On Tue, Dec 17, 2024 at 11:39:06AM +0100, Max Hofer wrote:
> Package: libvirt-daemon-driver-network
> Version: 10.10.0-3
> Severity: normal
>
> Upgrading to libvirt breaks the internet access to my guest machines
> using NAT forwarding. Default firewalld is installed.
>
> I attached the iptables rules from libvirt 10.10.0-1 (using iptables as
> firewall backend) and the new one after the upgrade with the nftables as
> backend.
>
> Workaround: enabling the setting 'firewall_backend = "iptables"' in
> /etc/libvirt/network.conf restores the old behavior.

[...]

> *filter
> :INPUT ACCEPT [40677:4186813]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [41189:72181069]
> :DOCKER - [0:0]
> :DOCKER-ISOLATION-STAGE-1 - [0:0]
> :DOCKER-ISOLATION-STAGE-2 - [0:0]
> :DOCKER-USER - [0:0]
> :LIBVIRT_FWI - [0:0]
> :LIBVIRT_FWO - [0:0]
> :LIBVIRT_FWX - [0:0]
> :LIBVIRT_INP - [0:0]
> :LIBVIRT_OUT - [0:0]
> -A INPUT -j LIBVIRT_INP
> -A FORWARD -j LIBVIRT_FWX
> -A FORWARD -j LIBVIRT_FWI
> -A FORWARD -j LIBVIRT_FWO
> -A FORWARD -j DOCKER-USER
> -A FORWARD -j DOCKER-ISOLATION-STAGE-1
> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -o docker0 -j DOCKER
> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> -A FORWARD -i docker0 -o docker0 -j ACCEPT
> -A OUTPUT -j LIBVIRT_OUT
> -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
> -A DOCKER-ISOLATION-STAGE-1 -j RETURN
> -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
> -A DOCKER-ISOLATION-STAGE-2 -j RETURN
> -A DOCKER-USER -j RETURN
> -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
> -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
> COMMIT

Thanks for reaching out.

I'm no firewall expert but I see that there are some Docker rules in
there, so I think you might be hitting the same issue mentioned here:

  https://fedoraproject.org/wiki/Changes/LibvirtVirtualNetworkNFTables#Known_issue:_docker

Can you try disabling Docker and checking whether the libvirt nftables
backend works as expected then?

We might need to document this incompatibility more prominently, for
example in the release notes.

-- 
Andrea Bolognani <e...@kiyuko.org>
Resistance is futile, you will be garbage collected.
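As an added diagnostic (not part of this thread, of libvirt or of Docker), the check below parses iptables-save output like the dump quoted in the report and flags the condition the linked known issue describes: Docker sets the iptables FORWARD policy to DROP, and once libvirt's rules move into its own nftables table no rule in that iptables chain accepts virbr0 traffic any more. The two dumps are constructed from the report's rules, and the mechanism is assumed from the linked known issue rather than stated in the thread.

```python
# Constructed iptables-save dumps modelled on the report's. Docker leaves the
# FORWARD policy at DROP; only the iptables backend adds a LIBVIRT_* ACCEPT.
IPTABLES_BACKEND = """\
*filter
:FORWARD DROP [0:0]
:LIBVIRT_FWO - [0:0]
-A FORWARD -j LIBVIRT_FWO
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
NFTABLES_BACKEND = """\
*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
"""

def parse_filter(dump):
    """Return ({chain: policy}, {chain: [rule tokens]}) for the *filter table."""
    policies, rules, in_filter = {}, {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif in_filter and line.startswith("-A "):
            _, chain, *args = line.split()
            rules.setdefault(chain, []).append(args)
    return policies, rules

def bridge_accepted(rules, chain, bridge, seen=frozenset()):
    """True if some rule reachable from chain ACCEPTs traffic on bridge."""
    if chain in seen:  # guard against chain loops
        return False
    for args in rules.get(chain, []):
        target = args[args.index("-j") + 1] if "-j" in args else None
        if target == "ACCEPT" and bridge in args:
            return True
        if target in rules and bridge_accepted(rules, target, bridge, seen | {chain}):
            return True
    return False

def forward_drop_risk(dump, bridge="virbr0"):
    """True when FORWARD's policy is DROP and no reachable rule accepts the bridge."""
    policies, rules = parse_filter(dump)
    return policies.get("FORWARD") == "DROP" and not bridge_accepted(rules, "FORWARD", bridge)
```

Feed it the output of `iptables-save` on the affected host; a True result points at the Docker FORWARD policy rather than at libvirt's own nftables rules.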