From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Malina Salina
Date: Fri, 27 Sep 2019 17:16:55 +0100
Message-Id: <20190927161655.7101-1-berrange@redhat.com>
Subject: [libvirt] [PATCH] network: allow DHCP/DNS/TFTP explicitly in OUTPUT rules
From: Malina Salina

While the default iptables setup used by Fedora/RHEL distros only restricts traffic on the INPUT and/or FORWARD rules, some users might have custom firewalls that restrict the OUTPUT rules too. These can prevent DHCP/DNS/TFTP responses from dnsmasq from reaching the guest VMs. We should thus whitelist these protocols in the OUTPUT chain, as well as the INPUT chain.

Signed-off-by: Malina Salina

Initial patch then modified to add unit tests and IPv6 support

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Michal Privoznik
---
 src/libvirt_private.syms          |  2 +
 src/network/bridge_driver_linux.c | 29 ++++++++++---
 src/util/viriptables.c            | 36 ++++++++++++++++
 src/util/viriptables.h            |  8 ++++
 .../nat-default-linux.args        | 21 ++++++++++
 .../nat-ipv6-linux.args           | 42 +++++++++++++++++++
 .../nat-many-ips-linux.args       | 21 ++++++++++
 .../nat-no-dhcp-linux.args        | 42 +++++++++++++++++++
 .../nat-tftp-linux.args           | 28 +++++++++++++
 .../route-default-linux.args      | 21 ++++++++++
 10 files changed, 244 insertions(+), 6 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 7b681fac64..83b97af364 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2186,6 +2186,7 @@ iptablesAddForwardRejectIn; iptablesAddForwardRejectOut; iptablesAddOutputFixUdpChecksum; iptablesAddTcpInput; +iptablesAddTcpOutput; iptablesAddUdpInput; iptablesAddUdpOutput; iptablesRemoveDontMasquerade; @@ -2198,6 +2199,7 @@ iptablesRemoveForwardRejectIn; iptablesRemoveForwardRejectOut; iptablesRemoveOutputFixUdpChecksum; iptablesRemoveTcpInput; +iptablesRemoveTcpOutput; iptablesRemoveUdpInput; iptablesRemoveUdpOutput; iptablesSetDeletePrivate; diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 35459c10d1..0b6ff45b17 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -553,18 +553,23 @@ networkAddGeneralIPv4FirewallRules(virFirewallPtr fw, break; } =20 - /* allow DHCP requests through to dnsmasq */ + /* allow DHCP requests through to dnsmasq & back out */ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); + iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); =20 - /* allow DNS requests through to dnsmasq */ + /* allow DNS requests through to dnsmasq & back out */ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); =20 - /* allow TFTP requests through to dnsmasq if necessary */ - if (ipv4def && ipv4def->tftproot) + /* allow TFTP requests through to dnsmasq if necessary & back out*/ + if (ipv4def && ipv4def->tftproot) { iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); + } =20 /* Catch all rules to block forwarding to/from bridges */ iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); 
@@ -592,13 +597,18 @@ networkRemoveGeneralIPv4FirewallRules(virFirewallPtr = fw, iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge= ); iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridg= e); =20 - if (ipv4def && ipv4def->tftproot) + if (ipv4def && ipv4def->tftproot) { iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 6= 9); + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, = 69); + } =20 iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); + iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53); =20 iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); + iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68); iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); } @@ -626,10 +636,14 @@ networkAddGeneralIPv6FirewallRules(virFirewallPtr fw, iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); =20 if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { - /* allow DNS over IPv6 */ + /* allow DNS over IPv6 & back out */ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesAddTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); + /* allow DHCPv6 & back out */ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); + iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546= ); } } =20 
@@ -643,7 +657,10 @@ networkRemoveGeneralIPv6FirewallRules(virFirewallPtr f= w, } =20 if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 546); iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 47); + iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 53); + iptablesRemoveTcpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, = 53); iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 3); iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 5= 3); } diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 0e3c0ad73a..46d0c3df7a 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -303,6 +303,42 @@ iptablesRemoveUdpInput(virFirewallPtr fw, iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0); } =20 +/** + * iptablesAddTcpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the TCP port to add + * + * Add an output to the IP table allowing access to the given @port from + * the given @iface interface for TCP packets + */ +void +iptablesAddTcpOutput(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, true, iface, port, ADD, 1); +} + +/** + * iptablesRemoveTcpOutput: + * @ctx: pointer to the IP table context + * @iface: the interface name + * @port: the UDP port to remove + * + * Removes an output from the IP table, hence forbidding access to the giv= en + * @port from the given @iface interface for TCP packets + */ +void +iptablesRemoveTcpOutput(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int port) +{ + iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 1); +} + /** * iptablesAddUdpOutput: * @ctx: pointer to the IP table context diff --git a/src/util/viriptables.h b/src/util/viriptables.h index feea988acd..07b4851013 100644 --- a/src/util/viriptables.h 
+++ b/src/util/viriptables.h @@ -45,6 +45,14 @@ void iptablesRemoveUdpInput (virFir= ewallPtr fw, const char *iface, int port); =20 +void iptablesAddTcpOutput (virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int port); +void iptablesRemoveTcpOutput (virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int port); void iptablesAddUdpOutput (virFirewallPtr fw, virFirewallLayer layer, const char *iface, diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.args index c9d523d043..ab18f30bd0 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args @@ -16,6 +16,13 @@ iptables \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT @@ -35,6 +42,20 @@ iptables \ --jump ACCEPT iptables \ --table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.args index a57b9266af..05d9ee33ca 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args @@ -16,6 +16,13 @@ iptables \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT 
@@ -35,6 +42,20 @@ iptables \ --jump ACCEPT iptables \ --table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT @@ -81,11 +102,32 @@ ip6tables \ --jump ACCEPT ip6tables \ --table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +--table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT iptables \ --table filter \ --insert LIBVIRT_FWO \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.args index 1bdc43fd6a..82e1380f51 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args @@ -16,6 +16,13 @@ iptables \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT 
@@ -35,6 +42,20 @@ iptables \ --jump ACCEPT iptables \ --table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.args index 7d359f3824..8954cc5473 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args @@ -16,6 +16,13 @@ iptables \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT @@ -35,6 +42,20 @@ iptables \ --jump ACCEPT iptables \ --table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT 
@@ -81,11 +102,32 @@ ip6tables \ --jump ACCEPT ip6tables \ --table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +--table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT +ip6tables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT iptables \ --table filter \ --insert LIBVIRT_FWO \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.args index b721801b70..88e9929b62 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args @@ -16,6 +16,13 @@ iptables \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT @@ -35,6 +42,20 @@ iptables \ --jump ACCEPT iptables \ --table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ @@ -42,6 +63,13 @@ iptables \ --jump ACCEPT iptables \ --table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 69 \ +--jump ACCEPT +iptables \ +--table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT 
diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.args index ed3c560f74..c427d9602d 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args @@ -16,6 +16,13 @@ iptables \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT @@ -35,6 +42,20 @@ iptables \ --jump ACCEPT iptables \ --table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +--table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT
-- 
2.21.0
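Review bot: In the networkAddGeneralIPv4FirewallRules hunk of bridge_driver_linux.c, the new port 53 and port 69 OUTPUT rules do not match the dnsmasq responses the commit message wants to let through. The expected test args show these rules as `--insert LIBVIRT_OUT --out-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT` (and the same for tcp/53 and udp/69), but a DNS reply from dnsmasq has source port 53 and the guest's ephemeral query port as destination, and a TFTP server answers from a fresh ephemeral port to the client's port, so a destination-port match on 53 or 69 only covers host-originated requests to a resolver or TFTP server running inside the guest. To cover the replies, match `--source-port 53` / `--source-port 69` (or accept ESTABLISHED,RELATED conntrack state) in LIBVIRT_OUT instead. The DHCP rule is the exception and is correct as written, because a DHCP server does send to fixed client port 68; the same distinction applies to the IPv6 hunk, where the udp/546 DHCPv6 rule is right but the port 53 rules have the issue above. Minor style point in the same hunk: `& back out*/` is missing the space before `*/` that the DHCP and DNS comments have.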
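Review bot: In the viriptables.c hunk, the doc comment for iptablesRemoveTcpOutput says `@port: the UDP port to remove` although this is the TCP variant; suggest `@port: the TCP port to remove`. Both new comments also document `@ctx` while the first parameter is `fw`, and neither documents `@layer`; that copies the existing iptablesAddUdpOutput comment visible in the context lines, so it can be a separate cleanup, but new text is a good place to get it right.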
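Review bot: In the nat-no-dhcp-linux.args hunk, a network with no DHCP configured still gains a tcp/68 OUTPUT accept on top of the pre-existing udp/68 one, because the DHCP rules in networkAddGeneralIPv4FirewallRules are added unconditionally while the TFTP rule is gated on `ipv4def->tftproot`. This is not a regression, since the udp/68 and tcp/udp 67 rules already behaved that way, but gating the DHCP block the same way as TFTP would keep the host's OUTPUT whitelist minimal on networks that do not serve DHCP; if that is left for later, the expected output here is consistent with the code.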