
Firewalld + libvirt rules conflict


Nick

Dec 28, 2021, 8:50:03 AM
Using KVM/libvirt in NAT mode to run VM guests needs forwarding to be
enabled in order to redirect a host port to a VM port. Libvirt adds iptables
rules to do its magic; in addition I had to add some more rules like:

iptables -I FORWARD -o virbr0 --proto tcp -m conntrack --ctstate NEW -j ACCEPT

or

firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT


This works on the fly but not when firewalld is reloaded, because the rule
goes to the bottom of the FORWARD chain where it is supposed to be at the
top.


This works

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LIBVIRT_FWX  all  --  anywhere             anywhere
LIBVIRT_FWI  all  --  anywhere             anywhere
LIBVIRT_FWO  all  --  anywhere             anywhere


This doesn't work

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_FWX  all  --  anywhere             anywhere
LIBVIRT_FWI  all  --  anywhere             anywhere
LIBVIRT_FWO  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere


As it seems there is no way to insert the needed rule at the top even
with -I FORWARD 1 upon firewall-cmd --reload, what options are left to
avoid additional work every time firewalld is reloaded?


There are a number of articles on the topic (QEMU hook hack etc.) but none
of them seems to provide a working solution for this case.


Please advise.
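
A quick way to tell the two orderings above apart after a reload, as an added example (not from the thread): the check reads an `iptables -S FORWARD` listing, where the output interface is visible (plain `iptables -L` hides it without `-v`), and reports whether an ACCEPT rule for the bridge precedes the first jump into a LIBVIRT_FW* chain. The bridge name virbr0 and the `-o virbr0 ... -j ACCEPT` shape of the hand-added rule are taken from the iptables command in the post; the two listings are constructed to mirror the "works" and "doesn't work" outputs shown above.

```shell
#!/bin/sh
# Added example (not from the thread): decide, from an `iptables -S FORWARD`
# listing, whether the ACCEPT rule for the NAT bridge sits above libvirt's
# LIBVIRT_FWX/FWI/FWO jumps, i.e. the "works" ordering from the post.
# Assumptions: the bridge is virbr0 and the hand-added rule carries
# "-o <bridge>" and ends in "-j ACCEPT", as in the iptables command posted.

# fwd_rule_is_first BRIDGE LISTING
# Exit 0 when an ACCEPT rule for BRIDGE precedes the first LIBVIRT_FW* jump,
# 1 otherwise (rule missing, or listed after libvirt's chains).
fwd_rule_is_first() {
    bridge="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v br="$bridge" '
        /^-P /                               { next }               # chain policy line
        $0 ~ ("-o " br " ") && / -j ACCEPT$/ { found = 1; exit }    # our rule, seen first
        / -j LIBVIRT_FW/                     { exit }               # libvirt got there first
        END                                  { if (found) exit 0; exit 1 }'
}

# Constructed listings (not captured from a real host) in `iptables -S` form,
# mirroring the two `iptables -L FORWARD` outputs in the post.
GOOD_LISTING='-P FORWARD ACCEPT
-A FORWARD -o virbr0 -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO'

BAD_LISTING='-P FORWARD ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -o virbr0 -p tcp -m conntrack --ctstate NEW -j ACCEPT'

# check_live_order [BRIDGE]
# Run the same check against the live ruleset (needs root) and print a verdict;
# handy right after `firewall-cmd --reload` to see whether the order survived.
check_live_order() {
    if fwd_rule_is_first "${1:-virbr0}" "$(iptables -S FORWARD)"; then
        echo "OK: ACCEPT rule for ${1:-virbr0} precedes the LIBVIRT_FW* jumps"
    else
        echo "BAD: ACCEPT rule for ${1:-virbr0} missing or below the LIBVIRT_FW* jumps" >&2
        return 1
    fi
}
```

The check deliberately stops at the first LIBVIRT_FW* jump: a matching ACCEPT rule that exists but sits below those chains is exactly the "doesn't work" case, so presence alone (`iptables -C`) is not enough to verify the fix.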

Benoit Hivert

Dec 28, 2021, 1:40:04 PM
Put the rule in a network hook script (https://www.libvirt.org/hooks.html)
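
One shape such a network hook script could take, as an added example that is neither from the thread nor libvirt's own code. Assumptions: the NAT network is called `default` and its bridge is `virbr0` (libvirt's usual defaults, not stated in the thread); the rule inserted is the conntrack rule from the first post; the argument convention is the one documented on the hooks page linked above (network name, operation, sub-operation, extra). The `IPTABLES` variable exists only so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example libvirt network hook (not from the thread or the libvirt project).
# Install as /etc/libvirt/hooks/network, mode 0755. libvirt invokes it as
#   network <network-name> <operation> <sub-operation> <extra>
# with the network XML on stdin (ignored here).
#
# Assumptions (not stated in the thread): the NAT network is "default" and its
# bridge is virbr0; the rule wanted at the top of FORWARD is the conntrack rule
# from the original post. IPTABLES can point at a wrapper for dry runs.

IPTABLES="${IPTABLES:-iptables}"
NET_NAME="${NET_NAME:-default}"    # assumed network name
BRIDGE="${BRIDGE:-virbr0}"          # assumed bridge of that network

# fwd_rule_spec BRIDGE
# Print the rule specification once, so -C (check), -I (insert) and -D (delete)
# all use exactly the same words and iptables matches them as one rule.
fwd_rule_spec() {
    printf '%s' "-o $1 -p tcp -m conntrack --ctstate NEW -j ACCEPT"
}

# ensure_fwd_rule BRIDGE
# Insert the rule at position 1 of FORWARD (above LIBVIRT_FWX/FWI/FWO) unless an
# identical rule is already present. Note that -C only proves presence, not
# position: a stale copy at the bottom of the chain counts as "present".
ensure_fwd_rule() {
    bridge="$1"
    # shellcheck disable=SC2046  # word splitting of the spec is intended
    if "$IPTABLES" -C FORWARD $(fwd_rule_spec "$bridge") 2>/dev/null; then
        echo "network hook: FORWARD rule for $bridge already present" >&2
        return 0
    fi
    "$IPTABLES" -I FORWARD 1 $(fwd_rule_spec "$bridge")
}

# remove_fwd_rule BRIDGE
# Delete every copy of the rule (in case one was also added by hand).
remove_fwd_rule() {
    bridge="$1"
    while "$IPTABLES" -C FORWARD $(fwd_rule_spec "$bridge") 2>/dev/null; do
        "$IPTABLES" -D FORWARD $(fwd_rule_spec "$bridge")
    done
}

# hook_dispatch NETWORK OPERATION [SUB-OPERATION EXTRA]
# Map the events libvirt reports to an action. Other networks and unknown
# operations are ignored, so the hook stays harmless with several networks.
# A failure is logged rather than returned: a non-zero exit from a hook can
# make libvirt refuse the operation, which is worse than a missing rule.
hook_dispatch() {
    net="$1"
    op="$2"
    [ "$net" = "$NET_NAME" ] || return 0
    case "$op" in
        started|plugged) ensure_fwd_rule "$BRIDGE" ||
                             echo "network hook: could not insert FORWARD rule for $BRIDGE" >&2 ;;
        stopped)         remove_fwd_rule "$BRIDGE" ;;
        *)               : ;;
    esac
}

# Only dispatch when invoked by libvirt with arguments; sourcing the file to
# reuse or test the functions does nothing.
if [ "$#" -ge 2 ]; then
    hook_dispatch "$@"
fi
```

After installing the script, restart libvirtd so it picks up the new hook. The hook fires only on the libvirt events named in the `case` branches (a network being started or an interface being plugged), so it re-applies the rule whenever libvirt itself rebuilds its chains for that network; whether that covers a given firewalld reload depends on libvirt emitting one of those events at that moment.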

Nick

Dec 28, 2021, 8:20:02 PM
I don't see any difference, hook is not triggered after firewall-cmd
--reload.


Reading the https://www.libvirt.org/hooks.html#location

/etc/libvirt/hooks/network
Executed when a network is started or stopped or an interface is
plugged/unplugged to/from the network <-- this doesn't seem to be
exactly what is needed as no such events occur.

At this point systemctl restart libvirtd will trigger
/etc/libvirt/hooks/network and insert the desired rules which I think is
strange because there is /etc/libvirt/hooks/daemon for this.

Nick

Dec 28, 2021, 8:40:04 PM