
#1 2024-06-07 08:10:35

tachtler
Member
Registered: 2020-08-23
Posts: 25

[SOLVED] - libvirtd missing iptables rules since networkmanager update

Hi,

After an update of the package "networkmanager", the iptables firewall rules for DHCP/DNS of a virtual network (virbr0 = default / 192.168.122.0/24) are missing after a restart of libvirtd.service.

Does anyone else have this problem and possibly a solution?

Thanks in advance and best regards
Klaus.

Last edited by tachtler (2024-06-12 12:31:29)


#2 2024-06-07 12:21:31

ITALIEN
Member
Registered: 2023-09-28
Posts: 6

Re: [SOLVED] - libvirtd missing iptables rules since networkmanager update

No solution but I also have this issue after networkmanager update.


#3 2024-06-07 13:10:32

tachtler
Member
Registered: 2020-08-23
Posts: 25

Re: [SOLVED] - libvirtd missing iptables rules since networkmanager update

Hi,

iptables before (btrfs snapshot from a few days earlier):

# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jun  7 14:59:54 2024
*mangle
:PREROUTING ACCEPT [31:3998]
:INPUT ACCEPT [29:3172]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:2048]
:POSTROUTING ACCEPT [32:2048]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Jun  7 14:59:54 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jun  7 14:59:54 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [32:2048]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "REC-INP Defend " --log-level 5
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Fri Jun  7 14:59:54 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jun  7 14:59:54 2024
*nat
:PREROUTING ACCEPT [4:1326]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [12:728]
:POSTROUTING ACCEPT [12:728]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Jun  7 14:59:54 2024

ip6tables before (btrfs snapshot from a few days earlier):

# Generated by ip6tables-save v1.8.10 (nf_tables) on Fri Jun  7 14:59:59 2024
*mangle
:PREROUTING ACCEPT [7:344]
:INPUT ACCEPT [7:344]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21:1864]
:POSTROUTING ACCEPT [27:2152]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Fri Jun  7 14:59:59 2024
# Generated by ip6tables-save v1.8.10 (nf_tables) on Fri Jun  7 14:59:59 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [21:1864]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "REC-INP Defend " --log-level 5
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT --reject-with icmp6-addr-unreachable
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d fd00:0:0:22::/118 -o virbr0 -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp6-port-unreachable
-A LIBVIRT_FWO -s fd00:0:0:22::/118 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp6-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 547 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 546 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
# Completed on Fri Jun  7 14:59:59 2024
# Generated by ip6tables-save v1.8.10 (nf_tables) on Fri Jun  7 14:59:59 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Fri Jun  7 14:59:59 2024

Maybe this can help?

Greetings
Klaus.

Last edited by tachtler (2024-06-07 13:11:02)


#4 2024-06-07 13:17:12

AaAaAAaaAAaARCH
Member
Registered: 2024-02-29
Posts: 42

Re: [SOLVED] - libvirtd missing iptables rules since networkmanager update

There were some changes to the default network backend of libvirt about a week ago; check whether the rules are now created in nftables instead:

sudo nft list ruleset

This can be configured in network.conf
https://github.com/libvirt/libvirt/blob … rk.conf.in

Last edited by AaAaAAaaAAaARCH (2024-06-07 13:38:27)


#5 2024-06-08 05:19:52

tachtler
Member
Registered: 2020-08-23
Posts: 25

Re: [SOLVED] - libvirtd missing iptables rules since networkmanager update

Hi AaAaAAaaAAaARCH,

Yes, you're right, BUT these rules are NOT active when I list all iptables rules (only IPv4, for example):

# iptables-nft -4 -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "REC-INP Defend " --log-level 5
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -j LOG --log-prefix "REC-FWD Defend " --log-level 5

But the nft command (only IPv4, for example) shows me this:

# nft list ruleset ip
table ip libvirt_network {
	chain forward {
		type filter hook forward priority filter; policy accept;
		counter packets 0 bytes 0 jump guest_cross
		counter packets 0 bytes 0 jump guest_input
		counter packets 0 bytes 0 jump guest_output
	}

	chain guest_output {
		ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept
		iif "virbr0" counter packets 0 bytes 0 reject
	}

	chain guest_input {
		oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept
		oif "virbr0" counter packets 0 bytes 0 reject
	}

	chain guest_cross {
		iif "virbr0" oif "virbr0" counter packets 0 bytes 0 accept
	}

	chain guest_nat {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 1 bytes 40 return
		ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
		meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
	}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		xt match "conntrack" counter packets 125 bytes 66883 accept
		ip protocol icmp counter packets 0 bytes 0 accept
		iifname "lo" counter packets 0 bytes 0 accept
		tcp dport 22 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 xt target "LOG"
		ip protocol tcp counter packets 0 bytes 0 xt target "REJECT"
		ip protocol udp counter packets 0 bytes 0 xt target "REJECT"
		counter packets 0 bytes 0 xt target "REJECT"
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 xt target "LOG"
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}

What did I do wrong?

Greetings
Klaus.


#6 2024-06-08 07:55:03

tachtler
Member
Registered: 2020-08-23
Posts: 25

Re: [SOLVED] - libvirtd missing iptables rules since networkmanager update

Hi,

I've opened a bug report -> https://gitlab.com/libvirt/libvirt/-/issues/645

My solution was to change

/etc/libvirt/network.conf

and set ->

firewall_backend = "iptables"

After a restart, the rules are now still available!

Greetings
Klaus.


#7 2024-06-08 08:08:13

AaAaAAaaAAaARCH
Member
Registered: 2024-02-29
Posts: 42

Re: [SOLVED] - libvirtd missing iptables rules since networkmanager update

To go back to the old scenario you can configure libvirt to use iptables, as I see you already did. To fix the new scenario (since I was already typing it and you created a bug report):

Now that libvirt is using nftables and your own rules use iptables-nft, there are two separate chains that hook the FORWARD path at the filter priority.

table ip libvirt_network {
	chain forward {
		type filter hook forward priority filter; policy accept;
		....
	}
....

and

# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
...
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 0 bytes 0 xt target "LOG"
	}
....

The rules in the chains are executed separately in the new scenario. The first chain will return ACCEPT, but the second chain always returns DROP/REJECT. Since all hooked chains will always be executed for every packet, the second chain just drops every packet.

To fix that you need to change the decision for the second chain (ip filter).

iptables -A FORWARD -i virbr0 -j ACCEPT
iptables -A FORWARD -o virbr0 -j ACCEPT

Keep those rules simple, because we can rely on the more advanced rules created by libvirt in its own hooked chain (WHEN IT IS CONFIGURED TO USE NFTABLES).

You can see the packet counters of the reject decisions with

sudo nft list counters

Last edited by AaAaAAaaAAaARCH (2024-06-08 08:20:13)

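The two-base-chains situation from the reply above, as an added example that is not part of the original thread and not libvirt's or nftables' code: a small Python checker that parses the text printed by `nft list ruleset` (only the subset seen in this thread: table/chain blocks, the `type ... hook ... priority ...; policy ...;` line and one rule per line), reports hooks that carry more than one filter base chain, and tells you whether a drop-policy chain on such a hook has an accept rule for the bridge. The sample ruleset is constructed from the output posted earlier in the thread, and the "fixed" variant is what iptables-nft renders the two `iptables -A FORWARD ... -j ACCEPT` rules as; the function and variable names are this example's own.

```python
"""Checker for the situation in the reply above: libvirt's nftables backend
and iptables-nft each own a base chain on the same 'forward' hook.  A packet
passes a hook only if every base chain on it accepts; the first drop/reject
is final, so the iptables-nft 'ip filter' FORWARD chain (policy drop) wins
unless it explicitly accepts virbr0 traffic.
Added example, not libvirt's or nftables' code; parses `nft list ruleset` text."""
import re
import sys
from collections import defaultdict

# Constructed sample, trimmed from the `nft list ruleset ip` output in this thread.
SAMPLE = """\
table ip libvirt_network {
    chain forward {
        type filter hook forward priority filter; policy accept;
        counter packets 0 bytes 0 jump guest_output
    }
    chain guest_output {
        ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept
        iif "virbr0" counter packets 0 bytes 0 reject
    }
    chain guest_nat {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 0 bytes 0 xt target "LOG"
    }
}
"""

# Same ruleset after `iptables -A FORWARD -i virbr0 -j ACCEPT` and
# `iptables -A FORWARD -o virbr0 -j ACCEPT`.  -A appends after the
# non-terminating LOG rule, so guest traffic is still logged before it is
# accepted; `iptables -I FORWARD 1 ...` would put the accepts first.
FIXED = SAMPLE.replace(
    'xt target "LOG"\n',
    'xt target "LOG"\n'
    '        iifname "virbr0" counter packets 0 bytes 0 accept\n'
    '        oifname "virbr0" counter packets 0 bytes 0 accept\n')

BASE_RE = re.compile(r'^type (\S+) hook (\S+) priority (\S+); policy (\S+);$')


def parse_ruleset(text):
    """{(family, table): {chain: {'hook': (type, hook, prio, policy) or None,
    'rules': [rule line, ...]}}}"""
    tables, table, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('table '):
            _, family, name, _ = line.split()
            table, chain = (family, name), None
            tables[table] = {}
        elif line.startswith('chain ') and table is not None:
            chain = line.split()[1]
            tables[table][chain] = {'hook': None, 'rules': []}
        elif line == '}':                 # closes the chain, else the table
            if chain is None:
                table = None
            chain = None
        elif chain is not None:
            m = BASE_RE.match(line)
            if m:
                tables[table][chain]['hook'] = m.groups()
            else:
                tables[table][chain]['rules'].append(line)
    return tables


def hook_collisions(tables):
    """{(family, hook): [(table, chain, policy), ...]} for hooks that carry
    more than one filter-type base chain (nat chains are not verdict filters)."""
    by_hook = defaultdict(list)
    for (family, tname), chains in tables.items():
        for cname, c in chains.items():
            if c['hook'] and c['hook'][0] == 'filter':
                by_hook[(family, c['hook'][1])].append((tname, cname, c['hook'][3]))
    return {k: v for k, v in by_hook.items() if len(v) > 1}


def chain_accepts_iface(tables, family, tname, cname, iface):
    """True if the chain has a plain accept matched on iif/oif(name) == iface."""
    rules = tables.get((family, tname), {}).get(cname, {}).get('rules', [])
    pat = re.compile(r'(?:^|\s)(?:iif|oif|iifname|oifname) "%s"(?:\s|$)' % re.escape(iface))
    return any(pat.search(r) and r.endswith(' accept') for r in rules)


def diagnose(text, iface='virbr0'):
    """One finding per colliding hook, plus one per drop-policy chain on that
    hook that has no accept rule for the bridge interface."""
    tables = parse_ruleset(text)
    findings = []
    for (family, hook), chains in hook_collisions(tables).items():
        names = ', '.join('%s/%s (policy %s)' % c for c in chains)
        findings.append('%s %s hook has %d base chains: %s' % (family, hook, len(chains), names))
        for tname, cname, policy in chains:
            if policy == 'drop' and not chain_accepts_iface(tables, family, tname, cname, iface):
                findings.append('  %s/%s drops by default and has no accept for %s' % (tname, cname, iface))
    return findings


if __name__ == '__main__':               # sudo nft list ruleset | python3 check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print('\n'.join(diagnose(text)) or 'no colliding filter hooks')
```

Run against the sample it reports the `ip forward` collision and that `filter/FORWARD` has no accept for virbr0; against the fixed variant only the collision itself remains, which is expected and harmless once the iptables-nft chain lets bridge traffic through. Note that this only checks base chains of type filter; the libvirt `guest_nat` chain on the postrouting hook is deliberately ignored.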

#8 2024-06-11 20:04:10

ITALIEN
Member
Registered: 2023-09-28
Posts: 6

Re: [SOLVED] - libvirtd missing iptables rules since networkmanager update

tachtler wrote:

Hi,

I've opened a bug report -> https://gitlab.com/libvirt/libvirt/-/issues/645

My solution was to change

/etc/libvirt/network.conf

and set ->

firewall_backend = "iptables"

After a restart, the rules are now still available!

Greetings
Klaus.


This was the solution. Thanks!


#9 2024-06-12 12:32:52

tachtler
Member
Registered: 2020-08-23
Posts: 25

Re: [SOLVED] - libvirtd missing iptables rules since networkmanager update

From the bug report: https://gitlab.com/libvirt/libvirt/-/issues/645


Laine Stump
@lainestump · 19 hours ago
Developer

The behavior as you've described is correct. Having iptables-legacy installed does not mean that you don't have nftables installed, it just means that:

    when an iptables command is issued, communication between the iptables application and the kernel is accomplished via the iptables API rather than the nftables API, and

    when you run "nft list ruleset" you will not see the rules that were added with iptables commands; you will only see those rules when you run iptables -S/-I (when iptables-nft is in use, you see the iptables rules in both places)

The difference between iptables-nft and iptables-legacy is all explained here:

https://developers.redhat.com/blog/2020 … -nftables#

When libvirt checks for the availability of nftables, it is just checking if the "nft" user command is available somewhere in $PATH. So if the auto-config is set to prefer nftables and you want libvirt to use iptables, you must either set it in /etc/libvirt/network.conf, or you must uninstall the userland package that provides /usr/sbin/nftables, which in the case of Fedora is the package "nftables" (and I would assume it's the same on Arch). Removing that package won't remove nftables functionality from the kernel (which is good, because anyway iptables uses that!), but it does get rid of /usr/sbin/nft, and once that is done, libvirt will correctly determine that the nftables backend is non-viable, and will select the iptables backend instead.

Because the reported behavior is correct, I'm closing this issue.

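The backend choice from the `firewall_backend = "iptables"` fix in post #6 and the detection rule quoted from the bug report above, as an added example that is neither libvirt's code nor part of the original thread: a Python script that works out which backend libvirt will end up with (an explicit setting in /etc/libvirt/network.conf wins; otherwise nftables is chosen whenever an `nft` binary is in $PATH) and where its rules will then be visible (`nft list ruleset` for the nftables backend, `iptables -S` for the iptables backend, and both only when iptables is the nf_tables variant). Assumptions: the automatic order is nftables before iptables, as the bug report describes for this setup; only the `key = "value"` line form used by network.conf is parsed; and the typographic quotes that forum software substitutes (as in the original post #6) are treated as a config error, since libvirt's parser only recognises ASCII quotes. Function and variable names are this example's own.

```python
"""Which firewall backend will libvirt use, and where will its rules show up?
Added example, not libvirt's code.  Assumes auto-detection prefers nftables
and that only `firewall_backend = "..."` lines in network.conf matter."""
import os
import re
import shutil
import subprocess

CONF_PATH = '/etc/libvirt/network.conf'
VALID = ('nftables', 'iptables')
SMART_QUOTES = '\u201c\u201d\u2018\u2019'   # what web pages turn " and ' into
LINE_RE = re.compile(r'^\s*firewall_backend\s*=\s*(.+?)\s*$')


def configured_backend(conf_text):
    """Value of an uncommented firewall_backend line, or None if unset.
    Raises ValueError for typographic quotes (copy-paste trap: libvirt's
    parser expects ASCII quotes) and for values libvirt does not know."""
    value = None
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)           # '#firewall_backend = ...' never matches
        if not m:
            continue
        raw = m.group(1)
        if any(ch in SMART_QUOTES for ch in raw):
            raise ValueError('typographic quotes in: %s' % line.strip())
        value = raw.strip('"\'')
        if value not in VALID:
            raise ValueError('unknown firewall_backend %r' % value)
    return value                          # last assignment wins


def effective_backend(conf_text, nft_in_path):
    """Explicit setting if present, else nftables when `nft` is in $PATH."""
    return configured_backend(conf_text) or ('nftables' if nft_in_path else 'iptables')


def rule_visibility(backend, iptables_variant='nft'):
    """(seen by `iptables -S`, seen by `nft list ruleset`, nft tables to inspect)."""
    if backend == 'nftables':
        return (False, True, ('libvirt_network',))
    if iptables_variant == 'nft':         # iptables-nft mirrors rules into nft tables
        return (True, True, ('filter', 'nat', 'mangle'))
    return (True, False, ())              # iptables-legacy: invisible to nft


def report(conf_path=CONF_PATH):
    """Run on the host: the backend libvirt would pick and where to look for rules."""
    conf = open(conf_path).read() if os.path.exists(conf_path) else ''
    backend = effective_backend(conf, shutil.which('nft') is not None)
    try:                                  # 'iptables v1.8.10 (nf_tables)' vs '(legacy)'
        version = subprocess.run(['iptables', '-V'], capture_output=True, text=True).stdout
    except OSError:
        version = ''
    variant = 'nft' if 'nf_tables' in version else 'legacy'
    return (backend, variant) + rule_visibility(backend, variant)


if __name__ == '__main__':
    backend, variant, in_ipt, in_nft, tables = report()
    print('backend=%s iptables=%s  visible in iptables -S: %s  in nft: %s  tables: %s'
          % (backend, variant, in_ipt, in_nft, ', '.join(tables) or '-'))
```

With the thread's setup (no explicit setting, `nft` installed, iptables-nft) this prints `backend=nftables`, which is exactly why post #5 saw the `libvirt_network` table in `nft list ruleset` but nothing from libvirt in `iptables-nft -S`. After adding `firewall_backend = "iptables"` the rules land in the `ip filter`/`nat`/`mangle` tables that both tools display, and on an iptables-legacy host they would be visible only to `iptables -S`.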
