On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote: > Hi everyone, > > I use Debian 9.5 Stretch and NFTABLES as a firewall. > Using NFTABLES together with IPTABLES is not recommended, > but libvirt depends on IPTABLES. > > Is it safe to run libvirt + kvm + virsh without IPTABLES? > > By the doc https://libvirt.org/firewall.html, > IPTABLES are used for settingup filtering which I do not need. Currently it is *NOT* ok. With this dual setup, even if traffic is allowed by libvirt's iptables rules, firewalld's nftables rules are likely to block the traffic. IOW, a packet must succeed with both nftables & iptables, and ther's no way for iptables alone to guarantee acceptance. This is known to break libvirt We're exploring how to fix this in libvirt in combination with firewalld's nftables backend, since it also affects Fedora. If not using firewalld, but are using nftables directly, then it is even harder for libvirt and in fact I'm not sure if it is fixable at all in general. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ libvirt-users mailing list libvirt-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvirt-users
