My Windows guest with libvirt/virt-manager doesn't get internet access. After browsing other threads and the wiki I believe my issue is with the firewall backend. I tried changing firewall_backend to "iptables" in /etc/libvirt/network.conf, however that didn't resolve the issue.
Here is my default network:
<network>
  <name>default</name>
  <uuid>ca20a639-1dad-4ced-b8c1-4de6db5283c3</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:4f:e3:48'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
  <ip family='ipv6' address='2001:db8:ca2:2::1' prefix='64'>
  </ip>
</network>
The guest is using a virtio NIC on the default network (I have installed the virtio drivers).
All my poking around seems to suggest something might be wrong with my firewall / ufw, but I am practically illiterate when it comes to networking.
Last edited by croxymoc (2024-07-23 20:55:52)
I followed this thread and I'm 90% sure my issue is with network manager somehow. However, I do not have systemd-networkd enabled as of now, so there must be some remnant from when I did which is screwing things up.
journalctl output for libvirt:
Jul 20 13:35:06 Framework systemd[1]: Starting libvirt legacy monolithic daemon...
Jul 20 13:35:06 Framework libvirtd[48436]: setlocale: No such file or directory
Jul 20 13:35:06 Framework systemd[1]: Started libvirt legacy monolithic daemon.
Jul 20 13:35:06 Framework dnsmasq[48547]: started, version 2.90 cachesize 150
Jul 20 13:35:06 Framework dnsmasq[48547]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash >
Jul 20 13:35:06 Framework dnsmasq-dhcp[48547]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
Jul 20 13:35:06 Framework dnsmasq-dhcp[48547]: router advertisement on 2001:db8:ca2:2::
Jul 20 13:35:06 Framework dnsmasq-dhcp[48547]: DHCP, sockets bound exclusively to interface virbr0
Jul 20 13:35:06 Framework dnsmasq[48547]: reading /etc/resolv.conf
Jul 20 13:35:06 Framework dnsmasq[48547]: using nameserver 127.0.0.53#53
Jul 20 13:35:06 Framework dnsmasq[48547]: read /etc/hosts - 2 names
Jul 20 13:35:06 Framework dnsmasq[48547]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 names
Jul 20 13:35:06 Framework dnsmasq-dhcp[48547]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Jul 20 13:35:37 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Jul 20 13:35:43 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Jul 20 13:35:57 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Jul 20 13:36:10 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Jul 20 13:45:21 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Jul 20 13:54:27 Framework dnsmasq-dhcp[48547]: RTR-ADVERT(virbr0) 2001:db8:ca2:2::
Okay, so if I flush my nft ruleset after each host startup, before starting the guest, I get internet. I thought firewalld had its zone for libvirt so it would allow guest to host, but for some reason it doesn't. I really don't understand what I am doing and would love it if someone actually pointed me to a resource on how to configure the libvirt policy/zone so I don't have to flush nft every time.
systemctl status nftables.service
nft.service is inactive now (as I think it should be)
I also seem to have fixed it permanently by
> # systemctl stop firewalld
> # nft flush ruleset
> # systemctl start firewalld
> # firewall-cmd --complete-reload
> # firewall-cmd --set-default-zone=public
> # firewall-cmd --runtime-to-permanent
Leaving this here in case someone else has a similar issue.
EDIT:
Never mind, it still doesn't work after reboot, but I already marked it as solved and it kind of is, so I'll let it sit.
Last edited by croxymoc (2024-07-23 19:13:34)
Thanks, this solved my problem too. Last week multiple guests that I've been using for years (Windows & Linux) had network issues after a system update, along with all Docker containers. It seems like some combination of NetworkManager/firewall settings that used to work fine is now breaking my network bridges.
Never mind, it still doesn't work after reboot, but I already marked it as solved and it kind of is, so I'll let it sit.
So no, it's not.
What nft.service?
Please post the output of
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
If you then also disable firewalld, do you get access to the port/http service?
auto-cpufreq.service | multi-user.target.wants
bluetooth.service | bluetooth.target.wants
dbus-org.bluez.service | system
dbus-org.fedoraproject.FirewallD1.service | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service | system
dbus-org.freedesktop.timesync1.service | system
display-manager.service | system
docker.socket | sockets.target.wants
firewalld.service | multi-user.target.wants
gcr-ssh-agent.socket | sockets.target.wants
getty@tty1.service | getty.target.wants
iwd.service | multi-user.target.wants
libvirtd-admin.socket | sockets.target.wants
libvirtd-ro.socket | sockets.target.wants
libvirtd.service | multi-user.target.wants
libvirtd.socket | sockets.target.wants
NetworkManager.service | multi-user.target.wants
NetworkManager-wait-online.service | network-online.target.wants
nftables.service | multi-user.target.wants
p11-kit-server.socket | sockets.target.wants
pipewire-pulse.socket | sockets.target.wants
pipewire-session-manager.service | user
pipewire.socket | sockets.target.wants
reflector.service | multi-user.target.wants
remote-fs.target | multi-user.target.wants
systemd-resolved.service | sysinit.target.wants
systemd-timesyncd.service | sysinit.target.wants
virtlockd-admin.socket | sockets.target.wants
virtlockd.socket | sockets.target.wants
virtlogd-admin.socket | sockets.target.wants
virtlogd.service | multi-user.target.wants
virtlogd.socket | sockets.target.wants
wireplumber.service | pipewire.service.wants
xdg-user-dirs-update.service | default.target.wants
The way I have been "fixing" it has been just flushing the ruleset and then starting nftables.service again.
Here is the nftables.service output too, but from what I understand it is supposed to be inactive.
○ nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; preset:>
Active: inactive (dead) since Wed 2024-07-24 02:18:52 IST; 10s ago
Invocation: 7e89e555ac184b6583d662ed8d7c25e3
Docs: man:nft(8)
Process: 7099 ExecStart=/usr/bin/nft -f /etc/nftables.conf (code=exited, st>
Main PID: 7099 (code=exited, status=0/SUCCESS)
Jul 24 02:18:52 Framework systemd[1]: Starting Netfilter Tables...
Jul 24 02:18:52 Framework systemd[1]: nftables.service: Deactivated successfull>
Jul 24 02:18:52 Framework systemd[1]: Finished Netfilter Tables.
nftables.service | multi-user.target.wants
Disable that, it's not required to run firewalld or anything else but will only load some very restrictive default rules, https://wiki.archlinux.org/title/Nftabl … e_firewall
You got rid of them w/ nft flush ruleset, then rebuilt firewalld as desired, but after the reboot /etc/nftables.conf got applied again.
Edit: it's "inactive" because it just loads that file and then quits.
netfilter happens in the kernel; everything else just loads and deletes rules.
Last edited by seth (2024-07-23 20:54:58)
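An added diagnostic for the situation seth describes (not code from the thread or from any of the projects involved): one function reads the unit listing produced by the find|awk one-liner above and reports every enabled firewall rule loader, the other reads `nft list ruleset` output and reports which tables own a forward-hook chain with policy drop, which is what the Arch default /etc/nftables.conf installs and what blocks NAT forwarding for virbr0 guests. The sample unit list and ruleset are constructed, and the libvirt table name libvirt_network is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Two rule loaders (firewalld.service
# and nftables.service) enabled at once means whichever loads last decides
# the kernel's netfilter policy, and /etc/nftables.conf ships a forward
# chain with "policy drop" that silently kills guest NAT traffic.

# Input: the unit listing from the thread's find|awk one-liner, one unit per
# line ("nftables.service | multi-user.target.wants"). Output: each enabled
# unit that loads firewall rules. More than one line is the conflict.
enabled_firewall_loaders() {
    awk '$1 ~ /^(nftables|firewalld|iptables|ufw)\.service$/ { print $1 }'
}

# Input: `nft list ruleset` on stdin. Output: "<family> <table>" for every
# table whose forward-hook chain drops by default. libvirt's own table
# (assumed name libvirt_network) hooks forward with policy accept, so any
# hit here in another table is the rule set that blocks the guests.
forward_drop_tables() {
    awk '
        /^table / { table = $2 " " $3 }
        /hook forward/ && /policy drop/ { print table }
    '
}

# Constructed sample inputs, not captured from the poster's machine.
SAMPLE_UNITS='firewalld.service | multi-user.target.wants
libvirtd.service | multi-user.target.wants
nftables.service | multi-user.target.wants'

SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}
table ip libvirt_network {
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
}'

printf '%s\n' "$SAMPLE_UNITS" | enabled_firewall_loaders
printf '%s\n' "$SAMPLE_RULESET" | forward_drop_tables
```

On a live host, feed `systemctl list-unit-files --state=enabled` or the thread's find one-liner into the first function and `nft list ruleset` into the second; an `inet filter` hit while nftables.service is enabled is the case seth's fix (disabling that unit) addresses.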
Thanks, now I can mark it as solved for real for real!
Yep, that fixed the problem across reboots for me as well.