
Re: Firewalld + libvirt rules conflict

From Benoit Hivert <hivert.benoit@gmail.com>
Newsgroups linux.debian.maint.firewall
Subject Re: Firewalld + libvirt rules conflict
Date 2021-12-28 19:40 +0100
Message-ID <Dzpya-654-15@gated-at.bofh.it>
References <Dzl1v-3eO-1@gated-at.bofh.it>
Organization linux.* mail to news gateway


Put the rule in a network hook script (https://www.libvirt.org/hooks.html)

On Tue, 28 Dec 2021 at 14:49, Nick <decrofn@gmail.com> wrote:

> Using KVM/libvirt in NAT mode to run VM guests needs forwarding to be
> enabled in order to redirect a host port to a VM port. Libvirt adds iptables
> rules to do its magic; in addition I had to add some more rules like:
>
> iptables -I FORWARD -o virbr0 --proto tcp -m conntrack --ctstate NEW -j ACCEPT
>
> or
>
> firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT
>
>
> This works on the fly but not when firewalld is reloaded, because the rule
> goes to the bottom of the FORWARD chain where it is supposed to be at the
> top.
>
>
> This works
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> LIBVIRT_FWX  all  --  anywhere             anywhere
> LIBVIRT_FWI  all  --  anywhere             anywhere
> LIBVIRT_FWO  all  --  anywhere             anywhere
>
>
> This doesn't work
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> LIBVIRT_FWX  all  --  anywhere             anywhere
> LIBVIRT_FWI  all  --  anywhere             anywhere
> LIBVIRT_FWO  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
>
>
> As it seems there is no way to insert the needed rule at the top even
> with -I FORWARD 1 upon firewall-cmd --reload, what options are there
> left to avoid additional work every time firewalld is reloaded?
>
>
> There are a number of articles on the topic (qemu hook hack etc.) but none
> of them seems to provide a working solution for this case.
>
>
> Please advise.
>
>
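
An illustration of the reply's suggestion, added here and not code from the original post or from libvirt: a `/etc/libvirt/hooks/network` script that, on the network's `started` and `updated` events, re-inserts the question's conntrack rule at position 1 of FORWARD, taking the bridge name from the network XML libvirt passes on stdin. The operation names, the hook path and the argument layout follow the linked libvirt hooks page; everything else is an assumption made for this example.

```sh
#!/bin/sh
# /etc/libvirt/hooks/network  (added example; not part of the original thread)
# libvirt invokes it as:  network <network-name> <operation> <sub-op> <extra>
# with the network's XML definition on stdin.

# Pull the bridge name out of the network XML on stdin, e.g.
#   <bridge name='virbr0' stp='on' delay='0'/>   ->  virbr0
# Prints nothing if the network has no <bridge> element.
bridge_from_xml() {
    sed -n "s/.*<bridge[^>]*name=['\"]\([^'\"]*\)['\"].*/\1/p" | head -n 1
}

# Keep exactly one copy of the rule and put it at the top of FORWARD.
# Deleting any existing copies first makes repeated 'started' events
# idempotent instead of stacking duplicates.
ensure_forward_rule() {
    bridge="$1"
    # Rule spec shared by -C (check), -D (delete) and -I (insert).
    # The rule is the one from the question; only the bridge is dynamic.
    set -- -o "$bridge" -p tcp -m conntrack --ctstate NEW -j ACCEPT
    while iptables -C FORWARD "$@" 2>/dev/null; do
        iptables -D FORWARD "$@"
    done
    iptables -I FORWARD 1 "$@"
}

# Act only when libvirt calls us with hook arguments; sourcing the file
# without arguments (e.g. for testing) just defines the functions.
if [ -n "${2:-}" ]; then
    network="$1"
    operation="$2"
    case "$operation" in
        started|updated)
            bridge=$(bridge_from_xml)
            if [ -n "$bridge" ]; then
                ensure_forward_rule "$bridge"
            fi
            ;;
    esac
fi
```

Make the script executable; the hooks page linked above describes when libvirt starts calling a newly added hook.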



Thread

Firewalld + libvirt rules conflict Nick <decrofn@gmail.com> - 2021-12-28 14:50 +0100
  Re: Firewalld + libvirt rules conflict Benoit Hivert <hivert.benoit@gmail.com> - 2021-12-28 19:40 +0100
    Re: Firewalld + libvirt rules conflict Nick <decrofn@gmail.com> - 2021-12-29 02:20 +0100
    Re: Firewalld + libvirt rules conflict Nick <amp@nforced.net> - 2021-12-29 02:40 +0100
