[Pkg-utopia-maintainers] Bug#909574: firewalld: FirewallBackend=nftables breaks NAT networks in libvirt

Tomas Janousek tomi at nomi.cz
Tue Sep 25 14:45:25 BST 2018


Package: firewalld
Version: 0.6.2-1
Severity: normal

From <https://firewalld.org/2018/07/nftables-backend>:

    "The main consequence for users is that firewall rules created outside of
    firewalld (e.g. libvirt, docker, user, etc) will take precedence over
    firewalld’s rules."

but unfortunately also:

    "For firewalld this means packets may be accepted early by custom iptables
    or nftables rules, but will still be subject to firewalld’s rules."

libvirt starts dnsmasq:

    # ss -lpn '( sport = 53 or sport = 67 )' | grep dnsmasq
    udp    UNCONN   0        0            192.168.122.1:53            0.0.0.0:*      users:(("dnsmasq",pid=3990102,fd=5))
    udp    UNCONN   0        0           0.0.0.0%virbr0:67            0.0.0.0:*      users:(("dnsmasq",pid=3990102,fd=3))
    tcp    LISTEN   0        32           192.168.122.1:53            0.0.0.0:*      users:(("dnsmasq",pid=3990102,fd=6))

and adds some iptables rules:

    # iptables-save | grep 'INPUT.*virbr.*ACCEPT'
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT

As mentioned above, these rules aren't enough for the packet to be accepted;
nftables would need to be configured to accept 53/67 from virbr0 as well.
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains explains:

    "if a packet gets accepted/dropped and there is a later chain in the same
    hook which is ordered with a later priority, the packet will be evaluated
    *again*"

According to https://bbs.archlinux.org/viewtopic.php?id=239362, this breaks
docker as well. :-(

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (980, 'testing-debug'), (980, 'testing'), (980, 'stable'), (500, 'unstable-debug'), (500, 'stable-debug'), (500, 'unstable'), (500, 'stable'), (200, 'experimental-debug'), (200, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firewalld depends on:
ii  dbus               1.12.10-1
ii  gir1.2-glib-2.0    1.58.0-1
ii  iptables           1.6.2-1.1
ii  nftables           0.9.0-1
ii  policykit-1        0.105-21
ii  python3            3.6.6-1
ii  python3-dbus       1.2.8-2+b1
ii  python3-gi         3.30.1-1
ii  python3-slip-dbus  0.6.5-2

Versions of packages firewalld recommends:
ii  ebtables  2.0.10.4-5
ii  ipset     6.34-1

firewalld suggests no packages.

-- Configuration Files:
/etc/firewalld/firewalld.conf [Errno 13] Operace zamítnuta: '/etc/firewalld/firewalld.conf'
/etc/firewalld/lockdown-whitelist.xml [Errno 13] Operace zamítnuta: '/etc/firewalld/lockdown-whitelist.xml'

-- no debconf information

-- 
Tomáš Janoušek, a.k.a. Pivník, a.k.a. Liskni_si, http://work.lisk.in/
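As an added example, not part of Tomas's report: a POSIX sh script that checks an `nft list ruleset` dump for the situation described above (libvirt's iptables ACCEPT rules for dnsmasq on virbr0 not being mirrored by firewalld's nftables chains), followed by the firewall-cmd zone change that makes both rule sets agree. The chain names are assumed from firewalld's nftables backend and the sample ruleset is constructed.

```sh
# Added example (not from the bug report): given an "nft list ruleset" dump, list
# the dnsmasq ports on virbr0 that firewalld's nftables chains would still drop
# even though libvirt's iptables rules accept them. Chain naming
# (filter_IN_<zone>, filter_IN_<zone>_allow) is assumed; adjust for your version.

# Constructed sample: virbr0 is routed to zone "public", which only allows ssh.
SAMPLE_RULESET='table inet firewalld {
    chain filter_INPUT_ZONES {
        iifname "virbr0" goto filter_IN_public
        goto filter_IN_public
    }
    chain filter_IN_public_allow {
        tcp dport 22 ct state new,untracked accept
    }
    chain filter_IN_internal_allow {
        tcp dport 53 ct state new,untracked accept
        udp dport 53 ct state new,untracked accept
        udp dport 67 ct state new,untracked accept
    }
}'

# zone_for_iface RULESET IFACE: print the zone the interface is routed to
zone_for_iface() {
    printf '%s\n' "$1" |
        sed -n "s/.*iifname \"$2\" goto filter_IN_\([A-Za-z0-9_]*\).*/\1/p" | head -n 1
}

# nft_allows RULESET ZONE PROTO PORT: succeed if the zone's _allow chain accepts it
nft_allows() {
    printf '%s\n' "$1" | awk -v chain="filter_IN_$2_allow" -v rule="$3 dport $4 " '
        $1 == "chain" && $2 == chain { inside = 1; next }
        inside && /^[ \t]*}/ { inside = 0 }
        inside && index($0, rule) && /accept/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# dnsmasq_ports_missing RULESET IFACE: print proto/port pairs firewalld still drops
dnsmasq_ports_missing() {
    zone=$(zone_for_iface "$1" "$2")
    for pp in "udp 53" "tcp 53" "udp 67"; do
        nft_allows "$1" "$zone" "${pp% *}" "${pp#* }" || echo "${pp% *}/${pp#* }"
    done
}
# Remediation on a real host (root, not run here): put virbr0 in a zone that
# allows the dns and dhcp services, so firewalld's rules match libvirt's.
fix_virbr0_zone() {
    firewall-cmd --permanent --zone=internal --add-interface="${1:-virbr0}" &&
    firewall-cmd --permanent --zone=internal --add-service=dns --add-service=dhcp &&
    firewall-cmd --reload
}
```

Empty output from dnsmasq_ports_missing means the zone virbr0 lands in already accepts what libvirt's iptables rules accept.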


