
Re: filter network traffic of KVM guests.


On Fri, May 18, 2018 at 10:47:11AM +1200, Richard Hector wrote:
> On 18/05/18 08:11, Reco wrote:
> >> I read it's deprecated to use iptables on a linux bridge. [1]
> > Yup, you should not.
> Interesting, I wasn't aware of that.

dmesg(1) has this to say:

bridge: filtering via arp/ip/ip6tables is no longer available by
default. Update your scripts to load br_netfilter if you need this.

That's on stock Debian kernel version 4.9.
I tell you, reading logs leads to interesting discoveries sometimes ;).

> Does that just apply to running iptables on the host?

No. You need to have Linux bridge configured, and you need to apply at
least one netfilter rule to one of the bridge's slave interfaces. That's
when things start breaking.

> Or should I also not run it in the vm (eg on a rented VPS, where I
> assume the net device is backed by a bridge)?

You're safe ☺. Nobody's taking away your ability to configure netfilter
*inside* the VPS; that was working, and that will work. Your VPS
provider, on the other hand, may have a huge headache.

> Presumably if it causes a security hole, I shouldn't be _able_ to run it
> in the VM?

No, it's not like that. For netfilter/iptables rules to apply, every
packet that traverses the bridge should register in several netfilter hooks
(parts of kernel code).

Either upstream is trying to unify the existing netfilter_ip4,
netfilter_ipv6, netfilter_arp and whatever that thing is called that's
utilized by ebtables. Currently these are four copy-pasted parts of

Or they are aiming at performance gains - it's more or less common
knowledge that you don't use the Linux kernel's IP stack starting at
40Gbps, you bypass it as it's faster.
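As an added example (not part of this thread), a POSIX shell check a host admin can run to see whether iptables rules are actually being applied to frames crossing a Linux bridge. It assumes only the standard /proc/modules list and the bridge-nf-call-* sysctls that br_netfilter registers under /proc/sys/net/bridge; the optional root-directory argument exists so it can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether netfilter
# rules can see traffic crossing a Linux bridge. The optional first argument
# is a filesystem root (default "/"), so the check can run against a
# constructed /proc tree as well as the live system.

# Return 0 if br_netfilter is present (loaded module, or built in and
# therefore already registered its sysctls), 1 otherwise.
br_netfilter_loaded() {
    root="${1:-}"
    if grep -q '^br_netfilter ' "$root/proc/modules" 2>/dev/null; then
        return 0
    fi
    # Assumption: a built-in br_netfilter still creates this directory.
    [ -d "$root/proc/sys/net/bridge" ]
}

# Print "iptables=<v> ip6tables=<v> arptables=<v>": whether each hook family
# is called for bridged frames (1), skipped (0), or absent ("-").
bridge_nf_calls() {
    root="${1:-}"
    out=""
    for fam in iptables ip6tables arptables; do
        f="$root/proc/sys/net/bridge/bridge-nf-call-$fam"
        if [ -r "$f" ]; then v=$(cat "$f"); else v="-"; fi
        out="$out$fam=$v "
    done
    printf '%s\n' "${out% }"
}

# One summary line. Bridged IPv4 traffic is filtered by iptables only if the
# module is present AND bridge-nf-call-iptables is 1; exit 1 otherwise.
bridge_filtering_state() {
    root="${1:-}"
    if ! br_netfilter_loaded "$root"; then
        echo "unfiltered: br_netfilter not loaded (modprobe br_netfilter)"
        return 1
    fi
    calls=$(bridge_nf_calls "$root")
    if [ "$(cat "$root/proc/sys/net/bridge/bridge-nf-call-iptables" 2>/dev/null)" = "1" ]; then
        echo "filtered: $calls"
    else
        echo "unfiltered: $calls"
        return 1
    fi
}

# Report on the live system when run directly; the if-wrapper keeps an
# "unfiltered" result from aborting a caller that runs under set -e.
if bridge_filtering_state "${BRIDGE_CHECK_ROOT:-}"; then :; fi
```

On a host that prints the dmesg line quoted above, "unfiltered: br_netfilter not loaded" is the expected result until the module is loaded; the sysctl values then decide which families of rules are consulted.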

