Re: KVM + libvirt + nftables without iptables?

On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote:
> Hi everyone,
> 
> I use Debian 9.5 Stretch and NFTABLES as a firewall.
> Using NFTABLES  together with IPTABLES is not recommended,
> but libvirt depends on IPTABLES.
> 
> Is it safe to run libvirt + kvm + virsh without IPTABLES?
>
> By the doc https://libvirt.org/firewall.html,
> IPTABLES is used for setting up filtering, which I do not need.

Currently it is *NOT* ok.

With this dual setup, even if traffic is allowed by libvirt's
iptables rules, firewalld's nftables rules are likely to block
the traffic.

IOW, a packet must succeed with both nftables & iptables, and
there's no way for iptables alone to guarantee acceptance.

This is known to break libvirt.

We're exploring how to fix this in libvirt in combination with
firewalld's nftables backend, since it also affects Fedora.

If you are not using firewalld but are using nftables directly, then
it is even harder for libvirt, and in fact I'm not sure if it
is fixable at all in general.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
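The point Daniel makes above (a packet has to get past both backends, and an ACCEPT from libvirt's iptables rules does not help once an nftables chain at the same hook refuses it) can be made concrete with a small model of netfilter hook traversal. This is an added illustration written for this page, not code from the thread, from libvirt or from firewalld. It assumes that iptables (legacy) and nftables each register their own hook at the forward hook point and that netfilter calls the registered hooks in priority order, stopping at the first hook that does not return ACCEPT; the interface names, the "trusted0" zone interface, the chain contents and the priorities are constructed for the model, and firewalld's REJECT is treated the same as DROP because either way the packet does not pass.

```python
"""Model of two firewall backends sharing one netfilter hook point.

Added example, not the thread's or libvirt's code.  Each backend
(iptables legacy, nftables) registers its own hook function at
NF_INET_FORWARD.  Netfilter runs the hooks in priority order and the
first verdict other than ACCEPT ends traversal, so an ACCEPT from one
backend only means "no objection from me"; the other backend still has
to agree.  Rule sets below are constructed samples shaped like what
libvirt installs for virbr0 and like a firewalld-style forward chain
that only forwards traffic from a zone it knows about ("trusted0" is an
assumed interface name).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCEPT = "ACCEPT"
DROP = "DROP"  # the model does not distinguish DROP from REJECT


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str


@dataclass(frozen=True)
class Rule:
    verdict: str
    in_if: Optional[str] = None   # None = match any input interface
    out_if: Optional[str] = None  # None = match any output interface

    def matches(self, p: Packet) -> bool:
        return self.in_if in (None, p.in_if) and self.out_if in (None, p.out_if)


@dataclass(frozen=True)
class Chain:
    name: str
    rules: Tuple[Rule, ...]
    policy: str

    def verdict(self, p: Packet) -> str:
        """First matching rule wins; otherwise the chain policy applies."""
        for r in self.rules:
            if r.matches(p):
                return r.verdict
        return self.policy


@dataclass(frozen=True)
class Hook:
    backend: str   # which firewall backend registered this hook
    priority: int  # netfilter hook priority (lower runs first)
    chain: Chain


def traverse_forward_hook(hooks: List[Hook], p: Packet) -> Tuple[str, Optional[str]]:
    """Run every registered hook in priority order (stable sort keeps
    registration order for equal priorities).  The first hook that does
    not ACCEPT decides the fate of the packet; later hooks never see it."""
    for h in sorted(hooks, key=lambda h: h.priority):
        v = h.chain.verdict(p)
        if v != ACCEPT:
            return v, h.backend
    return ACCEPT, None


# Constructed: libvirt-style iptables FORWARD rules for the default NAT network.
LIBVIRT_IPTABLES = Hook("iptables", 0, Chain("FORWARD", (
    Rule(ACCEPT, out_if="virbr0"),  # traffic back towards the guests
    Rule(ACCEPT, in_if="virbr0"),   # traffic from the guests outwards
), policy=ACCEPT))

# Constructed: firewalld-style nftables forward chain at the same hook
# point; anything not coming from an interface in a known zone is refused.
FIREWALLD_NFT = Hook("nftables", 0, Chain("filter_FORWARD", (
    Rule(ACCEPT, in_if="trusted0"),  # assumed zone interface, not virbr0
), policy=DROP))

# Constructed sample packet: a guest on virbr0 trying to reach the uplink.
GUEST_TO_INTERNET = Packet(in_if="virbr0", out_if="eth0")


def verdict_dual_backend() -> Tuple[str, Optional[str]]:
    """Both backends registered: libvirt's ACCEPT is not the final word."""
    return traverse_forward_hook([LIBVIRT_IPTABLES, FIREWALLD_NFT], GUEST_TO_INTERNET)


def verdict_iptables_only() -> Tuple[str, Optional[str]]:
    """Only libvirt's iptables hook registered: the same packet passes."""
    return traverse_forward_hook([LIBVIRT_IPTABLES], GUEST_TO_INTERNET)


if __name__ == "__main__":
    print("iptables + nftables:", verdict_dual_backend())
    print("iptables only:      ", verdict_iptables_only())
```

With both hooks present the guest's packet is accepted by libvirt's chain and then dropped by the nftables chain, which is exactly the "must succeed with both" behaviour; removing the nftables hook is the only change that lets it through, which is why libvirt cannot fix this from the iptables side alone.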


