[Pkg-utopia-maintainers] Bug#909574: firewalld: FirewallBackend=nftables breaks NAT networks in libvirt
Tomas Janousek
tomi at nomi.cz
Tue Sep 25 14:45:25 BST 2018
Package: firewalld
Version: 0.6.2-1
Severity: normal
From <https://firewalld.org/2018/07/nftables-backend>:
"The main consequence for users is that firewall rules created outside of
firewalld (e.g. libvirt, docker, user, etc) will take precedence over
firewalld’s rules."
but unfortunately also:
"For firewalld this means packets may be accepted early by custom iptables
or nftables rules, but will still be subject to firewalld’s rules."
libvirt starts dnsmasq:
# ss -lpn '( sport = 53 or sport = 67 )' | grep dnsmasq
udp UNCONN 0 0 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=3990102,fd=5))
udp UNCONN 0 0 0.0.0.0%virbr0:67 0.0.0.0:* users:(("dnsmasq",pid=3990102,fd=3))
tcp LISTEN 0 32 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=3990102,fd=6))
and adds some iptables rules:
# iptables-save | grep 'INPUT.*virbr.*ACCEPT'
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
As mentioned above, these rules aren't enough for the packet to be accepted,
nftables would need to be configured to accept 53/67 from virbr0 as well.
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains explains:
"if a packet gets accepted/dropped and there is a later chain in the same
hook which is ordered with a later priority, the packet will be evaluated
*again*"
According to https://bbs.archlinux.org/viewtopic.php?id=239362, this breaks
docker as well. :-(
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (980, 'testing-debug'), (980, 'testing'), (980, 'stable'), (500, 'unstable-debug'), (500, 'stable-debug'), (500, 'unstable'), (500, 'stable'), (200, 'experimental-debug'), (200, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages firewalld depends on:
ii dbus 1.12.10-1
ii gir1.2-glib-2.0 1.58.0-1
ii iptables 1.6.2-1.1
ii nftables 0.9.0-1
ii policykit-1 0.105-21
ii python3 3.6.6-1
ii python3-dbus 1.2.8-2+b1
ii python3-gi 3.30.1-1
ii python3-slip-dbus 0.6.5-2
Versions of packages firewalld recommends:
ii ebtables 2.0.10.4-5
ii ipset 6.34-1
firewalld suggests no packages.
-- Configuration Files:
/etc/firewalld/firewalld.conf [Errno 13] Operace zamítnuta: '/etc/firewalld/firewalld.conf'
/etc/firewalld/lockdown-whitelist.xml [Errno 13] Operace zamítnuta: '/etc/firewalld/lockdown-whitelist.xml'
-- no debconf information
--
Tomáš Janoušek, a.k.a. Pivník, a.k.a. Liskni_si, http://work.lisk.in/
More information about the Pkg-utopia-maintainers
mailing list