tr>
1059 <td>srcipaddr</td>
1060 <td>IP_ADDR</td>
1061 <td>Source IP address</td>
1062 </tr>
1063 <tr>
1064 <td>srcipmask</td>
1065 <td>IP_MASK</td>
1066 <td>Mask applied to source IP address</td>
1067 </tr>
1068 <tr>
1069 <td>dstipaddr</td>
1070 <td>IP_ADDR</td>
1071 <td>Destination IP address</td>
1072 </tr>
1073 <tr>
1074 <td>dstipmask</td>
1075 <td>IP_MASK</td>
1076 <td>Mask applied to destination IP address</td>
1077 </tr>
1078 <tr>
1079 <td>protocol</td>
1080 <td>UINT8, STRING</td>
1081 <td>Layer 4 protocol identifier</td>
1082 </tr>
1083 <tr>
1084 <td>srcportstart</td>
1085 <td>UINT16</td>
1086 <td>Start of range of valid source ports; requires <code>protocol</code></td>
1087 </tr>
1088 <tr>
1089 <td>srcportend</td>
1090 <td>UINT16</td>
1091 <td>End of range of valid source ports; requires <code>protocol</code></td>
1092 </tr>
1093 <tr>
1094 <td>dstportstart</td>
1095 <td>UINT16</td>
1096 <td>Start of range of valid destination ports; requires <code>protocol</code></td>
1097 </tr>
1098 <tr>
1099 <td>dstportend</td>
1100 <td>UINT16</td>
1101 <td>End of range of valid destination ports; requires <code>protocol</code></td>
1102 </tr>
1103 <tr>
1104 <td>dscp</td>
1105 <td>UINT8 (0x0-0x3f, 0 - 63)</td>
1106 <td>Differentiated Services Code Point</td>
1107 </tr>
1108 <tr>
1109 <td>comment <span class="since">(Since 0.8.5)</span></td>
1110 <td>STRING</td>
1111 <td>text with max. 256 characters</td>
1112 </tr>
1113 </table>
1115 Valid strings for <code>protocol</code> are:
1116 tcp, udp, udplite, esp, ah, icmp, igmp, sctp
1117 <br/><br/>
1118 </p>
1121 <h5><a id="nwfelemsRulesProtoIPv6">IPv6</a></h5>
1123 Protocol ID: <code>ipv6</code>
1124 <br/>
1125 Note: Rules of this type should either go into the
1126 <code>root</code> or <code>ipv6</code> chain.
1127 </p>
1128 <table class="top_table">
1129 <tr>
1130 <th> Attribute </th>
1131 <th> Datatype </th>
1132 <th> Semantics </th>
1133 </tr>
1134 <tr>
1135 <td>srcmacaddr</td>
1136 <td>MAC_ADDR</td>
1137 <td>MAC address of sender</td>
1138 </tr>
1139 <tr>
1140 <td>srcmacmask</td>
1141 <td>MAC_MASK</td>
1142 <td>Mask applied to MAC address of sender</td>
1143 </tr>
1144 <tr>
1145 <td>dstmacaddr</td>
1146 <td>MAC_ADDR</td>
1147 <td>MAC address of destination</td>
1148 </tr>
1149 <tr>
1150 <td>dstmacmask</td>
1151 <td>MAC_MASK</td>
1152 <td>Mask applied to MAC address of destination</td>
1153 </tr>
1154 <tr>
1155 <td>srcipaddr</td>
1156 <td>IPV6_ADDR</td>
1157 <td>Source IPv6 address</td>
1158 </tr>
1159 <tr>
1160 <td>srcipmask</td>
1161 <td>IPV6_MASK</td>
1162 <td>Mask applied to source IPv6 address</td>
1163 </tr>
1164 <tr>
1165 <td>dstipaddr</td>
1166 <td>IPV6_ADDR</td>
1167 <td>Destination IPv6 address</td>
1168 </tr>
1169 <tr>
1170 <td>dstipmask</td>
1171 <td>IPV6_MASK</td>
1172 <td>Mask applied to destination IPv6 address</td>
1173 </tr>
1174 <tr>
1175 <td>protocol</td>
1176 <td>UINT8</td>
1177 <td>Layer 4 protocol identifier</td>
1178 </tr>
1179 <tr>
1180 <td>srcportstart</td>
1181 <td>UINT16</td>
1182 <td>Start of range of valid source ports; requires <code>protocol</code></td>
1183 </tr>
1184 <tr>
1185 <td>srcportend</td>
1186 <td>UINT16</td>
1187 <td>End of range of valid source ports; requires <code>protocol</code></td>
1188 </tr>
1189 <tr>
1190 <td>dstportstart</td>
1191 <td>UINT16</td>
1192 <td>Start of range of valid destination ports; requires <code>protocol</code></td>
1193 </tr>
1194 <tr>
1195 <td>dstportend</td>
1196 <td>UINT16</td>
1197 <td>End of range of valid destination ports; requires <code>protocol</code></td>
1198 </tr>
1199 <tr>
1200 <td>type<span class="since">(Since 1.2.12)</span></td>
1201 <td>UINT8</td>
1202 <td>ICMPv6 type; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
1203 </tr>
1204 <tr>
1205 <td>typeend<span class="since">(Since 1.2.12)</span></td>
1206 <td>UINT8</td>
1207 <td>ICMPv6 type end of range; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
1208 </tr>
1209 <tr>
1210 <td>code<span class="since">(Since 1.2.12)</span></td>
1211 <td>UINT8</td>
1212 <td>ICMPv6 code; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
1213 </tr>
1214 <tr>
1215 <td>code<span class="since">(Since 1.2.12)</span></td>
1216 <td>UINT8</td>
1217 <td>ICMPv6 code end of range; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
1218 </tr>
1219 <tr>
1220 <td>comment <span class="since">(Since 0.8.5)</span></td>
1221 <td>STRING</td>
1222 <td>text with max. 256 characters</td>
1223 </tr>
1224 </table>
1226 Valid strings for <code>protocol</code> are:
1227 tcp, udp, udplite, esp, ah, icmpv6, sctp
1228 <br/><br/>
1229 </p>
1231 <h5><a id="nwfelemsRulesProtoTCP-ipv4">TCP/UDP/SCTP</a></h5>
1233 Protocol ID: <code>tcp</code>, <code>udp</code>, <code>sctp</code>
1234 <br/>
1235 Note: The chain parameter is ignored for this type of traffic
1236 and should either be omitted or set to <code>root</code>.
