[Pkg-libvirt-maintainers] Bug#902561: libvirt-daemon: libvirt injects rules into iptables that disable packet filtering
Mikulas Patocka
mikulas at twibright.com
Wed Jun 27 22:20:44 BST 2018
Package: libvirt-daemon
Version: 3.0.0-4+deb9u3
Severity: normal
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
I set up a routed network for virtual machines with this configuration:
<network>
  <name>default</name>
  <uuid>eabed2d7-13e3-4bde-a812-f6bb6ce881a6</uuid>
  <forward mode='route'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:9c:a3:fc'/>
  <ip address='192.168.208.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.208.128' end='192.168.208.254'/>
    </dhcp>
  </ip>
</network>
* What exactly did you do (or not do) that was effective (or ineffective)?
I start the virtual network with this command:
# virsh net-start default
* What was the outcome of this action?
libvirt adds these rules to the beginning of the FORWARD chain.
This completely bypasses any pre-existing rules and makes it impossible
to do packet filtering for virtual machines.
-A FORWARD -d 192.168.208.0/24 -o virbr0 -j ACCEPT
-A FORWARD -s 192.168.208.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
* What outcome did you expect instead?
Either the rules should not be added at all, or they should be added at
the end of the FORWARD chain, so that they do not bypass existing
rules and still allow network filtering for virtual machines.
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 9.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armel, armhf
Kernel: Linux 4.17.2 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libvirt-daemon depends on:
ii libapparmor1 2.11.0-3+deb9u2
ii libaudit1 1:2.6.7-2
ii libavahi-client3 0.6.32-2
ii libavahi-common3 0.6.32-2
ii libblkid1 2.29.2-1+deb9u1
ii libc6 2.24-11+deb9u3
ii libcap-ng0 0.7.7-3+b1
ii libdbus-1-3 1.10.26-0+deb9u1
ii libdevmapper1.02.1 2:1.02.137-2
ii libfuse2 2.9.7-1
ii libgnutls30 3.5.8-5+deb9u3
ii libnetcf1 1:0.2.8-1+b2
ii libnl-3-200 3.2.27-2
ii libnl-route-3-200 3.2.27-2
ii libnuma1 2.0.11-2.1
ii libparted2 3.2-17
ii libpcap0.8 1.8.1-3
ii libpciaccess0 0.13.4-1+b2
ii librados2 10.2.5-7.2
ii librbd1 10.2.5-7.2
ii libsasl2-2 2.1.27~101-g0780600+dfsg-3
ii libselinux1 2.6-3+b3
ii libssh2-1 1.7.0-1
ii libudev1 232-25+deb9u2
ii libvirt0 3.0.0-4+deb9u3
ii libxen-4.8 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8
ii libxenstore3.0 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8
ii libxml2 2.9.4+dfsg1-2.2+deb9u2
ii libyajl2 2.1.0-2+b3
Versions of packages libvirt-daemon recommends:
ii libxml2-utils 2.9.4+dfsg1-2.2+deb9u2
ii netcat-openbsd 1.130-3
ii qemu 1:2.8+dfsg-6+deb9u4
Versions of packages libvirt-daemon suggests:
ii libvirt-daemon-system 3.0.0-4+deb9u3
pn numad <none>
-- no debconf information
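The shadowing the report describes can be checked mechanically: once libvirt's ACCEPT/REJECT block sits at the head of FORWARD, every packet entering or leaving virbr0 is terminated there, so any later rule that names the bridge or the routed subnet is dead. The script below is an added example written for this page; it is not part of the bug report or of libvirt. It takes the bridge name and subnet from the reporter's network XML, parses `iptables -S FORWARD`-style output (the sample chain is constructed, with two hypothetical administrator rules appended after libvirt's five), and reports which administrator rules are still effective and which are shadowed. It also produces the ordering the reporter asked for, with libvirt's block moved to the end of the chain.

```python
"""Audit a FORWARD chain for administrator rules shadowed by libvirt's routed-network block.

Added example, not libvirt code. It assumes VM traffic really enters and leaves the host
through the bridge interface (no spoofing from other interfaces).
"""
import ipaddress
import shlex

# Constructed sample of `iptables -S FORWARD` output, not taken from the reporter's host:
# libvirt's five rules from the report, followed by two hypothetical administrator rules
# that were meant to filter the virtual machines.
SAMPLE_FORWARD = """\
-P FORWARD DROP
-A FORWARD -d 192.168.208.0/24 -o virbr0 -j ACCEPT
-A FORWARD -s 192.168.208.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.208.0/24 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i virbr0 -m conntrack --ctstate NEW -j LOG --log-prefix "vm-new: "
"""

KEYS = ("in", "out", "src", "dst", "target")


def parse_rule(line):
    """Extract interface, address and target options from one `-A CHAIN ...` line.
    Other match options (-p, -m, --dport, ...) are ignored; they only narrow a rule
    further and do not change whether libvirt's block sees the packet first."""
    toks = shlex.split(line)
    rule = {"raw": line, "in": None, "out": None, "src": None, "dst": None, "target": None}
    i = 2  # skip "-A <chain>"
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if opt in ("-i", "--in-interface"):
            rule["in"], i = arg, i + 2
        elif opt in ("-o", "--out-interface"):
            rule["out"], i = arg, i + 2
        elif opt in ("-s", "--source"):
            rule["src"], i = ipaddress.ip_network(arg, strict=False), i + 2
        elif opt in ("-d", "--destination"):
            rule["dst"], i = ipaddress.ip_network(arg, strict=False), i + 2
        elif opt in ("-j", "--jump"):
            rule["target"], i = arg, i + 2
        else:
            i += 1
    return rule


def libvirt_rules(bridge, subnet):
    """The five rules libvirt installs for a routed network, as listed in the report."""
    net = ipaddress.ip_network(subnet)
    return [
        {"in": None,   "out": bridge, "src": None, "dst": net,  "target": "ACCEPT"},
        {"in": bridge, "out": None,   "src": net,  "dst": None, "target": "ACCEPT"},
        {"in": bridge, "out": bridge, "src": None, "dst": None, "target": "ACCEPT"},
        {"in": None,   "out": bridge, "src": None, "dst": None, "target": "REJECT"},
        {"in": bridge, "out": None,   "src": None, "dst": None, "target": "REJECT"},
    ]


def touches_bridge(rule, bridge, net):
    """True if the rule can only match packets that also traverse the bridge:
    it names the bridge interface or an address inside the routed subnet."""
    if bridge in (rule["in"], rule["out"]):
        return True
    return any(a is not None and a.version == net.version and a.subnet_of(net)
               for a in (rule["src"], rule["dst"]))


def audit_forward(chain_text, bridge, subnet):
    """Return (libvirt_positions, effective, shadowed) for the chain.

    libvirt_positions: 1-based positions of libvirt's block in the chain.
    effective: administrator rules that still see bridge traffic (placed before the block).
    shadowed: administrator rules placed after the block that name the bridge or subnet;
    libvirt's ACCEPT/REJECT rules have already decided every such packet."""
    net = ipaddress.ip_network(subnet)
    expected = libvirt_rules(bridge, subnet)
    rules = [parse_rule(l) for l in chain_text.splitlines() if l.startswith("-A ")]
    positions, effective, shadowed = [], [], []
    for pos, r in enumerate(rules, start=1):
        if any(all(r[k] == e[k] for k in KEYS) for e in expected):
            positions.append(pos)
        elif positions and touches_bridge(r, bridge, net):
            shadowed.append(r["raw"])
        else:
            effective.append(r["raw"])
    return positions, effective, shadowed


def with_libvirt_block_last(chain_text, bridge, subnet):
    """Return the `-A` lines reordered so libvirt's block follows the administrator's
    rules, which is the placement the report asks for."""
    positions, _, _ = audit_forward(chain_text, bridge, subnet)
    lines = [l for l in chain_text.splitlines() if l.startswith("-A ")]
    block = [l for i, l in enumerate(lines, 1) if i in positions]
    rest = [l for i, l in enumerate(lines, 1) if i not in positions]
    return rest + block


if __name__ == "__main__":
    pos, eff, sh = audit_forward(SAMPLE_FORWARD, "virbr0", "192.168.208.0/24")
    print("libvirt block at positions:", pos)
    for r in sh:
        print("SHADOWED:", r)
    for r in eff:
        print("effective:", r)
    print("\nchain with libvirt's block last:")
    print("\n".join(with_libvirt_block_last(SAMPLE_FORWARD, "virbr0", "192.168.208.0/24")))
```

Run it against the real chain with `iptables -S FORWARD | python3 audit.py` after swapping the sample for `sys.stdin.read()`. Two caveats when acting on the result: libvirt reinserts its block every time the network is started, so reordering the chain by hand does not survive `virsh net-start`, and the reordered output above is only an illustration of the requested placement; for a network that should install no iptables rules at all, libvirt also provides `<forward mode='open'/>` (available since libvirt 2.2.0), which leaves all filtering to the host's own ruleset.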