[Pkg-libvirt-maintainers] Bug#942368: libvirt-daemon: firewall rules lost when firewalld restarts
Sam Morris
sam at robots.org.uk
Tue Oct 15 11:27:38 BST 2019
Package: libvirt-daemon
Version: 5.6.0-2
Severity: normal
My virtual machines often lose connectivity to external networks. This
seems to be because libvirt's iptables rules are missing:
root at fragarach:~# iptables -nv -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID PKTTYPE = unicast LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = unicast LOG flags 0 level 4 prefix "FINAL_REJECT: "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
This is fixed by restarting firewalld:
root at fragarach:~# systemctl restart libvirtd
root at fragarach:~# iptables -nv -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID PKTTYPE = unicast LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = unicast LOG flags 0 level 4 prefix "FINAL_REJECT: "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
I'm guessing the method that libvirtd uses to watch when firewalld
reloads the firewall, so that libvirt can add its own rules, is not
always effective.
-- System Information:
Debian Release: 10.1
APT prefers stable-debug
APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.2.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libvirt-daemon depends on:
ii libblkid1 2.33.1-0.1
ii libc6 2.29-2
ii libcap-ng0 0.7.9-2
ii libdbus-1-3 1.12.16-1
ii libdevmapper1.02.1 2:1.02.155-3
ii libfuse2 2.9.9-1
ii libgcc1 1:8.3.0-6
ii libgnutls30 3.6.9-5
ii libnetcf1 1:0.2.8-1+b2
ii libparted2 3.2-25
ii libpcap0.8 1.8.1-6
ii libpciaccess0 0.14-1
ii libselinux1 2.8-1+b1
ii libudev1 241-7~deb10u1
ii libvirt0 5.6.0-2
ii libxenmisc4.11 4.11.1+92-g6c33308a8d-2
ii libxenstore3.0 4.11.1+92-g6c33308a8d-2
ii libxentoollog1 4.11.1+92-g6c33308a8d-2
ii libxml2 2.9.4+dfsg1-7+b3
Versions of packages libvirt-daemon recommends:
ii libxml2-utils 2.9.4+dfsg1-7+b3
ii netcat-openbsd 1.195-2
ii qemu-kvm 1:3.1+dfsg-8+deb10u2
Versions of packages libvirt-daemon suggests:
pn libvirt-daemon-driver-storage-gluster <none>
pn libvirt-daemon-driver-storage-rbd <none>
pn libvirt-daemon-driver-storage-zfs <none>
ii libvirt-daemon-system 5.6.0-2
pn numad <none>
-- no debconf information
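As an added example (not part of Sam's report or of libvirt's own code), a small POSIX sh watchdog that parses `iptables -nv -L FORWARD` output for the three LIBVIRT_* hook chains seen in the post-restart listing above and restarts libvirtd when they are gone. The chain names come from the report; the sample listings are constructed and abridged.

```shell
#!/bin/sh
# Added example, not part of the bug report: detect the failure mode described
# above (libvirt's FORWARD hooks gone after a firewalld reload) and repair it
# the way the reporter did, by restarting libvirtd. POSIX sh, dash-safe.

# Chains libvirt hooks into the top of FORWARD (see the post-restart listing).
LIBVIRT_FORWARD_CHAINS="LIBVIRT_FWX LIBVIRT_FWI LIBVIRT_FWO"

# missing_libvirt_chains LISTING: given the text of `iptables -nv -L FORWARD`,
# prints each libvirt chain that is not a jump target in it, one per line.
# Column 3 of a rule line is the target, matched exactly (LIBVIRT_FWI_EXTRA != LIBVIRT_FWI).
missing_libvirt_chains() {
    for chain in $LIBVIRT_FORWARD_CHAINS; do
        if ! printf '%s\n' "$1" | awk -v c="$chain" '$3 == c { found = 1 } END { exit found ? 0 : 1 }'; then
            echo "$chain"
        fi
    done
}

# libvirt_rules_present LISTING: exit 0 only if all three hooks are present.
libvirt_rules_present() {
    [ -z "$(missing_libvirt_chains "$1")" ]
}

# One check against the live firewall, for a cron job or systemd timer; it
# only touches libvirtd when the hooks are actually gone.
libvirt_fw_watchdog() {
    live=$(iptables -nv -L FORWARD) || return 2
    libvirt_rules_present "$live" && return 0
    echo "libvirt chains missing from FORWARD:" $(missing_libvirt_chains "$live") >&2
    systemctl restart libvirtd
}

# Constructed sample listings (abridged from the report's two outputs) so the
# logic can be exercised offline, without iptables.
SAMPLE_BROKEN='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0'
SAMPLE_HEALTHY='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0'

if [ "${1:-}" = "--watchdog" ]; then libvirt_fw_watchdog; else
    echo "broken sample is missing:" $(missing_libvirt_chains "$SAMPLE_BROKEN")
    libvirt_rules_present "$SAMPLE_HEALTHY" && echo "healthy sample: all hooks present"
fi
```

Run with no arguments to exercise the constructed samples; run with `--watchdog` (as root, from a timer) to check the live FORWARD chain.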