[Please keep the list CC-ed as it may help somebody from future when
searching for solution to the same problem]
On 5/6/19 6:08 PM, nakata@geekpit.org wrote:
> On 2019-05-06 16:26, Michal Privoznik wrote:
>> On 5/6/19 3:44 PM, nakata@geekpit.org wrote:
>>> Hi,
>>>
>>> i want to disable the nwfilter functionality of libvirt.
>>> It's surely nice for some people, nevertheless i don't want libvirt
>>> to alter any netfilter rules, nor do i want the according
>>> functionality even available.
>>
>> It's not only NWFilter that will inject firewall rules. Depending on
>> configuration it might also be the default network.
>>
>>> I know about nwfilter-undefine, but what i'm looking for is an option
>>> to globally disable this functionality at all. Some config flag or
>>> similar.
>>> How can i achieve that?
>>
>> Unless you have a domain <interface/> defined so that it uses a
>> nwfilter then no firewall rules are added by nwfilter code.
>>
>> If you still want to remove nwfilter module then just uninstall it,
>> e.g. via:
>>
>> dnf remove libvirt-daemon-driver-nwfilter libvirt-daemon-config-nwfilter
>>
>> Michal
>
> Hi,
>
> me again.
> Another question libvirt is adding chains. Where do i disable these:
>
> chains are LIBVIRT-{FWO,FWX,FWI, INP, OUT}
>
> These are absolutely and explicit unwanted.
> Adding new rich features for folks is a fine thing, but i need an opt out.
> Please, how do i get rid of it?
As I've said, there are two sources which cause libvirt to insert FW
rules. By uninstalling nwfilter module you've eliminated one. But since
you're still able to run the domain this step was useless because your
domain doesn't have nwfilter configured for any of its <interface/>-s
and thus nwfilter module did nothing but sit there.
The other module that is inserting FW rules is network module.
Currently, when libvirtd is starting it reads all the configs of defined
networks. If a NATed network is found then it creates those LIBVIRT-*
chains and when the network is started then all the rules will be placed
into those chains to not contaminate config set by sysadmin.
There is a patch to postpone creating the chains until the network actually is
starting:
https://www.redhat.com/archives/libvir-list/2019-April/msg01547.html
So your options here are:
a) undefine all NATed networks (typically there's 'default' network)
b) uninstall network module (but this will render all domains using
<interface type='network'/> unable to start).
As an extension to a) you can have a network with <forward mode='open'/>
which preserves all the advantages of having a libvirt network but does
not install any FW rules.
Of course, any comments to aforementioned patch are welcome too.
Michal
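An added example (not part of the thread, and not libvirt's own shipped configuration) of the open-mode network Michal refers to, as it would be fed to `virsh net-define`; the network name, bridge name and addresses are made-up values:

```xml
<!-- Open-mode libvirt network: libvirt manages the bridge, DHCP and DNS
     (dnsmasq) but installs NO iptables/nftables rules for it, unlike the
     default network, whose <forward mode='nat'/> causes the LIBVIRT-* chains
     and rules to be created. Forwarding/NAT for this subnet, if wanted, must
     be provided by the host's own firewall configuration. -->
<network>
  <name>open-net</name>                    <!-- constructed name -->
  <forward mode='open'/>                   <!-- key setting: no FW rules -->
  <bridge name='virbr-open' stp='on' delay='0'/>  <!-- constructed name -->
  <ip address='192.168.150.1' netmask='255.255.255.0'>  <!-- constructed -->
    <dhcp>
      <range start='192.168.150.100' end='192.168.150.200'/>
    </dhcp>
  </ip>
</network>
```

Define and start it with `virsh net-define open-net.xml` followed by `virsh net-start open-net`, then point guests at it with `<interface type='network'><source network='open-net'/></interface>`; after that, `iptables -S | grep LIBVIRT` should show no rules added for this network.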