On Wed, Dec 18, 2024 at 12:47:53PM +0100, NoisyCoil wrote:
> I see the same behavior by simply having ufw installed and enabled, no special
> rules, no docker installed. Disabling ufw or manually adding blanket INPUT and
> FORWARD rules to enable incoming and outgoing traffic from/to the virbr+
> interfaces fixes this, but neither is a good solution.
>
> It seems that libvirt should provide extra firewall rules if it wants to play
> nicely with nftables. Having ufw (or docker, or anything else really) installed
> should not prevent NAT from working. On the other hand, if for some reason this
> is the new intended behavior, then the change should be documented together
> with the precise list of rules needed to enable NAT when the default for INPUT
> and FORWARD is DROP (i.e. usually whenever a firewall is active).
This too is a known issue:

  https://fedoraproject.org/wiki/Changes/LibvirtVirtualNetworkNFTables#Known_issue:_non-firewalld_firewall_mgmt_tools

Both this and the Docker incompatibility are probably fine in the context of a
distro such as Fedora, where firewalld and Podman are the "blessed" solutions in
their respective fields, but Debian is much less opinionated than that.

I need to spend some more time thinking about this, but switching the default
network backend back to iptables might be the most reasonable solution.

-- 
Andrea Bolognani <e...@kiyuko.org>
Resistance is futile, you will be garbage collected.
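The "blanket INPUT and FORWARD rules" workaround NoisyCoil mentions, written out as an added example. This is not code from the thread, from libvirt or from ufw. One detail matters for where the rules go: libvirt's nftables backend keeps its ACCEPT rules in its own table, and in nftables every base chain registered on a hook sees the packet in turn, so an ACCEPT in libvirt's chain does not stop a later DROP from ufw's chain. The rules therefore have to land inside ufw's own ruleset, which is what the script below does by inserting them into a before.rules-style file. Assumptions: ufw's /etc/ufw/before.rules layout (iptables-restore format, a *filter section closed by COMMIT) and its stock ufw-before-input and ufw-before-forward chains; the sample file written by write_sample_before_rules is constructed for the demo and much shorter than a real one.

```sh
#!/bin/sh
# Added example, not code from the thread, libvirt or ufw.
# Assumes ufw's before.rules format and its ufw-before-input/-forward chains.

# Write a constructed, trimmed-down before.rules to $1 so the script can be
# exercised without touching /etc/ufw. Real files carry many more rules.
write_sample_before_rules() {
  cat > "$1" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Insert ACCEPT rules for the libvirt bridges (iptables "virbr+" wildcard) into
# the *filter section, just before its COMMIT, leaving other sections (*nat)
# alone. Idempotent: if the rules are already present nothing is changed.
add_virbr_rules() {
  f="$1"
  if grep -q -- '-i virbr+ -j ACCEPT' "$f"; then
    return 0
  fi
  tmp="$f.tmp.$$"
  awk '
    /^\*filter/ { in_filter = 1 }
    /^\*/ && !/^\*filter/ { in_filter = 0 }
    in_filter && /^COMMIT/ {
      print "# libvirt guest traffic: allow on all virbr+ bridges (workaround)"
      print "-A ufw-before-input -i virbr+ -j ACCEPT"
      print "-A ufw-before-forward -i virbr+ -j ACCEPT"
      print "-A ufw-before-forward -o virbr+ -j ACCEPT"
      in_filter = 0
    }
    { print }
  ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Number of virbr+ ACCEPT rules in the file (0 when none; never fails).
count_virbr_rules() {
  grep -c -- 'virbr+ -j ACCEPT' "$1" || :
}

# Succeed only if exactly three virbr+ ACCEPT rules exist and all of them sit
# inside the *filter section; a rule that drifted into *nat would be rejected
# by iptables-restore and break ufw reload.
virbr_rules_in_filter() {
  awk '
    /^\*filter/ { in_filter = 1 }
    /^\*/ && !/^\*filter/ { in_filter = 0 }
    /virbr\+ -j ACCEPT/ { if (in_filter) ok++; else bad++ }
    END { exit !(ok == 3 && bad == 0) }
  ' "$1"
}

# Demo on a temporary copy: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp)
  write_sample_before_rules "$demo"
  add_virbr_rules "$demo"
  add_virbr_rules "$demo"   # second run must not duplicate the rules
  cat "$demo"
  rm -f "$demo"
fi
```

Against the real file this is `add_virbr_rules /etc/ufw/before.rules` as root followed by `ufw reload`. The rules are deliberately as blanket as the ones the poster describes: anything arriving on a virbr bridge is accepted on INPUT and forwarded in both directions. A tighter variant keeps the same chains but limits INPUT to what libvirt's dnsmasq actually serves the guests (DHCP and DNS) and limits FORWARD to `-i virbr+ -o <uplink>` plus the RELATED,ESTABLISHED return path that ufw already accepts.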