trying to understand how libvirt uses firewalld

Hi,

I recently installed a test box using CentOS 8 and installed a CentOS 8 guest
via libvirt (KVM).
I need to use "routed" forwarding as the datacenter only gives me individual IPs
which are routed to the physical interface and the switch only accepts packets
with a well-known MAC address.

On the host I enabled firewalld and moved the guest to a specific firewalld zone. I verified that libvirt is detecting firewalld.

My idea was that I could use this to create somewhat fine-grained filters on the
host for traffic from the internet to the guest (and possibly vice-versa).

However it seems like that does not work the way I wanted:
It seems as if nothing changes when I allow/disallow SSH for that zone. I can
still ssh from the internet to the guest.

After several reads on the documentation I have a guess of what might be going
on but I'd like to confirm that:
https://libvirt.org/firewall.html#fw-firewalld-and-virtual-network-driver

If firewalld is active on the host, libvirt will attempt to place the bridge
interface of a libvirt virtual network into the firewalld zone named "libvirt" (thus making all guest->host traffic on that network subject to
the rules of the "libvirt" zone).
Does that mean libvirt's firewalld usage is ONLY for traffic guest->host and does not affect all other traffic (e.g. host->guest, guest<->internet)? That sounds incredibly narrow (and not very useful for me) but it would explain why I don't see any effects in my experiment...


---
On a related note, it would be nice if there was a way to make routed setups with individual IPs easier. This problem has haunted me for more than 10 years (I think I posted something in 2009 - still basically the same problem) and it would be nice if libvirt could somehow support this use case better:

I want to allow traffic guest <-> internet in a routed setup. libvirt generates iptables rules like these:

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in          out     source               destination
    0     0 ACCEPT     all  --  br-private  *       10.11.0.0/24         0.0.0.0/0
    0     0 REJECT     all  --  br-private  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  br-public   *       (NETWORK IP )        0.0.0.0/0
   43  3232 REJECT     all  --  br-public   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

In my case "NETWORK IP" is a /32 IPv4 and AFAIK I have to put the host's IPv4 here (which is basically the router) so I can assign the guest IP inside the VM. What I need is basically a rule like the ACCEPT one above but with the GUEST IP. I have some elaborate Python script which I can use as a "network" hook, but that requires parsing the output of "iptables" due to libvirt's events (e.g. a libvirtd restart triggers one "plugged" event per VM).

Thank you very much,
Felix
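The "network" hook described in the post, as an added example that is not the poster's script or libvirt's own code: it adds a per-guest ACCEPT rule to LIBVIRT_FWO on "plugged" and removes it on "unplugged", using "iptables -C" to check for the rule instead of parsing "iptables -L" output, so the repeated "plugged" events after a libvirtd restart are harmless. The guest-name-to-IP mapping, the sample hookData XML and its shape (taken from libvirt's hook documentation) are assumptions; verify the XML against your libvirt version.

```python
#!/usr/bin/env python3
# Hypothetical idempotent libvirt "network" hook (not libvirt's own code).
import subprocess
import sys
import xml.etree.ElementTree as ET
CHAIN = "LIBVIRT_FWO"  # libvirt's forward-out chain shown in the listing above
# Constructed mapping domain name -> IP configured inside that guest (a real
# deployment would read it from a file on the host).
GUEST_IPS = {"web1": "203.0.113.10", "db1": "203.0.113.11"}
# Constructed sample of the <hookData> XML libvirt feeds the hook on stdin for
# plugged/unplugged; its shape is assumed from libvirt's hook documentation.
SAMPLE_HOOK_DATA = """<hookData>
  <network><name>public</name><bridge name='br-public'/></network>
  <domain type='kvm' id='3'><name>web1</name></domain>
  <interface type='network'><source network='public'/></interface>
</hookData>"""

def parse_hook_data(xml_text):
    """Return (bridge name, domain name) from the hookData XML."""
    root = ET.fromstring(xml_text)
    return root.find("./network/bridge").get("name"), root.find("./domain/name").text

def rule_spec(bridge, guest_ip):
    """Forward traffic entering from the bridge only when its source is the
    guest's own address (same shape as libvirt's NETWORK IP rule)."""
    return [CHAIN, "-i", bridge, "-s", guest_ip + "/32", "-j", "ACCEPT"]

def plan(operation, bridge, domain, rule_exists):
    """Return the iptables commands to run; rule_exists is a callable
    (spec -> bool) so the decision is testable without root or iptables."""
    guest_ip = GUEST_IPS.get(domain)
    if guest_ip is None:
        return []  # unknown guest: leave libvirt's rules alone
    spec = rule_spec(bridge, guest_ip)
    if operation == "plugged" and not rule_exists(spec):
        return [["iptables", "-I", CHAIN, "1"] + spec[1:]]  # above the REJECT
    if operation == "unplugged" and rule_exists(spec):
        return [["iptables", "-D"] + spec]
    return []  # already as wanted, e.g. repeated "plugged" after libvirtd restart

def iptables_rule_exists(spec):
    """Ask iptables with -C instead of parsing 'iptables -L' output."""
    return subprocess.run(["iptables", "-C"] + spec, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0

if __name__ == "__main__":
    if len(sys.argv) >= 3 and sys.argv[2] in ("plugged", "unplugged"):  # hook mode
        bridge, domain = parse_hook_data(sys.stdin.read())
        for cmd in plan(sys.argv[2], bridge, domain, iptables_rule_exists):
            subprocess.run(cmd, check=True)
    else:  # stand-alone demo on the constructed sample; touches no firewall
        print(plan("plugged", *parse_hook_data(SAMPLE_HOOK_DATA), lambda s: False))
```

The added rule only accepts the guest's own source address, so a guest sending with a spoofed address still hits libvirt's catch-all REJECT for the bridge.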
