I wasn’t able to get any network to work in VMs.
I was able to resolve the problem by manually adding a rule in iptables.
Prior to adding this rule, there was no mention of my virbr.
Rule that I added:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 ---- Removed to improve readability -----
2 ---
15 11042 1152K ACCEPT all -- virbr1 wlo1 0.0.0.0/0 0.0.0.0/0
16 19796 62M ACCEPT all -- wlo1 virbr1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
I am confused as to why this was necessary.
Never had to do this in past installations.
I’m also confused as to why I am using iptables and nftables. It’s my understanding that firewalld uses nftables.
To correct this problem (virt-manager networking not automatically changing the firewall rules when creating/modifying a network), would I just need to update /etc/libvirt/network.conf?
Current setting:
txtechnician-hp-suse:~ # cd /etc/
txtechnician-hp-suse:/etc # cd libvirt/
txtechnician-hp-suse:/etc/libvirt # ls
hooks libxl nwfilter secrets virtnetworkd.conf virtqemud.conf
libvirt-admin.conf libxl-lockd.conf qemu storage virtnodedevd.conf virtsecretd.conf
libvirt.conf libxl.conf qemu-lockd.conf virtlockd.conf virtnwfilterd.conf virtstoraged.conf
libvirtd.conf network.conf qemu.conf virtlogd.conf virtproxyd.conf virtxend.conf
txtechnician-hp-suse:/etc/libvirt # cat network.conf
# Master configuration file for the network driver.
# All settings described here are optional - if omitted, sensible
# defaults are used.
# firewall_backend:
#
# determines which subsystem to use to setup firewall packet
# filtering rules for virtual networks.
#
# Supported settings:
#
# iptables - use iptables commands to construct the firewall
# nftables - use nft commands to construct the firewall
#
# If firewall_backend isn't configured, libvirt will choose the
# first available backend from the following list:
#
# [nftables, iptables]
#
# If no backend is available on the host, then the network driver
# will fail to start, and an error will be logged.
#
# (NB: switching from one backend to another while there are active
# virtual networks *is* supported. The change will take place the
# next time that libvirtd/virtnetworkd is restarted - all existing
# virtual networks will have their old firewalls removed, and then
# reloaded using the new backend.)
#
#firewall_backend = "nftables"
txtechnician-hp-suse:/etc/libvirt #
It looks like libvirt defaulted to using nftables as per the note in this config and the rules I found in nftables.
(I know that these rules were added automatically because I created two virt networks, virbr0 and virbr1. In iptables none of the virt networks were mentioned, and I manually added rules for virbr1, while in nftables both virbr0 and virbr1 are listed.)
nftables rules:
table ip libvirt_network {
    chain forward {
        type filter hook forward priority filter; policy accept;
        counter packets 50729 bytes 64098915 jump guest_cross
        counter packets 50729 bytes 64098915 jump guest_input
        counter packets 30942 bytes 2461624 jump guest_output
    }
    chain guest_output {
        ip saddr 192.168.100.0/24 iif "virbr1" counter packets 1161 bytes 206354 accept
        iif "virbr1" counter packets 0 bytes 0 reject
        ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept
        iif "virbr0" counter packets 0 bytes 0 reject
    }
    chain guest_input {
        oif "virbr1" ip daddr 192.168.100.0/24 ct state established,related counter packets 1382 bytes 2886809 accept
        oif "virbr1" counter packets 0 bytes 0 reject
        oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept
        oif "virbr0" counter packets 0 bytes 0 reject
    }
    chain guest_cross {
        iif "virbr1" oif "virbr1" counter packets 0 bytes 0 accept
        iif "virbr0" oif "virbr0" counter packets 0 bytes 0 accept
    }
    chain guest_nat {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.100.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
        ip saddr 192.168.100.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
        meta l4proto tcp ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 45 bytes 2700 masquerade to :1024-65535
        meta l4proto udp ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 21 bytes 14840 masquerade to :1024-65535
        ip saddr 192.168.100.0/24 ip daddr != 192.168.100.0/24 counter packets 0 bytes 0 masquerade
        ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
        ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
        meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
        meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
        ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
    }
}
I’m also confused as to why I have both iptables and nftables.
Are both of these supposed to be enabled?
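As an added illustration (not part of the post above, and not libvirt's or firewalld's own tooling), the POSIX shell check below models why the libvirt nftables table accepting virbr1 traffic was not enough while a separate iptables FORWARD chain had policy DROP: on the forward hook every base chain is evaluated and any drop wins. It runs on constructed samples in `iptables -S FORWARD` and `nft list table ip libvirt_network` format, with the interface names and the 192.168.100.0/24 network taken from the post.

```shell
#!/bin/sh
# Why a guest->uplink packet can still be dropped although libvirt's nftables
# table accepts it: every base chain on the forward hook is evaluated, and the
# packet goes through only if none of them drops it. An accept in
# libvirt_network therefore cannot override a DROP policy in a separate
# iptables FORWARD chain. The samples below are constructed, not live output.

IPT_BEFORE='-P FORWARD DROP'                     # `iptables -S FORWARD`, no virbr rules
IPT_AFTER='-P FORWARD DROP
-A FORWARD -i virbr1 -o wlo1 -j ACCEPT
-A FORWARD -i wlo1 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT'
NFT_LIBVIRT='chain guest_output {
  ip saddr 192.168.100.0/24 iif "virbr1" counter packets 1161 bytes 206354 accept
  iif "virbr1" counter packets 0 bytes 0 reject
}'                                               # shape of libvirt_network guest_output

# Policy of the iptables FORWARD chain (DROP or ACCEPT).
ipt_policy() {
  printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }'
}

# Succeeds if the iptables chain has an explicit ACCEPT for in=$2 out=$3.
ipt_accepts() {
  printf '%s\n' "$1" | grep -q -- "-A FORWARD -i $2 -o $3 .*-j ACCEPT"
}

# Succeeds if libvirt's guest_output chain accepts packets entering on $2.
nft_accepts_iif() {
  printf '%s\n' "$1" | grep -q "iif \"$2\" counter .*accept\$"
}

# Combined verdict: $1 nft chain text, $2 iptables chain text, $3 guest bridge, $4 uplink.
forward_verdict() {
  nft_accepts_iif "$1" "$3" || { echo "drop (no libvirt_network accept for $3)"; return 0; }
  if ipt_accepts "$2" "$3" "$4"; then
    echo "forward (both chains accept)"
  elif [ "$(ipt_policy "$2")" = ACCEPT ]; then
    echo "forward (iptables FORWARD policy ACCEPT)"
  else
    echo "drop (iptables FORWARD policy $(ipt_policy "$2"), no rule for $3->$4)"
  fi
}

# Before the manual rule: drop (iptables FORWARD policy DROP, no rule for virbr1->wlo1)
forward_verdict "$NFT_LIBVIRT" "$IPT_BEFORE" virbr1 wlo1
# After the manual rule: forward (both chains accept)
forward_verdict "$NFT_LIBVIRT" "$IPT_AFTER" virbr1 wlo1
```

To run it against a real host, replace the two sample strings with the output of `iptables -S FORWARD` and `nft list table ip libvirt_network`.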