No network, solved by adding iptables rule, why didn't virt-manager do this automatically?

I wasn’t able to get any network to work in vms.

I was able to resolve the problem by manually adding a rule in iptables.

Prior to adding this rule, there was no mention of my virbr.

Rule that I added:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     ---- Removed to improve readability -----  
2 ---
15   11042 1152K ACCEPT     all  --  virbr1 wlo1    0.0.0.0/0            0.0.0.0/0           
16   19796   62M ACCEPT     all  --  wlo1   virbr1  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

I am confused as to why this was necessary.

Never had to do this in past installations.

I’m also confused as to why I am using iptables and nftables. It’s my understanding that firewalld uses nftables.

To correct this problem (virt-manager networking not automatically changing the firewall rules when creating/modifying a network), would I just need to update /etc/libvirt/network.conf?

Current setting:

txtechnician-hp-suse:~ # cd /etc/
txtechnician-hp-suse:/etc # cd libvirt/
txtechnician-hp-suse:/etc/libvirt # ls
hooks               libxl             nwfilter         secrets         virtnetworkd.conf   virtqemud.conf
libvirt-admin.conf  libxl-lockd.conf  qemu             storage         virtnodedevd.conf   virtsecretd.conf
libvirt.conf        libxl.conf        qemu-lockd.conf  virtlockd.conf  virtnwfilterd.conf  virtstoraged.conf
libvirtd.conf       network.conf      qemu.conf        virtlogd.conf   virtproxyd.conf     virtxend.conf
txtechnician-hp-suse:/etc/libvirt # cat network.conf 
# Master configuration file for the network driver.
# All settings described here are optional - if omitted, sensible
# defaults are used.

# firewall_backend:
#
#   determines which subsystem to use to setup firewall packet
#   filtering rules for virtual networks.
#
#   Supported settings:
#
#     iptables - use iptables commands to construct the firewall
#     nftables - use nft commands to construct the firewall
#
#   If firewall_backend isn't configured, libvirt will choose the
#   first available backend from the following list:
#
#     [nftables, iptables]
#
#   If no backend is available on the host, then the network driver
#   will fail to start, and an error will be logged.
#
#   (NB: switching from one backend to another while there are active
#   virtual networks *is* supported. The change will take place the
#   next time that libvirtd/virtnetworkd is restarted - all existing
#   virtual networks will have their old firewalls removed, and then
#   reloaded using the new backend.)
#
#firewall_backend = "nftables"
txtechnician-hp-suse:/etc/libvirt # 

It looks like libvirt defaulted to using nftables as per the note in this config and the rules I found in nftables.

(I know that these rules were added automatically because I created two virt networks, virbr0 and 1. In iptables none of the virt networks were mentioned, and I manually added rules for virbr1. In nftables both virbr0 & 1 are listed.)

Nftable rules:

table ip libvirt_network {
	chain forward {
		type filter hook forward priority filter; policy accept;
		counter packets 50729 bytes 64098915 jump guest_cross
		counter packets 50729 bytes 64098915 jump guest_input
		counter packets 30942 bytes 2461624 jump guest_output
	}

	chain guest_output {
		ip saddr 192.168.100.0/24 iif "virbr1" counter packets 1161 bytes 206354 accept
		iif "virbr1" counter packets 0 bytes 0 reject
		ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept
		iif "virbr0" counter packets 0 bytes 0 reject
	}

	chain guest_input {
		oif "virbr1" ip daddr 192.168.100.0/24 ct state established,related counter packets 1382 bytes 2886809 accept
		oif "virbr1" counter packets 0 bytes 0 reject
		oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept
		oif "virbr0" counter packets 0 bytes 0 reject
	}

	chain guest_cross {
		iif "virbr1" oif "virbr1" counter packets 0 bytes 0 accept
		iif "virbr0" oif "virbr0" counter packets 0 bytes 0 accept
	}

	chain guest_nat {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.168.100.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
		ip saddr 192.168.100.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		meta l4proto tcp ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 45 bytes 2700 masquerade to :1024-65535
		meta l4proto udp ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 21 bytes 14840 masquerade to :1024-65535
		ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 0 bytes 0 masquerade
		ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
		ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
		meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
	}
}

I’m also confused as to why I have both iptables and nftables.

Are both of these supposed to be enabled?

@TxTechnician Is ipv4 forwarding set on the interface? Are you using NAT or a specific bridge device? I only use bridges on my VMs…

NAT, although I would like to use a bridge connection instead.

As far as IP forwarding: is that not what the rule in iptables is doing?

You told a long story about kernel netfilter rules, but never explained your libvirt network configuration.

Really?

chain guest_nat {

does exactly that - it configures NAT for both your libvirt networks.

You started with telling us about libvirt and suddenly you also have firewalld. Which can block traffic you want to allow. In particular, firewalld most certainly blocks forwarding between different zones by default.

You always need to provide the whole picture.

I’m trying to conceptualize the “whole picture”.

Virtualization using KVM, understanding how libvirtd interacts with the system. That is what I am trying to understand.

As I understand it, the command chain is:

  • User creates virtual network in virt-manager
  • libvirt issues commands through its libraries to create necessary firewall rules and routing

In my case, networking would not work until I manually added the rules to iptables.

No. libvirt creates either iptables or nftables rules. You may also have other applications, some of them are customarily called “firewall”, that also create iptables or netfilter rules. libvirt has no way to know it.

To my best knowledge libvirt does not create any “routing” (assuming, I correctly understand what you mean, this sentence looks incomplete).

Stop your other firewall application that blocks forwarding and everything will work.


I stand corrected, libvirt enables forwarding via sysctl.

That is how Linux kernel netfilter works. libvirt does create rules allowing forwarding:

	chain guest_output {
		ip saddr 192.168.100.0/24 iif "virbr1" counter packets 1161 bytes 206354 accept
		iif "virbr1" counter packets 0 bytes 0 reject
		ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept
		iif "virbr0" counter packets 0 bytes 0 reject
	}

but if there are other rules explicitly blocking forwarding, the final verdict will be block (or reject, or drop - whatever). So, again - you need to show the whole picture. All rules from both iptables and nftables.

Of course, another simple reason could be that you are using different IP than configured in libvirt in your VM …
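The "whole picture" check the reply asks for, as an added example that is not code from the thread or from libvirt: it parses the iptables FORWARD listing and the nft ruleset (constructed here from the thread's own output, trimmed) plus the ip_forward sysctl, and reports per libvirt bridge whether an iptables policy or rule overrides the nftables accept rules that libvirt installed.

```python
import re
# Constructed sample input, trimmed from the thread: iptables FORWARD has policy DROP and only names virbr1, while libvirt's nft table accepts for virbr0 and virbr1.
IPTABLES_FORWARD = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
15   11042 1152K ACCEPT     all  --  virbr1 wlo1    0.0.0.0/0            0.0.0.0/0
"""
NFT_RULESET = """\
table ip libvirt_network {
	chain guest_output {
		ip saddr 192.168.100.0/24 iif "virbr1" counter packets 1161 bytes 206354 accept
		iif "virbr1" counter packets 0 bytes 0 reject
		ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept
		iif "virbr0" counter packets 0 bytes 0 reject
	}
}
"""
SYSCTL = "net.ipv4.ip_forward = 1\n"  # constructed `sysctl net.ipv4.ip_forward` output

def iptables_forward(listing):
    """Chain policy and the set of targets naming each interface as in or out."""
    policy = re.search(r"Chain FORWARD \(policy (\w+)", listing).group(1)
    targets = {}
    for line in listing.splitlines()[2:]:  # skip the chain and column headers
        cols = line.split()  # num pkts bytes target prot opt in out source destination
        if len(cols) < 10:
            continue
        for iface in (cols[6], cols[7]):  # in, out
            targets.setdefault(iface, set()).add(cols[3])  # target
    return policy, targets

def nft_bridges(ruleset):
    """Bridges for which libvirt's nftables backend installed an accept rule."""
    return set(re.findall(r'(?:iif|oif) "(virbr\d+)".*\baccept$', ruleset, re.M))

def diagnose(listing, ruleset, sysctl):
    """Per-bridge verdict; a heuristic that ignores rule order inside FORWARD."""
    if not re.search(r"ip_forward\s*=\s*1", sysctl):
        return {"host": "ipv4 forwarding disabled"}
    policy, targets = iptables_forward(listing)
    verdicts = {}
    for br in sorted(nft_bridges(ruleset)):
        t = targets.get(br, set())
        if t & {"DROP", "REJECT"}:
            verdicts[br] = "explicit DROP/REJECT in iptables FORWARD"
        elif "ACCEPT" in t or policy == "ACCEPT":
            verdicts[br] = "forwarding allowed by both backends"
        else:
            verdicts[br] = f"no ACCEPT in iptables FORWARD (policy {policy}); nft accept is overridden"
    return verdicts
```

On a real host, feed it the output of `iptables -L FORWARD -v -n --line-numbers`, `nft list ruleset` and `sysctl net.ipv4.ip_forward`; a bridge that the nft table accepts but iptables never names is the situation in this thread.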
