From: Benoit Hivert
Newsgroups: linux.debian.maint.firewall
Subject: Re: Firewalld + libvirt rules conflict
Date: Tue, 28 Dec 2021 19:40:02 +0100
List-Archive: https://lists.debian.org/msgid-search/CAH-hTEQ3qe_azcSCAyRv2C+eAuumhKv9JDfqU4LMf3W5V-MZqQ@mail.gmail.com

Put the rule in a network hook script (https://www.libvirt.org/hooks.html)

On Tue, 28 Dec 2021 at 14:49, Nick wrote:

> Using KVM/libvirt in NAT mode to run VM guests needs forwarding to be
> enabled in order to redirect a host port to a VM port. Libvirt adds iptables
> rules to do its magic; in addition I had to add some more rules like:
>
> iptables -I FORWARD -o virbr0 --proto tcp -m conntrack --ctstate NEW -j ACCEPT
>
> or
>
> firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT
>
> This works on the fly but not when firewalld is reloaded, because the rule
> goes to the bottom of the FORWARD chain where it is supposed to be at the top.
>
> This works:
>
> Chain FORWARD (policy ACCEPT)
> target       prot opt source       destination
> ACCEPT       all  --  anywhere     anywhere
> LIBVIRT_FWX  all  --  anywhere     anywhere
> LIBVIRT_FWI  all  --  anywhere     anywhere
> LIBVIRT_FWO  all  --  anywhere     anywhere
>
> This doesn't work:
>
> Chain FORWARD (policy ACCEPT)
> target       prot opt source       destination
> LIBVIRT_FWX  all  --  anywhere     anywhere
> LIBVIRT_FWI  all  --  anywhere     anywhere
> LIBVIRT_FWO  all  --  anywhere     anywhere
> ACCEPT       all  --  anywhere     anywhere
>
> As it seems there is no way to insert the needed rule at the top, even
> with -I FORWARD 1, upon firewall-cmd --reload, what options are there
> left to avoid additional work every time firewalld is reloaded?
>
> There are a number of articles on the topic (qemu hook hack etc.) but none
> of them seems to provide a working solution for this case.
>
> Please advise.
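What the reply suggests, written out as an added example (this is not Benoit's, Nick's or libvirt's code): a network hook script of the kind the linked hooks page describes, installed as /etc/libvirt/hooks/network. libvirt calls it as `network <name> <operation> <sub-operation> -` with the network XML on stdin; the script acts on the "started" and "updated" operations. It assumes the NAT network is named "default" on bridge virbr0 (both overridable through the environment), and the iptables binary is overridable through IPTABLES so the logic can be exercised against a stub instead of the live ruleset. It uses the narrower conntrack form of the rule from the question rather than the blanket `-o virbr0 -j ACCEPT`, and it is idempotent: it removes any existing copy before inserting at position 1, so re-running it (on a network restart, or by hand after `firewall-cmd --reload`) never stacks duplicates and always leaves the rule ahead of the LIBVIRT_FW* jumps.

```shell
#!/bin/sh
# Hypothetical /etc/libvirt/hooks/network (example, not libvirt's or the
# poster's code). libvirt invokes it as:
#   network <network-name> <operation> <sub-operation> -
# with the network XML on stdin. "started begin" fires after the network is
# up, "updated begin" after it is modified (see https://www.libvirt.org/hooks.html).
set -eu

NET_NAME="${1:-}"
OPERATION="${2:-}"
SUB_OPERATION="${3:-}"

# Assumptions: NAT network "default" on bridge virbr0; override via the
# environment if yours differs. IPTABLES is overridable so the logic can be
# exercised with a stub instead of the live ruleset.
TARGET_NET="${TARGET_NET:-default}"
BRIDGE="${BRIDGE:-virbr0}"
IPTABLES="${IPTABLES:-iptables}"

# Match part of the rule: only NEW TCP flows heading out to the guest bridge,
# i.e. the DNAT'd host-port -> guest-port traffic. Deliberately narrower than
# "-o virbr0 -j ACCEPT", which would also forward UDP, ICMP and everything
# else toward the guests.
rule_match() {
    printf '%s' "-o $1 -p tcp -m conntrack --ctstate NEW -j ACCEPT"
}

# Return 0 only for the (network, operation) pairs the hook should act on.
should_act() {
    net="$1"; op="$2"
    [ "$net" = "$TARGET_NET" ] || return 1
    case "$op" in
        started|updated) return 0 ;;
        *) return 1 ;;
    esac
}

# Put the ACCEPT at position 1 of FORWARD, ahead of the LIBVIRT_FW* jumps.
# Idempotent: every existing copy is deleted first, so repeated runs never
# duplicate the rule and always leave it at the top.
ensure_rule() {
    br="$1"
    match=$(rule_match "$br")
    # shellcheck disable=SC2086  # word-splitting of $match is intended
    while $IPTABLES -C FORWARD $match 2>/dev/null; do
        $IPTABLES -D FORWARD $match
    done
    # shellcheck disable=SC2086
    $IPTABLES -I FORWARD 1 $match
}

# Hook entry point. Sourcing the file with no arguments, or being called for
# another network or operation, is a no-op.
if should_act "$NET_NAME" "$OPERATION"; then
    ensure_rule "$BRIDGE"
fi
```

Install it with mode 0755 and restart libvirtd so the new hook is picked up. For a dry run, point IPTABLES at a wrapper that only prints its arguments and invoke the script as `network default started begin -`; the `iptables -C` check is what makes a second invocation safe.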