• Firewalld + libvirt rules conflict

    From Nick@21:1/5 to All on Tue Dec 28 14:50:01 2021
    Using KVM/libvirt in NAT mode to run VM guests needs forwarding to be
    enabled in order to redirect a host port to a VM port. Libvirt adds iptables
    rules to do its magic; in addition I had to add some more rules like:

    iptables -I FORWARD -o virbr0 --proto tcp -m conntrack --ctstate NEW -j ACCEPT

    or

    firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT


    This works on the fly but not when firewalld is reloaded, because the rule
    goes to the bottom of the FORWARD chain where it's supposed to be at the
    top.


    This works

    Chain FORWARD (policy ACCEPT)
    target       prot opt source               destination
    ACCEPT       all  --  anywhere             anywhere
    LIBVIRT_FWX  all  --  anywhere             anywhere
    LIBVIRT_FWI  all  --  anywhere             anywhere
    LIBVIRT_FWO  all  --  anywhere             anywhere


    This doesn't work

    Chain FORWARD (policy ACCEPT)
    target       prot opt source               destination
    LIBVIRT_FWX  all  --  anywhere             anywhere
    LIBVIRT_FWI  all  --  anywhere             anywhere
    LIBVIRT_FWO  all  --  anywhere             anywhere
    ACCEPT       all  --  anywhere             anywhere


    As it seems there is no way to insert the needed rule at the top, even
    with -I FORWARD 1, upon firewall-cmd --reload, so what options are
    left to avoid additional work every time firewalld is reloaded?


    There are a number of articles on the topic (qemu hook hack etc.) but none
    of them seems to provide a working solution for this case.


    Please advise.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Benoit Hivert@21:1/5 to All on Tue Dec 28 19:40:02 2021
    Put the rule in a network hook script (https://www.libvirt.org/hooks.html)

    On Tue, 28 Dec 2021 at 14:49, Nick <decrofn@gmail.com> wrote:

    Using KVM/libvirt in NAT mode to run VM guests needs forwarding to be
    enabled in order to redirect a host port to a VM port. Libvirt adds iptables
    rules to do its magic; in addition I had to add some more rules like:

    iptables -I FORWARD -o virbr0 --proto tcp -m conntrack --ctstate NEW -j ACCEPT

    or

    firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT


    This works on the fly but not when firewalld is reloaded, because the rule
    goes to the bottom of the FORWARD chain where it's supposed to be at the
    top.


    This works

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    LIBVIRT_FWX all -- anywhere anywhere
    LIBVIRT_FWI all -- anywhere anywhere
    LIBVIRT_FWO all -- anywhere anywhere


    This doesn't work

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    LIBVIRT_FWX all -- anywhere anywhere
    LIBVIRT_FWI all -- anywhere anywhere
    LIBVIRT_FWO all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere


    As it seems there is no way to insert the needed rule at the top, even
    with -I FORWARD 1, upon firewall-cmd --reload, so what options are
    left to avoid additional work every time firewalld is reloaded?


    There are a number of articles on the topic (qemu hook hack etc.) but none
    of them seems to provide a working solution for this case.


    Please advise.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
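    As an added example (not code from either poster), a small POSIX shell script that performs the check both posts turn on: whether the ACCEPT rule for virbr0 is still the first rule in FORWARD, ahead of the LIBVIRT_FW* jumps, or has been pushed to the bottom by a firewalld reload. It parses `iptables -S FORWARD` output (an assumed format), is exercised here on constructed listings mirroring the two in the first post, and only touches the live firewall when invoked with the argument `apply`, e.g. from a libvirt hook script or after `firewall-cmd --reload`.

```shell
#!/bin/sh
# Added example, not from the thread: check the FORWARD ordering the thread
# describes. The ACCEPT rule for the libvirt bridge must precede the
# LIBVIRT_FWX/FWI/FWO jumps; after firewall-cmd --reload it lands at the bottom.
# Parses `iptables -S FORWARD` (assumed format); only "apply" mode touches
# the live firewall (needs root and iptables).
BRIDGE="${BRIDGE:-virbr0}"   # libvirt NAT bridge named in the thread

# forward_rule_is_first: read `iptables -S FORWARD` on stdin; exit 0 only if
# the first -A rule accepts traffic leaving via $BRIDGE (with or without the
# tcp/conntrack match from the first post).
forward_rule_is_first() {
    awk -v br="$BRIDGE" '
        /^-A FORWARD / && !seen { seen = 1; first = $0 }
        END { exit (first ~ ("-o " br " ") && first ~ /-j ACCEPT$/) ? 0 : 1 }'
}

# ensure_forward_rule: live repair. Removes copies of the plain rule that were
# appended at the bottom, then inserts one at position 1.
ensure_forward_rule() {
    if iptables -S FORWARD | forward_rule_is_first; then
        return 0
    fi
    while iptables -D FORWARD -o "$BRIDGE" -j ACCEPT 2>/dev/null; do :; done
    iptables -I FORWARD 1 -o "$BRIDGE" -j ACCEPT
}

# Constructed listings mirroring the working and broken chains in the thread.
GOOD_CHAIN='-P FORWARD ACCEPT
-A FORWARD -o virbr0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO'
BAD_CHAIN='-P FORWARD ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -o virbr0 -j ACCEPT'

# check_sample NAME LISTING: report on one listing; status 0 = rule is first.
check_sample() {
    if printf '%s\n' "$2" | forward_rule_is_first; then
        echo "$1: ACCEPT rule is first, host->guest forwarding works"
    else
        echo "$1: ACCEPT rule is not first, run with 'apply' to fix"; return 1
    fi
}

check_sample good "$GOOD_CHAIN"
check_sample bad "$BAD_CHAIN" || true
if [ "${1:-}" = apply ]; then ensure_forward_rule; fi
```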
  • From Nick@21:1/5 to All on Wed Dec 29 02:40:03 2021
    I don't see any difference; the hook is not triggered after firewall-cmd
    --reload.


    Reading the https://www.libvirt.org/hooks.html#location

    /etc/libvirt/hooks/network
    Executed when a network is started or stopped or an interface is plugged/unplugged to/from the network <-- this doesn't seem to be
    exactly what is needed, as no such events occur.

    At this point systemctl restart libvirtd will trigger /etc/libvirt/hooks/network and insert the desired rules, which I think is strange because there is /etc/libvirt/hooks/daemon for this.

    --
    *This server is powered by 220V*

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)