1237 </p>
1238 <table class="top_table">
1239 <tr>
1240 <th> Attribute </th>
1241 <th> Datatype </th>
1242 <th> Semantics </th>
1243 </tr>
1244 <tr>
1245 <td>srcmacaddr</td>
1246 <td>MAC_ADDR</td>
1247 <td>MAC address of sender</td>
1248 </tr>
1249 <tr>
1250 <td>srcipaddr</td>
1251 <td>IP_ADDR</td>
1252 <td>Source IP address</td>
1253 </tr>
1254 <tr>
1255 <td>srcipmask</td>
1256 <td>IP_MASK</td>
1257 <td>Mask applied to source IP address</td>
1258 </tr>
1259 <tr>
1260 <td>dstipaddr</td>
1261 <td>IP_ADDR</td>
1262 <td>Destination IP address</td>
1263 </tr>
1264 <tr>
1265 <td>dstipmask</td>
1266 <td>IP_MASK</td>
1267 <td>Mask applied to destination IP address</td>
1268 </tr>
1270 <tr>
1271 <td>srcipfrom</td>
1272 <td>IP_ADDR</td>
1273 <td>Start of range of source IP address</td>
1274 </tr>
1275 <tr>
1276 <td>srcipto</td>
1277 <td>IP_ADDR</td>
1278 <td>End of range of source IP address</td>
1279 </tr>
1280 <tr>
1281 <td>dstipfrom</td>
1282 <td>IP_ADDR</td>
1283 <td>Start of range of destination IP address</td>
1284 </tr>
1285 <tr>
1286 <td>dstipto</td>
1287 <td>IP_ADDR</td>
1288 <td>End of range of destination IP address</td>
1289 </tr>
1291 <tr>
1292 <td>srcportstart</td>
1293 <td>UINT16</td>
1294 <td>Start of range of valid source ports</td>
1295 </tr>
1296 <tr>
1297 <td>srcportend</td>
1298 <td>UINT16</td>
1299 <td>End of range of valid source ports</td>
1300 </tr>
1301 <tr>
1302 <td>dstportstart</td>
1303 <td>UINT16</td>
1304 <td>Start of range of valid destination ports</td>
1305 </tr>
1306 <tr>
1307 <td>dstportend</td>
1308 <td>UINT16</td>
1309 <td>End of range of valid destination ports</td>
1310 </tr>
1311 <tr>
1312 <td>dscp</td>
1313 <td>UINT8 (0x0-0x3f, 0 - 63)</td>
1314 <td>Differentiated Services Code Point</td>
1315 </tr>
1316 <tr>
1317 <td>comment <span class="since">(Since 0.8.5)</span></td>
1318 <td>STRING</td>
1319 <td>text with max. 256 characters</td>
1320 </tr>
1321 <tr>
1322 <td>state <span class="since">(Since 0.8.5)</span></td>
1323 <td>STRING</td>
1324 <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
1325 </tr>
1326 <tr>
1327 <td>flags <span class="since">(Since 0.9.1)</span></td>
1328 <td>STRING</td>
1329 <td>TCP-only: format of mask/flags with mask and flags each being a comma separated list of SYN,ACK,URG,PSH,FIN,RST or NONE or ALL</td>
1330 </tr>
1331 <tr>
1332 <td>ipset <span class="since">(Since 0.9.13)</span></td>
1333 <td>STRING</td>
1334 <td>The name of an IPSet managed outside of libvirt</td>
1335 </tr>
1336 <tr>
1337 <td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
1338 <td>IPSETFLAGS</td>
1339 <td>flags for the IPSet; requires ipset attribute</td>
1340 </tr>
1341 </table>
1343 <br/><br/>
1344 </p>
1347 <h5><a id="nwfelemsRulesProtoICMP">ICMP</a></h5>
1349 Protocol ID: <code>icmp</code>
1350 <br/>
1351 Note: The chain parameter is ignored for this type of traffic
1352 and should either be omitted or set to <code>root</code>.
1353 </p>
1354 <table class="top_table">
1355 <tr>
1356 <th> Attribute </th>
1357 <th> Datatype </th>
1358 <th> Semantics </th>
1359 </tr>
1360 <tr>
1361 <td>srcmacaddr</td>
1362 <td>MAC_ADDR</td>
1363 <td>MAC address of sender</td>
1364 </tr>
1365 <tr>
1366 <td>srcmacmask</td>
1367 <td>MAC_MASK</td>
1368 <td>Mask applied to MAC address of sender</td>
1369 </tr>
1370 <tr>
1371 <td>dstmacaddr</td>
1372 <td>MAC_ADDR</td>
1373 <td>MAC address of destination</td>
1374 </tr>
1375 <tr>
1376 <td>dstmacmask</td>
1377 <td>MAC_MASK</td>
1378 <td>Mask applied to MAC address of destination</td>
1379 </tr>
1380 <tr>
1381 <td>srcipaddr</td>
1382 <td>IP_ADDR</td>
1383 <td>Source IP address</td>
1384 </tr>
1385 <tr>
1386 <td>srcipmask</td>
1387 <td>IP_MASK</td>
1388 <td>Mask applied to source IP address</td>
1389 </tr>
1390 <tr>
1391 <td>dstipaddr</td>
1392 <td>IP_ADDR</td>
1393 <td>Destination IP address</td>
1394 </tr>
1395 <tr>
1396 <td>dstipmask</td>
1397 <td>IP_MASK</td>
1398 <td>Mask applied to destination IP address</td>
1399 </tr>
1401 <tr>
1402 <td>srcipfrom</td>
1403 <td>IP_ADDR</td>
1404 <td>Start of range of source IP address</td>
1405 </tr>
1406 <tr>
1407 <td>srcipto</td>
1408 <td>IP_ADDR</td>
1409 <td>End of range of source IP address</td>
1410 </tr>
1411 <tr>
1412 <td>dstipfrom</td>
1413 <td>IP_ADDR</td>
1414 <td>Start of range of destination IP address</td>
1415 </tr>
1416 <tr>
1417 <td>dstipto</td>
1418 <td>IP_ADDR</td>
1419 <td>End of range of destination IP address</td>
1420 </tr>
1421 <tr>
1422 <td>type</td>
1423 <td>UINT16</td>
1424 <td>ICMP type</td>
1425 </tr>
1426 <tr>
1427 <td>code</td>
1428 <td>UINT16</td>
1429 <td>ICMP code</td>
1430 </tr>
1431 <tr>
1432 <td>dscp</td>
1433 <td>UINT8 (0x0-0x3f, 0 - 63)</td>
1434 <td>Differentiated Services Code Point</td>
1435 </tr>
1436 <tr>
1437 <td>comment <span class="since">(Since 0.8.5)</span></td>
1438 <td>STRING</td>
1439 <td>text with max. 256 characters</td>
1440 </tr>
1441 <tr>
1442 <td>state <span class="since">(Since 0.8.5)</span></td>
1443 <td>STRING</td>
1444 <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
1445 </tr>
1446 <tr>
1447 <td>ipset <span class="since">(Since 0.9.13)</span></td>
1448 <td>STRING</td>
1449 <td>The name of an IPSet managed outside of libvirt</td>
1450 </tr>
1451 <tr>
1452 <td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
1453 <td>IPSETFLAGS</td>
1454 <td>flags for the IPSet; requires ipset attribute</td>
1455 </tr>
1456 </table>
1458 <br/><br/>
1459 </p>
1461 <h5><a id="nwfelemsRulesProtoMisc">IGMP, ESP, AH, UDPLITE, 'ALL'</a></h5>
1463 Protocol ID: <code>igmp</code>, <code>esp</code>, <code>ah</code>, <code>udplite</code>, <code>all</code>
1464 <br/>
1465 Note: The chain parameter is ignored for this type of traffic
1466 and should either be omitted or set to <code>root</code>.
