[Pkg-libvirt-maintainers] Bug#1090355: Bug#1090355: libvirt-daemon-driver-network: Switch of firewall backend to nftables breaks NAT for guest machines

Andrea Bolognani eof at kiyuko.org
Wed Dec 18 21:41:08 GMT 2024


On Wed, Dec 18, 2024 at 12:47:53PM +0100, NoisyCoil wrote:
> I see the same behavior by simply having ufw installed and enabled, no special
> rules, no docker installed. Disabling ufw or manually adding blanket INPUT and
> FORWARD rules to enable incoming and outgoing traffic from/to the virbr+
> interfaces fixes this, but neither is a good solution.
> 
> It seems that libvirt should provide extra firewall rules if it wants to play
> nicely with nftables. Having ufw (or docker, or anything else really) installed
> should not prevent NAT from working. On the other hand, if for some reason this
> is the new intended behavior, then the change should be documented together
> with the precise list of rules needed to enable NAT when the default for INPUT
> and FORWARD is DROP (i.e. usually whenever a firewall is active).

This too is a known issue:

  https://fedoraproject.org/wiki/Changes/LibvirtVirtualNetworkNFTables#Known_issue:_non-firewalld_firewall_mgmt_tools

Both this and the Docker incompatibility are probably fine in the
context of a distro such as Fedora, where firewalld and Podman are
the "blessed" solutions in their respective fields, but Debian is
much less opinionated than that.

I need to spend some more time thinking about this, but switching the
default network backend back to iptables might be the most reasonable
solution.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
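The quoted message describes the workaround only in outline (blanket INPUT and FORWARD rules for the virbr+ interfaces). The script below is an added example, not from this thread, from libvirt or from Debian, of narrower ufw rules that leave DROP as the default policy for INPUT and FORWARD. It assumes the default libvirt bridge virbr0 and an uplink named eth0 (both constructed for the example); by default it only prints the ufw commands, and runs them only when invoked with --apply as root. The rules have to live in ufw's own chains rather than in a separate nftables table: an accept verdict in one base chain does not stop another base chain on the same hook from dropping the packet later, which is why libvirt's own accept rules in its nftables table do not override ufw's drop.

```shell
#!/bin/sh
# Added example: ufw rules that let a NAT'd libvirt network work while ufw
# keeps DROP as its default for INPUT and FORWARD. Not libvirt's own code.
# Assumptions (constructed for this example): bridge "virbr0", uplink "eth0".

# Print the ufw commands for a libvirt bridge and the host's uplink.
# Guests need DHCP (udp/67) and DNS (udp+tcp/53) to reach dnsmasq on the
# host, plus forwarding bridge -> uplink. Replies are already accepted by
# ufw's RELATED,ESTABLISHED rules in /etc/ufw/before.rules.
libvirt_ufw_rules() {
    bridge="$1"
    uplink="$2"
    printf 'ufw allow in on %s to any port 67 proto udp\n' "$bridge"
    printf 'ufw allow in on %s to any port 53 proto udp\n' "$bridge"
    printf 'ufw allow in on %s to any port 53 proto tcp\n' "$bridge"
    printf 'ufw route allow in on %s out on %s\n' "$bridge" "$uplink"
}

# Run the commands. Refuses to do anything unless ufw is present and we are
# root, so a dry run on a machine without ufw cannot half-apply a ruleset.
libvirt_ufw_apply() {
    if ! command -v ufw >/dev/null 2>&1; then
        echo "ufw is not installed; nothing applied" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "ufw rules must be applied as root" >&2
        return 1
    fi
    libvirt_ufw_rules "$1" "$2" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || return 1
    done
}

# Usage: ./libvirt-ufw.sh [bridge] [uplink]          (print the rules)
#        ./libvirt-ufw.sh --apply [bridge] [uplink]  (apply them with ufw)
case "${1:-}" in
    --apply) libvirt_ufw_apply "${2:-virbr0}" "${3:-eth0}" ;;
    *)       libvirt_ufw_rules "${1:-virbr0}" "${2:-eth0}" ;;
esac
```

The rules are deliberately scoped to the bridge: guests get DHCP, DNS and forwarding to the uplink, and nothing else on the host becomes reachable from them. If the bridge's subnet is known (192.168.122.0/24 for libvirt's default network) the `ufw allow` lines can be tightened further with `from 192.168.122.0/24`. After applying, `ufw status verbose` should list the four rules while still showing `deny (incoming)` and `deny (routed)` as the defaults.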