[Pkg-libvirt-maintainers] Bug#1090355: libvirt-daemon-driver-network: Switch of firewall backend to nftables breaks NAT for guest machines
NoisyCoil
noisycoil at tutanota.com
Wed Dec 18 11:47:53 GMT 2024
Package: libvirt-daemon-driver-network
Version: 10.10.0-3
Followup-For: Bug #1090355
X-Debbugs-Cc: noisycoil at tutanota.com
I see the same behavior by simply having ufw installed and enabled, no special
rules, no docker installed. Disabling ufw or manually adding blanket INPUT and
FORWARD rules to enable incoming and outgoing traffic from/to the virbr+
interfaces fixes this, but neither is a good solution.
It seems that libvirt should provide extra firewall rules if it wants to play
nicely with nftables. Having ufw (or docker, or anything else really) installed
should not prevent NAT from working. On the other hand, if for some reason this
is the new intended behavior, then the change should be documented together
with the precise list of rules needed to enable NAT when the default for INPUT
and FORWARD is DROP (i.e. usually whenever a firewall is active).
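As an added illustration (not part of the bug report, nor code from libvirt or ufw), the script below generates, and optionally applies, ufw rules scoped to a single libvirt bridge and its guest subnet: the narrower form of the "blanket INPUT and FORWARD rules for virbr+" workaround described above. The bridge name virbr0 and subnet 192.168.122.0/24 are assumptions (they are the usual values for libvirt's "default" network; confirm with `virsh net-dumpxml default`). Without `--apply` it only prints the commands, so it can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not from the bug report or the libvirt/ufw projects.
# Emits (dry run) or applies ufw rules that let guests on one libvirt bridge
# use the host's dnsmasq and be forwarded out through NAT, instead of opening
# INPUT/FORWARD for every virbr+ interface.
# Assumed defaults: bridge virbr0, guest subnet 192.168.122.0/24.

# Print the ufw commands for the given bridge and guest subnet.
virbr_ufw_rules() {
  br="${1:-virbr0}"
  net="${2:-192.168.122.0/24}"
  # INPUT: DHCP discover arrives from source 0.0.0.0, so it must not be
  # limited to the guest subnet; DNS to the host's dnsmasq can be.
  printf 'ufw allow in on %s to any port 67 proto udp\n' "$br"
  printf 'ufw allow in on %s from %s to any port 53 proto udp\n' "$br" "$net"
  printf 'ufw allow in on %s from %s to any port 53 proto tcp\n' "$br" "$net"
  # FORWARD: guest traffic leaving the bridge (libvirt masquerades it
  # afterwards) and traffic addressed to the guest subnet coming back in.
  printf 'ufw route allow in on %s from %s\n' "$br" "$net"
  printf 'ufw route allow out on %s to %s\n' "$br" "$net"
}

# Number of rules that would be applied; a quick sanity check.
virbr_ufw_rule_count() {
  virbr_ufw_rules "$@" | wc -l | tr -d ' '
}

# Apply only when explicitly requested and running as root; otherwise dry run.
if [ "${1:-}" = "--apply" ]; then
  shift
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply rules" >&2; exit 1; }
  virbr_ufw_rules "$@" | while IFS= read -r cmd; do
    echo "+ $cmd"
    sh -c "$cmd"
  done
else
  virbr_ufw_rules "$@"
fi
```

The rules are added through ufw rather than as a separate nftables table on purpose: in nftables an `accept` verdict only ends evaluation in the chain that issued it, and a packet is still dropped if any other base chain on the same hook (here ufw's) drops it, so a parallel table of accept rules would not restore NAT. Restricting the forward rules to the bridge and its subnet also keeps the host from becoming a router for anything else that happens to reach its FORWARD chain.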