1467 </p>
1468 <table class="top_table">
1469 <tr>
1470 <th> Attribute </th>
1471 <th> Datatype </th>
1472 <th> Semantics </th>
1473 </tr>
1474 <tr>
1475 <td>srcmacaddr</td>
1476 <td>MAC_ADDR</td>
1477 <td>MAC address of sender</td>
1478 </tr>
1479 <tr>
1480 <td>srcmacmask</td>
1481 <td>MAC_MASK</td>
1482 <td>Mask applied to MAC address of sender</td>
1483 </tr>
1484 <tr>
1485 <td>dstmacaddr</td>
1486 <td>MAC_ADDR</td>
1487 <td>MAC address of destination</td>
1488 </tr>
1489 <tr>
1490 <td>dstmacmask</td>
1491 <td>MAC_MASK</td>
1492 <td>Mask applied to MAC address of destination</td>
1493 </tr>
1494 <tr>
1495 <td>srcipaddr</td>
1496 <td>IP_ADDR</td>
1497 <td>Source IP address</td>
1498 </tr>
1499 <tr>
1500 <td>srcipmask</td>
1501 <td>IP_MASK</td>
1502 <td>Mask applied to source IP address</td>
1503 </tr>
1504 <tr>
1505 <td>dstipaddr</td>
1506 <td>IP_ADDR</td>
1507 <td>Destination IP address</td>
1508 </tr>
1509 <tr>
1510 <td>dstipmask</td>
1511 <td>IP_MASK</td>
1512 <td>Mask applied to destination IP address</td>
1513 </tr>
1515 <tr>
1516 <td>srcipfrom</td>
1517 <td>IP_ADDR</td>
1518 <td>Start of range of source IP address</td>
1519 </tr>
1520 <tr>
1521 <td>srcipto</td>
1522 <td>IP_ADDR</td>
1523 <td>End of range of source IP address</td>
1524 </tr>
1525 <tr>
1526 <td>dstipfrom</td>
1527 <td>IP_ADDR</td>
1528 <td>Start of range of destination IP address</td>
1529 </tr>
1530 <tr>
1531 <td>dstipto</td>
1532 <td>IP_ADDR</td>
1533 <td>End of range of destination IP address</td>
1534 </tr>
1535 <tr>
1536 <td>dscp</td>
1537 <td>UINT8 (0x0-0x3f, 0 - 63)</td>
1538 <td>Differentiated Services Code Point</td>
1539 </tr>
1540 <tr>
1541 <td>comment <span class="since">(Since 0.8.5)</span></td>
1542 <td>STRING</td>
1543 <td>text with max. 256 characters</td>
1544 </tr>
1545 <tr>
1546 <td>state <span class="since">(Since 0.8.5)</span></td>
1547 <td>STRING</td>
1548 <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
1549 </tr>
1550 <tr>
1551 <td>ipset <span class="since">(Since 0.9.13)</span></td>
1552 <td>STRING</td>
1553 <td>The name of an IPSet managed outside of libvirt</td>
1554 </tr>
1555 <tr>
1556 <td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
1557 <td>IPSETFLAGS</td>
1558 <td>flags for the IPSet; requires ipset attribute</td>
1559 </tr>
1560 </table>
1562 <br/><br/>
1563 </p>
1566 <h5><a id="nwfelemsRulesProtoTCP-ipv6">TCP/UDP/SCTP over IPV6</a></h5>
1568 Protocol ID: <code>tcp-ipv6</code>, <code>udp-ipv6</code>, <code>sctp-ipv6</code>
1569 <br/>
1570 Note: The chain parameter is ignored for this type of traffic
1571 and should either be omitted or set to <code>root</code>.
1572 </p>
1573 <table class="top_table">
1574 <tr>
1575 <th> Attribute </th>
1576 <th> Datatype </th>
1577 <th> Semantics </th>
1578 </tr>
1579 <tr>
1580 <td>srcmacaddr</td>
1581 <td>MAC_ADDR</td>
1582 <td>MAC address of sender</td>
1583 </tr>
1584 <tr>
1585 <td>srcipaddr</td>
1586 <td>IPV6_ADDR</td>
1587 <td>Source IP address</td>
1588 </tr>
1589 <tr>
1590 <td>srcipmask</td>
1591 <td>IPV6_MASK</td>
1592 <td>Mask applied to source IP address</td>
1593 </tr>
1594 <tr>
1595 <td>dstipaddr</td>
1596 <td>IPV6_ADDR</td>
1597 <td>Destination IP address</td>
1598 </tr>
1599 <tr>
1600 <td>dstipmask</td>
1601 <td>IPV6_MASK</td>
1602 <td>Mask applied to destination IP address</td>
1603 </tr>
1605 <tr>
1606 <td>srcipfrom</td>
1607 <td>IPV6_ADDR</td>
1608 <td>Start of range of source IP address</td>
1609 </tr>
1610 <tr>
1611 <td>srcipto</td>
1612 <td>IPV6_ADDR</td>
1613 <td>End of range of source IP address</td>
1614 </tr>
1615 <tr>
1616 <td>dstipfrom</td>
1617 <td>IPV6_ADDR</td>
1618 <td>Start of range of destination IP address</td>
1619 </tr>
1620 <tr>
1621 <td>dstipto</td>
1622 <td>IPV6_ADDR</td>
1623 <td>End of range of destination IP address</td>
1624 </tr>
1626 <tr>
1627 <td>srcportstart</td>
1628 <td>UINT16</td>
1629 <td>Start of range of valid source ports</td>
1630 </tr>
1631 <tr>
1632 <td>srcportend</td>
1633 <td>UINT16</td>
1634 <td>End of range of valid source ports</td>
1635 </tr>
1636 <tr>
1637 <td>dstportstart</td>
1638 <td>UINT16</td>
1639 <td>Start of range of valid destination ports</td>
1640 </tr>
1641 <tr>
1642 <td>dstportend</td>
1643 <td>UINT16</td>
1644 <td>End of range of valid destination ports</td>
1645 </tr>
1646 <tr>
1647 <td>dscp</td>
1648 <td>UINT8 (0x0-0x3f, 0 - 63)</td>
1649 <td>Differentiated Services Code Point</td>
1650 </tr>
1651 <tr>
1652 <td>comment <span class="since">(Since 0.8.5)</span></td>
1653 <td>STRING</td>
1654 <td>text with max. 256 characters</td>
1655 </tr>
1656 <tr>
1657 <td>state <span class="since">(Since 0.8.5)</span></td>
1658 <td>STRING</td>
1659 <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
1660 </tr>
1661 <tr>
1662 <td>flags <span class="since">(Since 0.9.1)</span></td>
1663 <td>STRING</td>
1664 <td>TCP-only: format of mask/flags with mask and flags each being a comma separated list of SYN,ACK,URG,PSH,FIN,RST or NONE or ALL</td>
1665 </tr>
1666 <tr>
1667 <td>ipset <span class="since">(Since 0.9.13)</span></td>
1668 <td>STRING</td>
1669 <td>The name of an IPSet managed outside of libvirt</td>
1670 </tr>
1671 <tr>
1672 <td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
1673 <td>IPSETFLAGS</td>
1674 <td>flags for the IPSet; requires ipset attribute</td>
1675 </tr>
1676 </table>
1678 <br/><br/>
1679 </p>
1682 <h5><a id="nwfelemsRulesProtoICMPv6">ICMPv6</a></h5>
1684 Protocol ID: <code>icmpv6</code>
1685 <br/>
1686 Note: The chain parameter is ignored for this type of traffic
1687 and should either be omitted or set to <code>root</code>.
