Hello, I'm not subscribed to this list, please keep me in the From: when replying, thanks!

I've found a solution, I'm posting it here hoping it could be useful to others. I've also changed the subject a little bit to include the important missing information about libvirt guests.

Giovanni Biscuolo <giovanni@xxxxxxxxxxxx> writes:

[...]

> I'm using libvirt to define and run a guest (IPv4 192.168.133.9) inside
> my host

OK, now I understand that:

1. libvirt (still?!?) uses iptables and not nftables to define firewall rules (see [1])

2. iptables-defined filters are _not_ visible via "nft" commands, at least not via the 'nft list ruleset' I was using to look at rules. I was actually expecting a uniform interface to netfilter, but I see that even today we still have to manage netfilter via (at least?) two different interfaces.

3. when defining a network bridge with a forward "mode='nat'" parameter (the default), libvirt configures firewalling rules (via iptables) so that «inbound connections from other networks are all prohibited; all connections between guests on the same network, and to/from the host to the guests, are unrestricted and not NATed.» (see [2])

The solution I've adopted is to (re)define the libvirt-created network bridge (swws-bridge in my case) using forward "mode='open'", so that «no firewall rules will be added for the network» (see [2]) by libvirt and I can manage all firewall rules via nftables alone.

Once swws-bridge was reconfigured, I was able to remotely connect to my DNATted (and forwarded) ports on my guest machine.

Another solution could have been to configure some libvirt nwfilters via XML (see [3])... but no :-D

[...]

Happy hacking.

[1] https://libvirt.org/firewall.html#firewalld-and-the-virtual-network-driver
    so libvirt can use firewalld backends but not nftables directly :-(
[2] https://libvirt.org/formatnetwork.html#connectivity
[3] https://libvirt.org/formatnwfilter.html

--
Giovanni Biscuolo

«Si può sperare
Che il mondo torni a quote più normali».
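As an added illustration of the setup described above (example script, not part of the original mail): the network redefined with forward mode='open' and an nftables ruleset that takes over the DNAT, forwarding and masquerading libvirt no longer provides. The bridge device name virbr-swws, the gateway address 192.168.133.1, the external interface eth0 and the 2222->22 port mapping are assumptions to adjust; only the network name and the guest address 192.168.133.9 come from the mail.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: bridge device
# virbr-swws, host side 192.168.133.1/24, external interface eth0, DNAT of
# host TCP 2222 to guest TCP 22. Guest 192.168.133.9 and name swws-bridge
# are taken from the mail.
set -eu

NET_NAME="swws-bridge"
GUEST_IP="192.168.133.9"
WAN_IF="eth0"      # assumption: host's external interface
HOST_PORT=2222     # assumption: port exposed on the host
GUEST_PORT=22      # assumption: service port on the guest

# Network definition with mode='open': libvirt adds no iptables rules, so
# reachability of the guest is decided only by the host's nft ruleset below.
network_xml() {
  cat <<EOF
<network>
  <name>${NET_NAME}</name>
  <forward mode='open'/>
  <bridge name='virbr-swws' stp='on' delay='0'/>
  <ip address='192.168.133.1' netmask='255.255.255.0'/>
</network>
EOF
}

# Explicit DNAT on the external interface, forward policy drop with only the
# published port allowed in, and masquerade on the way out (mode='open' drops
# libvirt's NAT as well, so it must be provided here).
nft_ruleset() {
  cat <<EOF
table inet vmfw {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "${WAN_IF}" tcp dport ${HOST_PORT} dnat ip to ${GUEST_IP}:${GUEST_PORT}
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    ip saddr 192.168.133.0/24 oifname "${WAN_IF}" masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "virbr-swws" accept
    ip daddr ${GUEST_IP} tcp dport ${GUEST_PORT} ct state new accept
  }
}
EOF
}

# Replace the existing network definition and load the ruleset (needs root).
apply() {
  network_xml > "/tmp/${NET_NAME}.xml"
  virsh net-destroy "${NET_NAME}" 2>/dev/null || true
  virsh net-define "/tmp/${NET_NAME}.xml"
  virsh net-start "${NET_NAME}"
  nft_ruleset | nft -f -
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run with `sh script.sh apply`; the forward chain inspects the already-translated destination, which is why it matches on the guest address and guest port rather than on the host port.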