[Pkg-libvirt-maintainers] Bug#959114: libvirt-daemon: I should be able to stop libvirtd from futzing with my firewall

Mark mark_reportbug at mailinator.com
Wed Apr 29 15:12:45 BST 2020


Package: libvirt-daemon
Version: 5.0.0-4+deb10u1
Severity: normal
Tags: upstream

Dear Maintainer,


   * What led up to the situation?

I have set up a bridge manually:
cat /etc/network/interfaces
--- snip ---
auto dmz
iface dmz inet static
    # Reserved KVM MAC addresses: 52:54:00:xx:xx:xx (Nb. a8=168, 1b=27)
    hwaddress ether 52:54:00:00:00:01
    address 192.168.0.1/24
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0

I have also disabled the default network used by kvm as follows:
virsh net-destroy default
virsh net-undefine default

I have configured my own firewall using nftables:
cat /etc/nftables.conf
flush ruleset
define lan_if = "eth0"
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }
  chain postrouting {
    type nat hook postrouting priority 0; policy accept;
    oif $lan_if masquerade
  }
}
table inet filter {
  chain input {
    type filter hook input priority 0; policy accept;
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}

I have installed several KVM virtual machines running Debian.
Everything works well, except:
Every time I reboot, libvirtd futzes with my firewall.
libvirtd calls iptables, ip6tables and ebtables and creates the following
additional tables and chains:
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }
        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }
        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}
table ip6 filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }
        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }
        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}
table bridge filter {
        chain INPUT {
                type filter hook input priority -200; policy accept;
        }
        chain FORWARD {
                type filter hook forward priority -200; policy accept;
        }
        chain OUTPUT {
                type filter hook output priority -200; policy accept;
        }
}

I don't want these added and I can't seem to get systemd to rerun my nftables
script after libvirtd does its thing.


   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I have tried setting up a systemd service as follows:
cat /etc/systemd/system/firewall
[Unit]
Description=firewall
Requires=network-online.target libvirtd.service
After=network-online.target libvirtd.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset

[Install]
WantedBy=multi-user.target

I was hoping this would run after libvirtd and override what it did.  But this
didn't work.  It seems that libvirtd takes time to complete and the iptables
calls come after my firewall.system service fires even though I added the
Requires= and After= lines.

I moved the file /usr/sbin/xtables-nft-multi to /usr/sbin/xtables-nft-multi-saved
and this did work, because then libvirtd was unable to make its calls to
(eb|ip|ip6)tables, but this is not really a solution: if the package is
updated some time in the future, the binary executable could be re-installed
without me recognising it.


   * What was the outcome of this action?

Frustration.


   * What outcome did you expect instead?

I expect there should be some way to tell libvirtd to not make any calls to
iptables.  Leave my firewall alone!  I will configure my firewall how I want it
to be.






-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii  libacl1             2.2.53-4
ii  libapparmor1        2.13.2-10
ii  libaudit1           1:2.8.4-3
ii  libavahi-client3    0.7-4+b1
ii  libavahi-common3    0.7-4+b1
ii  libblkid1           2.33.1-0.1
ii  libc6               2.28-10
ii  libcap-ng0          0.7.9-2
ii  libcurl3-gnutls     7.64.0-4+deb10u1
ii  libdbus-1-3         1.12.16-1
ii  libdevmapper1.02.1  2:1.02.155-3
ii  libfuse2            2.9.9-1
ii  libgcc1             1:8.3.0-6
ii  libgnutls30         3.6.7-4+deb10u3
pn  libnetcf1           <none>
ii  libnl-3-200         3.4.0-1
ii  libnl-route-3-200   3.4.0-1
ii  libnuma1            2.0.12-1
ii  libparted2          3.2-25
ii  libpcap0.8          1.8.1-6
ii  libpciaccess0       0.14-1
ii  libsasl2-2          2.1.27+dfsg-1+deb10u1
ii  libselinux1         2.8-1+b1
ii  libssh2-1           1.8.0-2.1
ii  libudev1            241-7~deb10u3
pn  libvirt0            <none>
pn  libxenmisc4.11      <none>
pn  libxenstore3.0      <none>
pn  libxentoollog1      <none>
ii  libxml2             2.9.4+dfsg1-7+b3
ii  libyajl2            2.1.0-3

Versions of packages libvirt-daemon recommends:
ii  libxml2-utils    2.9.4+dfsg1-7+b3
pn  netcat-openbsd   <none>
pn  qemu-kvm | qemu  <none>

Versions of packages libvirt-daemon suggests:
pn  libvirt-daemon-driver-storage-gluster  <none>
pn  libvirt-daemon-driver-storage-rbd      <none>
pn  libvirt-daemon-driver-storage-zfs      <none>
pn  libvirt-daemon-system                  <none>
pn  numad                                  <none>