1688 </p>
1689 <table class="top_table">
1690 <tr>
1691 <th> Attribute </th>
1692 <th> Datatype </th>
1693 <th> Semantics </th>
1694 </tr>
1695 <tr>
1696 <td>srcmacaddr</td>
1697 <td>MAC_ADDR</td>
1698 <td>MAC address of sender</td>
1699 </tr>
1700 <tr>
1701 <td>srcipaddr</td>
1702 <td>IPV6_ADDR</td>
1703 <td>Source IPv6 address</td>
1704 </tr>
1705 <tr>
1706 <td>srcipmask</td>
1707 <td>IPV6_MASK</td>
1708 <td>Mask applied to source IPv6 address</td>
1709 </tr>
1710 <tr>
1711 <td>dstipaddr</td>
1712 <td>IPV6_ADDR</td>
1713 <td>Destination IPv6 address</td>
1714 </tr>
1715 <tr>
1716 <td>dstipmask</td>
1717 <td>IPV6_MASK</td>
1718 <td>Mask applied to destination IPv6 address</td>
1719 </tr>
1721 <tr>
1722 <td>srcipfrom</td>
1723 <td>IPV6_ADDR</td>
1724 <td>Start of range of source IP address</td>
1725 </tr>
1726 <tr>
1727 <td>srcipto</td>
1728 <td>IPV6_ADDR</td>
1729 <td>End of range of source IP address</td>
1730 </tr>
1731 <tr>
1732 <td>dstipfrom</td>
1733 <td>IPV6_ADDR</td>
1734 <td>Start of range of destination IP address</td>
1735 </tr>
1736 <tr>
1737 <td>dstipto</td>
1738 <td>IPV6_ADDR</td>
1739 <td>End of range of destination IP address</td>
1740 </tr>
1742 <tr>
1743 <td>type</td>
1744 <td>UINT16</td>
1745 <td>ICMPv6 type</td>
1746 </tr>
1747 <tr>
1748 <td>code</td>
1749 <td>UINT16</td>
1750 <td>ICMPv6 code</td>
1751 </tr>
1752 <tr>
1753 <td>dscp</td>
1754 <td>UINT8 (0x0-0x3f, 0 - 63)</td>
1755 <td>Differentiated Services Code Point</td>
1756 </tr>
1757 <tr>
1758 <td>comment <span class="since">(Since 0.8.5)</span></td>
1759 <td>STRING</td>
1760 <td>text with max. 256 characters</td>
1761 </tr>
1762 <tr>
1763 <td>state <span class="since">(Since 0.8.5)</span></td>
1764 <td>STRING</td>
1765 <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
1766 </tr>
1767 <tr>
1768 <td>ipset <span class="since">(Since 0.9.13)</span></td>
1769 <td>STRING</td>
1770 <td>The name of an IPSet managed outside of libvirt</td>
1771 </tr>
1772 <tr>
1773 <td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
1774 <td>IPSETFLAGS</td>
1775 <td>flags for the IPSet; requires ipset attribute</td>
1776 </tr>
1777 </table>
1779 <br/><br/>
1780 </p>
1782 <h5><a id="nwfelemsRulesProtoMiscv6">ESP, AH, UDPLITE, 'ALL' over IPv6</a></h5>
1784 Protocol ID: <code>esp-ipv6</code>, <code>ah-ipv6</code>, <code>udplite-ipv6</code>, <code>all-ipv6</code>
1785 <br/>
1786 Note: The chain parameter is ignored for this type of traffic
1787 and should either be omitted or set to <code>root</code>.
