[Pkg-libvirt-maintainers] Bug#1090355: Bug#1090355: libvirt-daemon-driver-network: Switch of firewall backend to nftables breaks NAT for guest machines
Andrea Bolognani
eof at kiyuko.org
Tue Dec 17 12:51:09 GMT 2024
On Tue, Dec 17, 2024 at 11:39:06AM +0100, Max Hofer wrote:
> Package: libvirt-daemon-driver-network
> Version: 10.10.0-3
> Severity: normal
>
> Upgrading libvirt breaks the internet access of my guest machines
> using NAT forwarding. Default firewalld is installed.
>
> I attached the iptables rules from libvirt 10.10.0-1 (using iptables as
> firewall backend) and the new one after the upgrade with the nftables as
> backend.
>
> Workaround: enabling the setting 'firewall_backend = "iptables"' in
> /etc/libvirt/network.conf restores the old behavior.
[...]
> *filter
> :INPUT ACCEPT [40677:4186813]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [41189:72181069]
> :DOCKER - [0:0]
> :DOCKER-ISOLATION-STAGE-1 - [0:0]
> :DOCKER-ISOLATION-STAGE-2 - [0:0]
> :DOCKER-USER - [0:0]
> :LIBVIRT_FWI - [0:0]
> :LIBVIRT_FWO - [0:0]
> :LIBVIRT_FWX - [0:0]
> :LIBVIRT_INP - [0:0]
> :LIBVIRT_OUT - [0:0]
> -A INPUT -j LIBVIRT_INP
> -A FORWARD -j LIBVIRT_FWX
> -A FORWARD -j LIBVIRT_FWI
> -A FORWARD -j LIBVIRT_FWO
> -A FORWARD -j DOCKER-USER
> -A FORWARD -j DOCKER-ISOLATION-STAGE-1
> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -o docker0 -j DOCKER
> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> -A FORWARD -i docker0 -o docker0 -j ACCEPT
> -A OUTPUT -j LIBVIRT_OUT
> -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
> -A DOCKER-ISOLATION-STAGE-1 -j RETURN
> -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
> -A DOCKER-ISOLATION-STAGE-2 -j RETURN
> -A DOCKER-USER -j RETURN
> -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
> -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
> COMMIT
Thanks for reaching out.
I'm no firewall expert but I see that there are some Docker rules in
there, so I think you might be hitting the same issue mentioned here:
https://fedoraproject.org/wiki/Changes/LibvirtVirtualNetworkNFTables#Known_issue:_docker
Can you try disabling Docker and checking whether the libvirt
nftables backend works as expected then?
We might need to document this incompatibility more prominently, for
example in the release notes.
--
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
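A small diagnostic, added here as an illustration and not part of either message: it parses an `iptables-save` dump and reports the combination that the Fedora page describes as the Docker incompatibility, namely a FORWARD chain whose policy is DROP (as in the reporter's attachment) with no ACCEPT rule for packets entering from the libvirt bridge. With the iptables backend, libvirt's LIBVIRT_FWO chain supplies that ACCEPT; with the nftables backend, libvirt's rules live in its own nftables table, so nothing in the iptables FORWARD path accepts the guest traffic. The bridge name virbr0 comes from the attachment; the sample dump below is constructed and hypothetical.

```python
# Constructed sample (hypothetical, not the reporter's attachment): the filter
# table as it could look once libvirt runs its nftables backend. Docker still
# sets FORWARD to DROP, but no LIBVIRT_FW* rule accepts virbr0 traffic here.
DUMP_NFTABLES_BACKEND = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
"""


def parse_filter_table(dump):
    """Return (chain -> policy, list of tokenised -A rules) for the *filter table."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line.split())
    return policies, rules


def diagnose(dump, bridge="virbr0"):
    """Flag FORWARD policy DROP with no ACCEPT for packets entering from the bridge."""
    policies, rules = parse_filter_table(dump)
    # libvirt's iptables backend adds e.g. "-A LIBVIRT_FWO -s ... -i virbr0 -j ACCEPT".
    accepted = any(
        "-i" in r and r[r.index("-i") + 1] == bridge and r[-2:] == ["-j", "ACCEPT"]
        for r in rules
    )
    return {
        "forward_policy": policies.get("FORWARD"),
        "docker_chains": any(c.startswith("DOCKER") for c in policies),
        "bridge_accepted": accepted,
        "conflict": policies.get("FORWARD") == "DROP" and not accepted,
    }


if __name__ == "__main__":
    import sys
    # Pipe a live "iptables-save" into stdin, or fall back to the constructed sample.
    dump = sys.stdin.read() if not sys.stdin.isatty() else DUMP_NFTABLES_BACKEND
    print(diagnose(dump))
```

A result with `"conflict": True` on an affected host points at the Docker FORWARD policy rather than at the libvirt rules themselves.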