Roman Vesely
2018-Oct-17 15:57 UTC
[libvirt-users] KVM + libvirt + nftables without iptables?
Hi everyone,

I use Debian 9.5 Stretch and NFTABLES as a firewall. Using NFTABLES together with IPTABLES is not recommended, but libvirt depends on IPTABLES.

Is it safe to run libvirt + kvm + virsh without IPTABLES?

By the doc https://libvirt.org/firewall.html, IPTABLES are used for setting up filtering which I do not need.

Thanks,
Roman
Daniel P. Berrangé
2018-Oct-18 08:14 UTC
Re: [libvirt-users] KVM + libvirt + nftables without iptables?
On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote:
> Hi everyone,
>
> I use Debian 9.5 Stretch and NFTABLES as a firewall.
> Using NFTABLES together with IPTABLES is not recommended,
> but libvirt depends on IPTABLES.
>
> Is it safe to run libvirt + kvm + virsh without IPTABLES?
>
> By the doc https://libvirt.org/firewall.html,
> IPTABLES are used for setting up filtering which I do not need.

Currently it is *NOT* ok. With this dual setup, even if traffic is allowed by libvirt's iptables rules, firewalld's nftables rules are likely to block the traffic. IOW, a packet must succeed with both nftables & iptables, and there's no way for iptables alone to guarantee acceptance. This is known to break libvirt.

We're exploring how to fix this in libvirt in combination with firewalld's nftables backend, since it also affects Fedora. If you are not using firewalld but are using nftables directly, then it is even harder for libvirt, and in fact I'm not sure if it is fixable at all in general.

Regards,
Daniel

--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Michal Privoznik
2018-Oct-18 15:51 UTC
Re: [libvirt-users] KVM + libvirt + nftables without iptables?
On 10/18/2018 10:14 AM, Daniel P. Berrangé wrote:
> On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote:
>> Hi everyone,
>>
>> I use Debian 9.5 Stretch and NFTABLES as a firewall.
>> Using NFTABLES together with IPTABLES is not recommended,
>> but libvirt depends on IPTABLES.
>>
>> Is it safe to run libvirt + kvm + virsh without IPTABLES?
>>
>> By the doc https://libvirt.org/firewall.html,
>> IPTABLES are used for setting up filtering which I do not need.
>
> Currently it is *NOT* ok.

Pardon me if I misread the question, but I think Roman is actually asking if he can turn off iptables in libvirt. Well, that would work, but all the forwarding rules, rules that prevent one domain from seeing the traffic of another, etc. - you would have to do them yourself. Or trust your guests.

But Dan is right - if iptables are enabled in libvirt, such a setup will break terribly.

Michal
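For readers who take Michal's route and write the rules themselves in nftables, the following ruleset is an added example (not part of the thread, and not libvirt's own rules) that reproduces the effect of the iptables rules described at https://libvirt.org/firewall.html for a NAT-mode network: DHCP and DNS from guests to the host's dnsmasq, forwarding of guest-originated traffic and its replies, rejection of anything else touching the bridge, and masquerading on the way out. It assumes libvirt's documented defaults of bridge virbr0 and guest subnet 192.168.122.0/24, and that libvirt is no longer inserting iptables rules for this network; adjust the interface and prefix to match your network XML.

```nft
#!/usr/sbin/nft -f
# Added example: an nftables equivalent of libvirt's default NAT rules.
# Assumptions (not from the thread): bridge virbr0, guests in 192.168.122.0/24.
# Numeric priorities are used so this also loads on older nft (e.g. Debian 9).
#
# Put the accept rules in the SAME base chains as the rest of your firewall:
# nftables runs every base chain registered on a hook, and a drop in any of
# them wins, so a separate "libvirt" table with accepts cannot override a
# policy drop elsewhere (the same "must pass every rule set" problem Daniel
# describes for iptables + nftables).

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Guests talk to dnsmasq on the host: DNS (53) and DHCP (67).
        # Add udp dport 69 here only if the network has TFTP enabled.
        iifname "virbr0" udp dport { 53, 67 } accept
        iifname "virbr0" tcp dport { 53, 67 } accept

        # ... your own host input rules go here ...
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the guests opened.
        oifname "virbr0" ip daddr 192.168.122.0/24 ct state established,related accept

        # Guest-originated traffic, to the outside or to other guests.
        iifname "virbr0" ip saddr 192.168.122.0/24 accept
        iifname "virbr0" oifname "virbr0" accept

        # Anything else entering or leaving via the bridge is rejected,
        # mirroring libvirt's icmp-port-unreachable REJECT rules.
        iifname "virbr0" reject with icmp type port-unreachable
        oifname "virbr0" reject with icmp type port-unreachable

        # ... your own forwarding rules go here ...
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Masquerade guest traffic leaving the subnet, but never rewrite
        # traffic that stays on the bridge or is multicast/broadcast.
        ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 \
            ip daddr != 224.0.0.0/4 ip daddr != 255.255.255.255 masquerade
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. Before relying on it, check that libvirt really has stopped adding its own rules (`iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` should show nothing for virbr0); if both rule sets are present, a packet has to be accepted by both, which is exactly the breakage Daniel warns about. Note that these rules only replace libvirt's network-level NAT and forwarding policy; the per-domain traffic isolation Michal mentions is a separate concern that this ruleset does not provide.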