1788 </p>
1789 <table class="top_table">
1790 <tr>
1791 <th> Attribute </th>
1792 <th> Datatype </th>
1793 <th> Semantics </th>
1794 </tr>
1795 <tr>
1796 <td>srcmacaddr</td>
1797 <td>MAC_ADDR</td>
1798 <td>MAC address of sender</td>
1799 </tr>
1800 <tr>
1801 <td>srcipaddr</td>
1802 <td>IPV6_ADDR</td>
1803 <td>Source IPv6 address</td>
1804 </tr>
1805 <tr>
1806 <td>srcipmask</td>
1807 <td>IPV6_MASK</td>
1808 <td>Mask applied to source IPv6 address</td>
1809 </tr>
1810 <tr>
1811 <td>dstipaddr</td>
1812 <td>IPV6_ADDR</td>
1813 <td>Destination IPv6 address</td>
1814 </tr>
1815 <tr>
1816 <td>dstipmask</td>
1817 <td>IPV6_MASK</td>
1818 <td>Mask applied to destination IPv6 address</td>
1819 </tr>
1821 <tr>
1822 <td>srcipfrom</td>
1823 <td>IPV6_ADDR</td>
1824 <td>Start of range of source IP address</td>
1825 </tr>
1826 <tr>
1827 <td>srcipto</td>
1828 <td>IPV6_ADDR</td>
1829 <td>End of range of source IP address</td>
1830 </tr>
1831 <tr>
1832 <td>dstipfrom</td>
1833 <td>IPV6_ADDR</td>
1834 <td>Start of range of destination IP address</td>
1835 </tr>
1836 <tr>
1837 <td>dstipto</td>
1838 <td>IPV6_ADDR</td>
1839 <td>End of range of destination IP address</td>
1840 </tr>
1841 <tr>
1842 <td>dscp</td>
1843 <td>UINT8 (0x0-0x3f, 0 - 63)</td>
1844 <td>Differentiated Services Code Point</td>
1845 </tr>
1846 <tr>
1847 <td>comment <span class="since">(Since 0.8.5)</span></td>
1848 <td>STRING</td>
1849 <td>text with max. 256 characters</td>
1850 </tr>
1851 <tr>
1852 <td>state <span class="since">(Since 0.8.5)</span></td>
1853 <td>STRING</td>
1854 <td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
1855 </tr>
1856 <tr>
1857 <td>ipset <span class="since">(Since 0.9.13)</span></td>
1858 <td>STRING</td>
1859 <td>The name of an IPSet managed outside of libvirt</td>
1860 </tr>
1861 <tr>
1862 <td>ipsetflags <span class="since">(Since 0.9.13)</span></td>
1863 <td>IPSETFLAGS</td>
1864 <td>flags for the IPSet; requires ipset attribute</td>
1865 </tr>
1866 </table>
1868 <br/><br/>
1869 </p>
1871 <h3><a id="nwfelemsRulesAdv">Advanced Filter Configuration Topics</a></h3>
1873 The following sections discuss advanced filter configuration
1874 topics.
1875 </p>
1877 <h4><a id="nwfelemsRulesAdvTracking">Connection tracking</a></h4>
1879 The network filtering subsystem (on Linux) makes use of the connection
1880 tracking support of iptables. This helps in enforcing the
1881 directionality of network traffic (state match) as well as
1882 counting and limiting the number of simultaneous connections towards
1883 a VM. As an example, if a VM has TCP port 8080
1884 open as a server, clients may connect to the VM on port 8080.
1885 Connection tracking and enforcement of directionality then prevents
1886 the VM from initiating a connection from
1887 (TCP client) port 8080 to the host back to a remote host.
1888 More importantly, tracking helps to prevent
1889 remote attackers from establishing a connection back to a VM. For example,
1890 if the user inside the VM established a connection to
1891 port 80 on an attacker site, then the attacker will not be able to
1892 initiate a connection from TCP port 80 back towards the VM.
1893 By default the connection state match that enables connection tracking
1894 and then enforcement of directionality of traffic is turned on. <br/>
1895 The following shows an example XML fragment where this feature has been
1896 turned off for incoming connections to TCP port 12345.
1897 </p>
1898 <pre>
1899 [...]
1900 &lt;rule direction='in' action='accept' statematch='false'&gt;
1901 &lt;tcp dstportstart='12345'/&gt;
1902 &lt;/rule&gt;
1903 [...]
1904 </pre>
1906 This now allows incoming traffic to TCP port 12345, but would also
1907 enable the initiation from (client) TCP port 12345 within the VM,
1908 which may or may not be desirable.
1909 </p>
1911 <h4><a id="nwfelemsRulesAdvLimiting">Limiting Number of Connections</a></h4>
1913 To limit the number of connections a VM may establish, a rule must
1914 be provided that sets a limit of connections for a given
1915 type of traffic. If for example a VM
1916 is supposed to be allowed to only ping one other IP address at a time
1917 and is supposed to have only one active incoming ssh connection at a
1918 time, the following XML fragment can be used to achieve this.
1919 </p>
1920 <pre>
1921 [...]
1922 &lt;rule action='drop' direction='in' priority='400'&gt;
1923 &lt;tcp connlimit-above='1'/&gt;
1924 &lt;/rule&gt;
1925 &lt;rule action='accept' direction='in' priority='500'&gt;
1926 &lt;tcp dstportstart='22'/&gt;
1927 &lt;/rule&gt;
1928 &lt;rule action='drop' direction='out' priority='400'&gt;
1929 &lt;icmp connlimit-above='1'/&gt;
1930 &lt;/rule&gt;
1931 &lt;rule action='accept' direction='out' priority='500'&gt;
1932 &lt;icmp/&gt;
1933 &lt;/rule&gt;
1934 &lt;rule action='accept' direction='out' priority='500'&gt;
1935 &lt;udp dstportstart='53'/&gt;
1936 &lt;/rule&gt;
1937 &lt;rule action='drop' direction='inout' priority='1000'&gt;
1938 &lt;all/&gt;
1939 &lt;/rule&gt;
1940 [...]
1941 </pre>
1943 Note that the rule for the limit has to logically appear
1944 before the rule for accepting the traffic.<br/>
1945 An additional rule for letting DNS traffic to port 22
1946 go out the VM has been added to avoid ssh sessions not
1947 getting established for reasons related to DNS lookup failures
1948 by the ssh daemon. Leaving this rule out may otherwise lead to
1949 fun-filled debugging joy (symptom: ssh client seems to hang
1950 while trying to connect).
1951 <br/><br/>
1952 Lot of care must be taken with timeouts related
1953 to tracking of traffic. An ICMP ping that
1954 the user may have terminated inside the VM may have a long
1955 timeout in the host's connection tracking system and therefore
1956 not allow another ICMP ping to go through for a while. Therefore,
1957 the timeouts have to be tuned in the host's sysfs, i.e.,
1958 </p>
1960 <pre>
1961 echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
1962 </pre>
1964 sets the ICMP connection tracking timeout to 3 seconds. The
1965 effect of this is that once one ping is terminated, another
1966 one can start after 3 seconds.<br/>
1967 Further, we want to point out that a client that for whatever
1968 reason has not properly closed a TCP connection may cause a
1969 connection to be held open for a longer period of time,
1970 depending to what timeout the <code>TCP established</code> state
1971 timeout has been set to on the host. Also, idle connections may time
1972 out in the connection tracking system but can be reactivated once
1973 packets are exchanged. However, a newly initiated connection may force
1974 an idle connection into TCP backoff if the number of allowed connections
1975 is set to a too low limit, the new connection is established
1976 and hits (not exceeds) the limit of allowed connections and for
1977 example a key is pressed on the old ssh session, which now has become
1978 unresponsive due to its traffic being dropped.
1979 Therefore, the limit of connections should be rather high so that
1980 fluctuations in new TCP connections don't cause odd
1981 traffic behavior in relation to idle connections.
