[Pkg-libvirt-maintainers] Bug#902561: libvirt-daemon: libvirt injects rules into iptables that disable packet filtering

Mikulas Patocka mikulas at twibright.com
Wed Jun 27 22:20:44 BST 2018


Package: libvirt-daemon
Version: 3.0.0-4+deb9u3
Severity: normal

Dear Maintainer,

   * What led up to the situation?

I set up a routed network for virtual machines with this configuration:

<network>
  <name>default</name>
  <uuid>eabed2d7-13e3-4bde-a812-f6bb6ce881a6</uuid>
  <forward mode='route'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:9c:a3:fc'/>
  <ip address='192.168.208.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.208.128' end='192.168.208.254'/>
    </dhcp>
  </ip>
</network>


   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I start the virtual network with this command:
# virsh net-start default

   * What was the outcome of this action?

libvirt adds these rules to the beginning of the FORWARD chain.
This completely bypasses any pre-existing rules and makes it impossible
to do packet filtering for virtual machines.
-A FORWARD -d 192.168.208.0/24 -o virbr0 -j ACCEPT
-A FORWARD -s 192.168.208.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

   * What outcome did you expect instead?

Either the rules should not be added at all - or they should be added at
the end of the FORWARD chain, so that they will not bypass existing
rules and allow network filtering for virtual machines.

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armel, armhf

Kernel: Linux 4.17.2 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libvirt-daemon depends on:
ii  libapparmor1        2.11.0-3+deb9u2
ii  libaudit1           1:2.6.7-2
ii  libavahi-client3    0.6.32-2
ii  libavahi-common3    0.6.32-2
ii  libblkid1           2.29.2-1+deb9u1
ii  libc6               2.24-11+deb9u3
ii  libcap-ng0          0.7.7-3+b1
ii  libdbus-1-3         1.10.26-0+deb9u1
ii  libdevmapper1.02.1  2:1.02.137-2
ii  libfuse2            2.9.7-1
ii  libgnutls30         3.5.8-5+deb9u3
ii  libnetcf1           1:0.2.8-1+b2
ii  libnl-3-200         3.2.27-2
ii  libnl-route-3-200   3.2.27-2
ii  libnuma1            2.0.11-2.1
ii  libparted2          3.2-17
ii  libpcap0.8          1.8.1-3
ii  libpciaccess0       0.13.4-1+b2
ii  librados2           10.2.5-7.2
ii  librbd1             10.2.5-7.2
ii  libsasl2-2          2.1.27~101-g0780600+dfsg-3
ii  libselinux1         2.6-3+b3
ii  libssh2-1           1.7.0-1
ii  libudev1            232-25+deb9u2
ii  libvirt0            3.0.0-4+deb9u3
ii  libxen-4.8          4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8
ii  libxenstore3.0      4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8
ii  libxml2             2.9.4+dfsg1-2.2+deb9u2
ii  libyajl2            2.1.0-2+b3

Versions of packages libvirt-daemon recommends:
ii  libxml2-utils   2.9.4+dfsg1-2.2+deb9u2
ii  netcat-openbsd  1.130-3
ii  qemu            1:2.8+dfsg-6+deb9u4

Versions of packages libvirt-daemon suggests:
ii  libvirt-daemon-system  3.0.0-4+deb9u3
pn  numad                  <none>

-- no debconf information
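
The ordering problem described in the report can be checked against an iptables-save dump, and the usual workaround (re-inserting the administrator's filtering chain at position 1 after libvirt has placed its rules) can be applied from a libvirt network hook. The script below is an added example, not part of the bug report or of libvirt's own code. The chain name VM-FILTER, the two constructed iptables-save excerpts, and the libvirt hook calling convention (`/etc/libvirt/hooks/network <name> <operation> <sub-operation> -`) are assumptions; verify the hook interface against the libvirt documentation for your version.

```shell
#!/bin/sh
# Added example (not from the bug report or libvirt): find out whether libvirt's
# FORWARD rules are consulted before the administrator's filtering chain, and
# print the commands that restore filtering. Chain name VM-FILTER is assumed.

# Constructed iptables-save excerpt reproducing the report: libvirt's five rules
# were inserted at the top of FORWARD, pushing the jump to VM-FILTER below them.
BYPASSED_DUMP='*filter
:FORWARD DROP [0:0]
:VM-FILTER - [0:0]
-A FORWARD -d 192.168.208.0/24 -o virbr0 -j ACCEPT
-A FORWARD -s 192.168.208.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j VM-FILTER
-A VM-FILTER -s 192.168.208.0/24 -p tcp --dport 25 -j DROP
-A VM-FILTER -j RETURN
COMMIT'

# Constructed excerpt of the same ruleset after the fix: VM-FILTER is first.
FIXED_DUMP='*filter
:FORWARD DROP [0:0]
:VM-FILTER - [0:0]
-A FORWARD -j VM-FILTER
-A FORWARD -d 192.168.208.0/24 -o virbr0 -j ACCEPT
-A FORWARD -s 192.168.208.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A VM-FILTER -s 192.168.208.0/24 -p tcp --dport 25 -j DROP
-A VM-FILTER -j RETURN
COMMIT'

# Usage: forward_position <dump> <substring>
# Prints the 1-based position of the first FORWARD rule containing <substring>,
# or 0 when no FORWARD rule matches. Only "-A FORWARD" lines are counted.
forward_position() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^-A FORWARD / { n++; if (index($0, pat) && !found) found = n }
        END { print found + 0 }'
}

# Usage: filtering_bypassed <dump> [chain] [bridge]
# Returns 0 (true) when a libvirt ACCEPT for the bridge sits ahead of the jump
# to the admin chain, i.e. guest traffic is accepted before it is ever filtered.
# A missing admin chain also counts as bypassed: nothing is filtering at all.
filtering_bypassed() {
    chain=${2:-VM-FILTER}
    bridge=${3:-virbr0}
    admin=$(forward_position "$1" "-j $chain")
    accept=$(forward_position "$1" "-o $bridge -j ACCEPT")
    if [ "$admin" -eq 0 ]; then
        return 0
    fi
    if [ "$accept" -ne 0 ] && [ "$accept" -lt "$admin" ]; then
        return 0
    fi
    return 1
}

# Usage: fix_commands [chain]
# Prints the iptables commands that move the admin chain ahead of libvirt's
# rules. Printing instead of executing keeps this runnable without root;
# pipe the output to sh to apply it.
fix_commands() {
    chain=${1:-VM-FILTER}
    cat <<EOF
iptables -N $chain 2>/dev/null || true
iptables -D FORWARD -j $chain 2>/dev/null || true
iptables -I FORWARD 1 -j $chain
EOF
}

# Installed as /etc/libvirt/hooks/network, libvirt calls this script as
#   network <name> <operation> <sub-operation> -
# (assumed interface; check your libvirt version). "started" fires after
# libvirt has inserted its rules, which is when the jump must be re-inserted.
if [ "${2:-}" = started ]; then
    fix_commands | sh
    exit 0
fi

# Stand-alone demo on the constructed dump (no iptables access needed).
if filtering_bypassed "$BYPASSED_DUMP"; then
    echo "libvirt ACCEPT at FORWARD position $(forward_position "$BYPASSED_DUMP" '-o virbr0 -j ACCEPT')" \
         "precedes VM-FILTER at position $(forward_position "$BYPASSED_DUMP" '-j VM-FILTER'); fix with:"
    fix_commands
fi
```

To check a live host instead of the constructed dump, pass `"$(iptables-save)"` to `filtering_bypassed`. Note that every `virsh net-start` re-inserts libvirt's rules at the top, so a one-off `iptables -I FORWARD 1` is undone on the next network start; that is why the re-insertion belongs in the hook rather than in a boot script.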



More information about the Pkg-libvirt-maintainers mailing list