
Firewalld + libvirt rules conflict

From Nick <decrofn@gmail.com>
Newsgroups linux.debian.maint.firewall
Subject Firewalld + libvirt rules conflict
Date 2021-12-28 14:50 +0100
Message-ID <Dzl1v-3eO-1@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway



Using KVM/libvirt in NAT mode to run VM guests needs forwarding to be 
enabled in order to redirect a host port to a VM port. Libvirt adds iptables 
rules to do its magic; in addition I had to add some more rules like:

iptables -I FORWARD -o virbr0 --proto tcp -m conntrack --ctstate NEW -j ACCEPT

or

firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT


This works on the fly but not when firewalld is reloaded, because the rule 
goes at the bottom of the FORWARD chain where it's supposed to be at the 
top.


This works

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LIBVIRT_FWX  all  --  anywhere             anywhere
LIBVIRT_FWI  all  --  anywhere             anywhere
LIBVIRT_FWO  all  --  anywhere             anywhere


This doesn't work

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_FWX  all  --  anywhere             anywhere
LIBVIRT_FWI  all  --  anywhere             anywhere
LIBVIRT_FWO  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere


As it seems there is no way to insert the needed rule at the top even 
with -I FORWARD 1 upon firewall-cmd --reload, so what options are there 
left to avoid additional work every time firewalld is reloaded?


There are a number of articles on the topic (qemu hook hack etc.) but none 
of them seems to provide a working solution for this case.


Please advise.
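
One way to detect the misordering described above after a reload, as an added example that is not part of Nick's post: a small POSIX shell check over `iptables -S FORWARD` output that reports whether the `-o virbr0 ... -j ACCEPT` rule still sits ahead of the LIBVIRT_* jumps. The two sample rule listings are constructed to mirror the "works" and "doesn't work" chain dumps in the post; the function name `forward_order_ok` and the `check_live` helper are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the FORWARD chain
# still has the libvirt-NAT ACCEPT rule ahead of the LIBVIRT_* jumps.
# Input format is that of `iptables -S FORWARD` (one rule per line).

forward_order_ok() {
    # $1: FORWARD chain in `iptables -S` format.
    # Exit 0 when an "-o virbr0 ... -j ACCEPT" rule precedes the first
    # "-j LIBVIRT_*" jump; exit 1 when it is missing or sits below them
    # (the state seen after `firewall-cmd --reload`).
    printf '%s\n' "$1" | awk '
        /-j LIBVIRT_/ && !seen_accept { bad = 1 }
        /-o virbr0/ && /-j ACCEPT/   { seen_accept = 1 }
        END { exit (seen_accept && !bad) ? 0 : 1 }
    '
}

check_live() {
    # Run against the host (needs root); not used by the samples below.
    forward_order_ok "$(iptables -S FORWARD)"
}

# Constructed samples mirroring the two chain dumps in the post.
SAMPLE_OK='-P FORWARD ACCEPT
-A FORWARD -o virbr0 -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO'

SAMPLE_BAD='-P FORWARD ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -o virbr0 -p tcp -m conntrack --ctstate NEW -j ACCEPT'

for name in SAMPLE_OK SAMPLE_BAD; do
    eval "rules=\$$name"
    if forward_order_ok "$rules"; then
        echo "$name: ACCEPT rule is above the LIBVIRT_* jumps"
    else
        echo "$name: ACCEPT rule missing or below the LIBVIRT_* jumps"
    fi
done
```

Running `check_live` from a cron job or a firewalld reload wrapper gives a cheap alert when a reload has pushed the rule back to the bottom, which is easier to notice than a silently unreachable guest port.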



Thread

Firewalld + libvirt rules conflict Nick <decrofn@gmail.com> - 2021-12-28 14:50 +0100
  Re: Firewalld + libvirt rules conflict Benoit Hivert <hivert.benoit@gmail.com> - 2021-12-28 19:40 +0100
    Re: Firewalld + libvirt rules conflict Nick <decrofn@gmail.com> - 2021-12-29 02:20 +0100
    Re: Firewalld + libvirt rules conflict Nick <amp@nforced.net> - 2021-12-29 02:40 +0100