1982 </p>
1984 <h2><a id="nwfcli">Command line tools</a></h2>
1986 The libvirt command line tool <code>virsh</code> has been extended
1987 with life-cycle support for network filters. All commands related
1988 to the network filtering subsystem start with the prefix
1989 <code>nwfilter</code>. The following commands are available:
1990 </p>
1991 <ul>
1992 <li>nwfilter-list : list UUIDs and names of all network filters</li>
1993 <li>nwfilter-define : define a new network filter or update an existing one</li>
1994 <li>nwfilter-undefine : delete a network filter given its name; it must not be currently in use</li>
1995 <li>nwfilter-dumpxml : display a network filter given its name</li>
1996 <li>nwfilter-edit : edit a network filter given its name</li>
1997 </ul>
1999 <h2><a id="nwfexamples">Pre-existing network filters</a></h2>
2001 The following is a list of example network filters that are
2002 automatically installed with libvirt.</p>
2003 <table class="top_table">
2004 <tr>
2005 <th> Name </th>
2006 <th> Description </th>
2007 </tr>
2008 <tr>
2009 <td> no-arp-spoofing </td>
2010 <td> Prevent a VM from spoofing ARP traffic; this filter
2011 only allows ARP request and reply messages and enforces
2012 that those packets contain the MAC and IP addresses
2013 of the VM.</td>
2014 </tr>
2015 <tr>
2016 <td> allow-dhcp </td>
2017 <td> Allow a VM to request an IP address via DHCP (from any
2018 DHCP server)</td>
2019 </tr>
2020 <tr>
2021 <td> allow-dhcp-server </td>
2022 <td> Allow a VM to request an IP address from a specified
2023 DHCP server. The dotted decimal IP address of the DHCP
2024 server must be provided in a reference to this filter.
2025 The name of the variable must be <i>DHCPSERVER</i>.</td>
2026 </tr>
2027 <tr>
2028 <td> no-ip-spoofing </td>
2029 <td> Prevent a VM from sending of IP packets with
2030 a source IP address different from the one
2031 in the packet. </td>
2032 </tr>
2033 <tr>
2034 <td> no-ip-multicast </td>
2035 <td> Prevent a VM from sending IP multicast packets. </td>
2036 </tr>
2037 <tr>
2038 <td> clean-traffic </td>
2039 <td> Prevent MAC, IP and ARP spoofing. This filter references
2040 several other filters as building blocks. </td>
2041 </tr>
2042 </table>
2044 Note that most of the above filters are only building blocks and
2045 require a combination with other filters to provide useful network
2046 traffic filtering.
2047 The most useful one in the above list is the <i>clean-traffic</i>
2048 filter. This filter itself can for example be combined with the
2049 <i>no-ip-multicast</i>
2050 filter to prevent virtual machines from sending IP multicast traffic
2051 on top of the prevention of packet spoofing.
2052 </p>
2054 <h2><a id="nwfwrite">Writing your own filters</a></h2>
2057 Since libvirt only provides a couple of example networking filters, you
2058 may consider writing your own. When planning on doing so
2059 there are a couple of things
2060 you may need to know regarding the network filtering subsystem and how
2061 it works internally. Certainly you also have to know and understand
2062 the protocols very well that you want to be filtering on so that
2063 no further traffic than what you want can pass and that in fact the
2064 traffic you want to allow does pass.
2065 <br/><br/>
2066 The network filtering subsystem is currently only available on
2067 Linux hosts and only works for QEMU and KVM type of virtual machines.
2068 On Linux
2069 it builds upon the support for <code>ebtables</code>, <code>iptables
2070 </code> and <code>ip6tables</code> and makes use of their features.
2071 From the above list of supported protocols the following ones are
2072 implemented using <code>ebtables</code>:
2073 </p>
2074 <ul>
2075 <li>mac</li>
2076 <li>stp (spanning tree protocol)</li>
2077 <li>vlan (802.1Q)</li>
2078 <li>arp, rarp</li>
2079 <li>ipv4</li>
2080 <li>ipv6</li>
2081 </ul>
2084 All other protocols over IPv4 are supported using iptables, those over
2085 IPv6 are implemented using ip6tables.
2086 <br/><br/>
2087 On a Linux host, all traffic filtering instantiated by libvirt's network
2088 filter subsystem first passes through the filtering support implemented
2089 by ebtables and only then through iptables or ip6tables filters. If
2090 a filter tree has rules with the protocols <code>mac</code>,
2091 <code>stp</code>, <code>vlan</code>
2092 <code>arp</code>, <code>rarp</code>, <code>ipv4</code>,
2093 or <code>ipv6</code> ebtables rules will automatically be instantiated.
2094 <br/>
2095 The role of the <code>chain</code> attribute in the network filter
2096 XML is that internally a new user-defined ebtables table is created
2097 that then for example receives all <code>arp</code> traffic coming
2098 from or going to a virtual machine if the chain <code>arp</code>
2099 has been specified. Further, a rule is generated in an interface's
2100 <code>root</code> chain that directs all ipv4 traffic into the
2101 user-defined chain. Therefore, all ARP traffic rules should then be
2102 placed into filters specifying this chain. This type of branching
2103 into user-defined tables is only supported with filtering on the ebtables
2104 layer.
2105 <br/>
2106 <span class="since">Since 0.9.8</span> multiple chains for the same
2107 protocol can be created. For this the name of the chain must have
2108 a prefix of one of the previously enumerated protocols. To create an
2109 additional chain for handling of ARP traffic, a chain with name
2110 <code>arp-test</code> can be specified.
2111 <br/>
2112 As an example, it is
2113 possible to filter on UDP traffic by source and destination ports using
2114 the <code>ip</code> protocol filter and specifying attributes for the
2115 protocol, source and destination IP addresses and ports of UDP packets
2116 that are to be accepted. This allows
2117 early filtering of UDP traffic with ebtables. However, once an IP or IPv6
2118 packet, such as a UDP packet,
2119 has passed the ebtables layer and there is at least one rule in a filter
2120 tree that instantiates iptables or ip6tables rules, a rule to let
2121 the UDP packet pass will also be necessary to be provided for those
2122 filtering layers. This can be
2123 achieved with a rule containing an appropriate <code>udp</code> or
2124 <code>udp-ipv6</code> traffic filtering node.
2125 </p>
2127 <h3><a id="nwfwriteexample">Example custom filter</a></h3>
2129 As an example we want to now build a filter that fulfills the following
2130 list of requirements:
2131 </p>
2132 <ul>
2133 <li>prevents a VM's interface from MAC, IP and ARP spoofing</li>
2134 <li>opens only TCP ports 22 and 80 of a VM's interface</li>
2135 <li>allows the VM to send ping traffic from an interface
2136 but not let the VM be pinged on the interface</li>
2137 <li>allows the VM to do DNS lookups (UDP towards port 53)</li>
2138 </ul>
2140 The requirement to prevent spoofing is fulfilled by the existing
2141 <code>clean-traffic</code> network filter, thus we will reference this
2142 filter from our custom filter.
