[Pkg-libvirt-maintainers] Bug#1090355: Bug#1090355: libvirt-daemon-driver-network: Switch of firewall backend to nftables breaks NAT for guest machines

Andrea Bolognani eof at kiyuko.org
Fri Dec 20 17:23:14 GMT 2024


On Fri, Dec 20, 2024 at 10:28:32AM +0100, NoisyCoil wrote:
> > This too is a known issue:
> >
> > https://fedoraproject.org/wiki/Changes/LibvirtVirtualNetworkNFTables#Known_issue:_non-firewalld_firewall_mgmt_tools
> 
> Confirmed. DHCP not working is how I first learned about this issue, and the
> behavior I see is that described in [1]. With respect to distros, one of the
> libvirt maintainers says:
> 
> > The immediate workaround is for anyone who uses UFW to tell libvirt to switch
> > back to its iptables backend again. If UFW is Arch's default firewall tool,
> > then Arch builds of libvirt should be made to set iptables as the default.
> 
> Debian has no default firewall, but ufw's popcon is 20990 vs firewalld's 5010.

Additional data point. ufw is installed and enabled by default on
Ubuntu server. Docker is one of the documented alternatives among
container runtimes; Podman isn't.

I think it's obvious at this point that the default should go back to
iptables. Users can easily switch to nftables if desired, but things
should work reasonably well out of the box.

I'll prepare a patch and an upload over the next few days.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
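The workaround discussed in the thread (telling libvirt to use its iptables backend again) as an added shell example; this is not code from the thread, from libvirt or from the Debian packaging. It assumes libvirt 10.4 or newer, where /etc/libvirt/network.conf accepts a firewall_backend key with the values "iptables" or "nftables", and takes the config path as an argument so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the bug report or libvirt): inspect and pin the
# firewall backend in a libvirt network.conf. Assumption: libvirt >= 10.4,
# where network.conf accepts firewall_backend = "iptables" | "nftables".

# Print the backend set in the given network.conf, or "unset" when the key
# is absent or commented out (libvirt then falls back to its build default,
# which in the affected packages is nftables).
libvirt_fw_backend() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*firewall_backend[[:space:]]*=[[:space:]]*"\([a-z]*\)".*/\1/p' "$conf" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Pin the iptables backend: rewrite an existing (possibly commented-out)
# firewall_backend line in place, or append one if there is none. Uses a
# temp file instead of sed -i so it also works with non-GNU sed.
libvirt_force_iptables() {
    conf="$1"
    tmp=$(mktemp)
    if grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*firewall_backend[[:space:]]*=' "$conf"; then
        sed 's/^[[:space:]]*#\{0,1\}[[:space:]]*firewall_backend[[:space:]]*=.*/firewall_backend = "iptables"/' "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf 'firewall_backend = "iptables"\n' >> "$tmp"
    fi
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Demo on a constructed config (a real run would target
# /etc/libvirt/network.conf, then restart libvirtd/virtnetworkd and
# net-destroy/net-start the affected networks so the backend is re-chosen).
demo=$(mktemp)
printf '# firewall_backend = "nftables"\n' > "$demo"
echo "before: $(libvirt_fw_backend "$demo")"
libvirt_force_iptables "$demo"
echo "after:  $(libvirt_fw_backend "$demo")"
rm -f "$demo"
```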