[Pkg-libvirt-maintainers] Bug#1090355: Bug#1090355: libvirt-daemon-driver-network: Switch of firewall backend to nftables breaks NAT for guest machines

Andrea Bolognani eof at kiyuko.org
Wed Dec 18 17:39:24 GMT 2024 

[re-added the bug report]

On Tue, Dec 17, 2024 at 08:13:07PM +0100, Max Hofer wrote:
> You were right. It is the combination of Docker with libvirt using
> `nftables` as firewall backend which breaks NAT.
> 
> I could reproduce it by using the default firewall backend, removing
> docker.io, reboot machine, restarted the default network with `sudo virsh
> net-start default` -->  guest system could access internet.
> 
> Interestingly, with this setup, no firewall rules are created at all and NAT
> is still working.
> 
> Reinstalling docker.io, keeping nftables as firewall backedn -->  guest
> system could not access the internet.
> 
> `iptables -nL` doesn't show any LIBVIRT_* chains.
> 
> Changing firewall backend to iptables, reboot, restart libvirt network -->
> guest system could access internet. NAT chains LIBVIRT_* are created.

When using the nftables backend, the rules will not be created using
iptables so that tool won't know about them.

If you run "nftables list ruleset" you should see a bunch of
libvirt-related rules.

Note that iptables is using the same kernel API as nftables these
days, at least unless you go out of your way to tell it not to:

  $ update-alternatives --query iptables
  Name: iptables
  Link: /usr/sbin/iptables
  Slaves:
   iptables-restore /usr/sbin/iptables-restore
   iptables-save /usr/sbin/iptables-save
  Status: auto
  Best: /usr/sbin/iptables-nft
  Value: /usr/sbin/iptables-nft

  Alternative: /usr/sbin/iptables-legacy
  Priority: 10
  Slaves:
   iptables-restore /usr/sbin/iptables-legacy-restore
   iptables-save /usr/sbin/iptables-legacy-save

  Alternative: /usr/sbin/iptables-nft
  Priority: 20
  Slaves:
   iptables-restore /usr/sbin/iptables-nft-restore
   iptables-save /usr/sbin/iptables-nft-save

> I think it would be a good idea to document it somewhere, since the
> combination of libvirt+docker.io installation is not uncommon.

I agree.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-libvirt-maintainers/attachments/20241218/8457640b/attachment.sig>

More information about the Pkg-libvirt-maintainers mailing list