2143 <br/>
2144 To enable traffic for TCP ports 22 and 80 we will add 2 rules to
2145 enable this type of traffic. To allow the VM to send ping traffic
2146 we will add a rule for ICMP traffic. For simplicity reasons
2147 we allow general ICMP traffic to be initiated from the VM, not
2148 just ICMP echo request and response messages. To then
2149 disallow all other traffic to reach or be initiated by the
2150 VM we will then need to add a rule that drops all other traffic.
2151 Assuming our VM is called <i>test</i> and
2152 the interface we want to associate our filter with is called <i>eth0</i>,
2153 we name our filter <i>test-eth0</i>.
2154 The result of these considerations is the following network filter XML:
2155 </p>
2156 <pre>
2157 &lt;filter name='test-eth0'&gt;
2158 &lt;!-- reference the clean traffic filter to prevent
2159 MAC, IP and ARP spoofing. By not providing
2160 and IP address parameter, libvirt will detect the
2161 IP address the VM is using. --&gt;
2162 &lt;filterref filter='clean-traffic'/&gt;
2164 &lt;!-- enable TCP ports 22 (ssh) and 80 (http) to be reachable --&gt;
2165 &lt;rule action='accept' direction='in'&gt;
2166 &lt;tcp dstportstart='22'/&gt;
2167 &lt;/rule&gt;
2169 &lt;rule action='accept' direction='in'&gt;
2170 &lt;tcp dstportstart='80'/&gt;
2171 &lt;/rule&gt;
2173 &lt;!-- enable general ICMP traffic to be initiated by the VM;
2174 this includes ping traffic --&gt;
2175 &lt;rule action='accept' direction='out'&gt;
2176 &lt;icmp/&gt;
2177 &lt;/rule&gt;
2179 &lt;!-- enable outgoing DNS lookups using UDP --&gt;
2180 &lt;rule action='accept' direction='out'&gt;
2181 &lt;udp dstportstart='53'/&gt;
2182 &lt;/rule&gt;
2184 &lt;!-- drop all other traffic --&gt;
2185 &lt;rule action='drop' direction='inout'&gt;
2186 &lt;all/&gt;
2187 &lt;/rule&gt;
2189 &lt;/filter&gt;
2190 </pre>
2192 Note that none of the rules in the above XML contain the
2193 IP address of the VM as either source or destination address, yet
2194 the filtering of the traffic works correctly. The reason is that
2195 the evaluation of the rules internally happens on a
2196 per-interface basis and the rules are evaluated based on the knowledge
2197 about which (tap) interface has sent or will receive the packet rather
2198 than what their source or destination IP address may be.
2199 <br/><br/>
2200 An XML fragment for a possible network interface description inside
2201 the domain XML of the <code>test</code> VM could then look like this:
2202 </p>
2203 <pre>
2204 [...]
2205 &lt;interface type='bridge'&gt;
2206 &lt;source bridge='mybridge'/&gt;
2207 &lt;filterref filter='test-eth0'/&gt;
2208 &lt;/interface&gt;
2209 [...]
2210 </pre>
2213 To more strictly control the ICMP traffic and enforce that only
2214 ICMP echo requests can be sent from the VM
2215 and only ICMP echo responses be received by the VM, the above
2216 <code>ICMP</code> rule can be replaced with the following two rules:
2217 </p>
2218 <pre>
2219 &lt;!-- enable outgoing ICMP echo requests--&gt;
2220 &lt;rule action='accept' direction='out'&gt;
2221 &lt;icmp type='8'/&gt;
2222 &lt;/rule&gt;
2224 &lt;!-- enable incoming ICMP echo replies--&gt;
2225 &lt;rule action='accept' direction='in'&gt;
2226 &lt;icmp type='0'/&gt;
2227 &lt;/rule&gt;
2228 </pre>
2230 <h3><a id="nwfwriteexample2nd">Second example custom filter</a></h3>
2232 In this example we now want to build a similar filter as in the
2233 example above, but extend the list of requirements with an
2234 ftp server located inside the VM. Further, we will be using features
2235 that have been added in <span class="since">version 0.8.5</span>.
2236 The requirements for this filter are:
2237 </p>
2238 <ul>
2239 <li>prevents a VM's interface from MAC, IP and ARP spoofing</li>
2240 <li>opens only TCP ports 22 and 80 of a VM's interface</li>
2241 <li>allows the VM to send ping traffic from an interface
2242 but not let the VM be pinged on the interface</li>
2243 <li>allows the VM to do DNS lookups (UDP towards port 53)</li>
2244 <li>enable an ftp server (in active mode) to be run inside the VM</li>
2245 </ul>
2247 The additional requirement of allowing an ftp server to be run inside
2248 the VM maps into the requirement of allowing port 21 to be reachable
2249 for ftp control traffic as well as enabling the VM to establish an
2250 outgoing tcp connection originating from the VM's TCP port 20 back to
2251 the ftp client (ftp active mode). There are several ways of how this
2252 filter can be written and we present 2 solutions.
2253 <br/><br/>
2254 The 1st solution makes use of the <code>state</code> attribute of
2255 the TCP protocol that gives us a hook into the connection tracking
2256 framework of the Linux host. For the VM-initiated ftp data connection
2257 (ftp active mode) we use the <code>RELATED</code> state that allows
2258 us to detect that the VM-initiated ftp data connection is a consequence of
2259 ( or 'has a relationship with' ) an existing ftp control connection,
2260 thus we want to allow it to let packets
2261 pass the firewall. The <code>RELATED</code> state, however, is only
2262 valid for the very first packet of the outgoing TCP connection for the
2263 ftp data path. Afterwards, the state to compare against is
2264 <code>ESTABLISHED</code>, which then applies equally
2265 to the incoming and outgoing direction. All this is related to the ftp
2266 data traffic originating from TCP port 20 of the VM. This then leads to
2267 the following solution
2268 <span class="since">(since 0.8.5 (QEMU, KVM))</span>:
2269 </p>
2270 <pre>
2271 &lt;filter name='test-eth0'&gt;
2272 &lt;!-- reference the clean traffic filter to prevent
2273 MAC, IP and ARP spoofing. By not providing
2274 and IP address parameter, libvirt will detect the
2275 IP address the VM is using. --&gt;
2276 &lt;filterref filter='clean-traffic'/&gt;
2278 &lt;!-- enable TCP port 21 (ftp-control) to be reachable --&gt;
2279 &lt;rule action='accept' direction='in'&gt;
2280 &lt;tcp dstportstart='21'/&gt;
2281 &lt;/rule&gt;
2283 &lt;!-- enable TCP port 20 for VM-initiated ftp data connection
2284 related to an existing ftp control connection --&gt;
2285 &lt;rule action='accept' direction='out'&gt;
2286 &lt;tcp srcportstart='20' state='RELATED,ESTABLISHED'/&gt;
2287 &lt;/rule&gt;
2289 &lt;!-- accept all packets from client on the ftp data connection --&gt;
2290 &lt;rule action='accept' direction='in'&gt;
2291 &lt;tcp dstportstart='20' state='ESTABLISHED'/&gt;
2292 &lt;/rule&gt;
2294 &lt;!-- enable TCP ports 22 (ssh) and 80 (http) to be reachable --&gt;
2295 &lt;rule action='accept' direction='in'&gt;
2296 &lt;tcp dstportstart='22'/&gt;
2297 &lt;/rule&gt;
2299 &lt;rule action='accept' direction='in'&gt;
2300 &lt;tcp dstportstart='80'/&gt;
2301 &lt;/rule&gt;
2303 &lt;!-- enable general ICMP traffic to be initiated by the VM;
2304 this includes ping traffic --&gt;
2305 &lt;rule action='accept' direction='out'&gt;
2306 &lt;icmp/&gt;
2307 &lt;/rule&gt;
2309 &lt;!-- enable outgoing DNS lookups using UDP --&gt;
2310 &lt;rule action='accept' direction='out'&gt;
2311 &lt;udp dstportstart='53'/&gt;
2312 &lt;/rule&gt;
2314 &lt;!-- drop all other traffic --&gt;
2315 &lt;rule action='drop' direction='inout'&gt;
2316 &lt;all/&gt;
2317 &lt;/rule&gt;
2319 &lt;/filter&gt;
2320 </pre>
2322 Before trying out a filter using the <code>RELATED</code> state,
2323 you have to make sure that the appropriate connection tracking module
2324 has been loaded into the host's kernel. Depending on the version of the
2325 kernel, you must run either one of the following two commands before
2326 the ftp connection with the VM is established.
2327 </p>
2328 <pre>
2329 modprobe nf_conntrack_ftp # where available or
2331 modprobe ip_conntrack_ftp # if above is not available
2332 </pre>
2334 If other protocols than ftp are to be used in conjunction with the
2335 <code>RELATED</code> state, their corresponding module must be loaded.
2336 Modules exist at least for the protocols ftp, tftp, irc, sip,
2337 sctp, and amanda.
2338 </p>
2340 The 2nd solution makes uses the state flags of connections more
2341 than the previous solution did.
2342 In this solution we take advantage of the fact that the
2343 <code>NEW</code> state of a connection is valid when the very
2344 first packet of a traffic flow is seen. Subsequently, if the very first
2345 packet of a flow is accepted, the flow becomes a connection and enters
2346 the <code>ESTABLISHED</code> state. This allows us to write a general
2347 rule for allowing packets of <code>ESTABLISHED</code> connections to
2348 reach the VM or be sent by the VM.
2349 We write specific rules for the very first packets identified by the
2350 <code>NEW</code> state and for which ports they are acceptable. All
2351 packets for ports that are not explicitly accepted will be dropped and
2352 therefore the connection will not go into the <code>ESTABLISHED</code>
2353 state and any subsequent packets be dropped.
2354 </p>
2356 <pre>
2357 &lt;filter name='test-eth0'&gt;
2358 &lt;!-- reference the clean traffic filter to prevent
2359 MAC, IP and ARP spoofing. By not providing
2360 and IP address parameter, libvirt will detect the
2361 IP address the VM is using. --&gt;
2362 &lt;filterref filter='clean-traffic'/&gt;
2364 &lt;!-- let the packets of all previously accepted connections reach the VM --&gt;
2365 &lt;rule action='accept' direction='in'&gt;
2366 &lt;all state='ESTABLISHED'/&gt;
2367 &lt;/rule&gt;
2369 &lt;!-- let the packets of all previously accepted and related connections be sent from the VM --&gt;
2370 &lt;rule action='accept' direction='out'&gt;
2371 &lt;all state='ESTABLISHED,RELATED'/&gt;
2372 &lt;/rule&gt;
2374 &lt;!-- enable traffic towards port 21 (ftp), 22 (ssh) and 80 (http) --&gt;
2375 &lt;rule action='accept' direction='in'&gt;
2376 &lt;tcp dstportstart='21' dstportend='22' state='NEW'/&gt;
2377 &lt;/rule&gt;
2379 &lt;rule action='accept' direction='in'&gt;
2380 &lt;tcp dstportstart='80' state='NEW'/&gt;
2381 &lt;/rule&gt;
2383 &lt;!-- enable general ICMP traffic to be initiated by the VM;
2384 this includes ping traffic --&gt;
2385 &lt;rule action='accept' direction='out'&gt;
2386 &lt;icmp state='NEW'/&gt;
2387 &lt;/rule&gt;
2389 &lt;!-- enable outgoing DNS lookups using UDP --&gt;
2390 &lt;rule action='accept' direction='out'&gt;
2391 &lt;udp dstportstart='53' state='NEW'/&gt;
2392 &lt;/rule&gt;
2394 &lt;!-- drop all other traffic --&gt;
2395 &lt;rule action='drop' direction='inout'&gt;
2396 &lt;all/&gt;
2397 &lt;/rule&gt;
2399 &lt;/filter&gt;
2401 </pre>
2403 <h2><a id="nwflimits">Limitations</a></h2>
2405 The following sections list (current) limitations of the network
2406 filtering subsystem.
2407 </p>
2409 <h3><a id="nwflimitsmigr">VM Migration</a></h3>
2411 VM migration is only supported if the whole filter tree
2412 that is referenced by a virtual machine's top level filter
2413 is also available on the target host. The network filter
2414 <i>clean-traffic</i>
2415 for example should be available on all libvirt installations
2416 of version 0.8.1 or later and thus enable migration of VMs that
2417 for example reference this filter. All other
2418 custom filters must be migrated using higher layer software. It is
2419 outside the scope of libvirt to ensure that referenced filters
2420 on the source system are equivalent to those on the target system
2421 and vice versa.
2422 <br/><br/>
2423 Migration must occur between libvirt installations of version
2424 0.8.1 or later in order not to lose the network traffic filters
2425 associated with an interface.
2426 </p>
2427 <h3><a id="nwflimitsvlan">VLAN filtering on Linux</a></h3>
2429 VLAN (802.1Q) packets, if sent by a virtual machine, cannot be filtered
2430 with rules for protocol IDs <code>arp</code>, <code>rarp</code>,
2431 <code>ipv4</code> and <code>ipv6</code> but only
2432 with protocol IDs <code>mac</code> and <code>vlan</code>. Therefore,
2433 the example filter <code>clean-traffic</code> will not work as expected.
2434 </p>
2435 </body>
2436 </html>