Package: libvirt-daemon
Version: 5.0.0-4+deb10u1
Severity: normal
Tags: upstream
Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?

I have set up a bridge manually:

cat /etc/network/interfaces
--- snip ---
auto dmz
iface dmz inet static
    # Reserved KVM MAC addresses: 52:54:00:xx:xx:xx (Nb. a8=168, 1b=27)
    hwaddress ether 52:54:00:00:00:01
    address 192.168.0.1/24
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0

I have also disabled the default network used by kvm as follows:

virsh net-destroy default
virsh net-undefine default

I have configured my own firewall using nftables:

cat /etc/nftables.conf
flush ruleset

define lan_if = "eth0"

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        oif $lan_if masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

I have installed several kvm virtual machines running debian. Everything works well, except: every time I reboot, libvirtd futzes with my firewall.
libvirtd calls iptables, ip6tables and ebtables and creates the following additional tables and chains:

table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}

table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}

table bridge filter {
    chain INPUT {
        type filter hook input priority -200; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority -200; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority -200; policy accept;
    }
}

I don't want these added and I can't seem to get systemd to rerun my nftables script after libvirtd does its thing.

* What exactly did you do (or not do) that was effective (or ineffective)?

I have tried setting up a systemd service as follows:

cat /etc/systemd/system/firewall
[Unit]
Description=firewall
Requires=network-online.target libvirtd.service
After=network-online.target libvirtd.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset

[Install]
WantedBy=multi-user.target

I was hoping this would run after libvirtd and override what it did. But this didn't work. It seems that libvirtd takes time to complete and the iptables calls come after my firewall.system service fires even though I added the Requires= and After= lines.

I moved the file /usr/sbin/xtables-nft-multi to /usr/sbin/xtables-nft-multi-saved and this did work because then libvirtd was unable to do its calls to (eb|ip|ip6)tables, but this is not really a solution because if the package is updated some time in the future the binary executable could be re-installed without me recognising.
* What was the outcome of this action?

Frustration.

* What outcome did you expect instead?

I expect there should be some way to tell libvirtd to not make any calls to iptables. Leave my firewall alone! I will configure my firewall how I want it to be.

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii  libacl1              2.2.53-4
ii  libapparmor1         2.13.2-10
ii  libaudit1            1:2.8.4-3
ii  libavahi-client3     0.7-4+b1
ii  libavahi-common3     0.7-4+b1
ii  libblkid1            2.33.1-0.1
ii  libc6                2.28-10
ii  libcap-ng0           0.7.9-2
ii  libcurl3-gnutls      7.64.0-4+deb10u1
ii  libdbus-1-3          1.12.16-1
ii  libdevmapper1.02.1   2:1.02.155-3
ii  libfuse2             2.9.9-1
ii  libgcc1              1:8.3.0-6
ii  libgnutls30          3.6.7-4+deb10u3
pn  libnetcf1            <none>
ii  libnl-3-200          3.4.0-1
ii  libnl-route-3-200    3.4.0-1
ii  libnuma1             2.0.12-1
ii  libparted2           3.2-25
ii  libpcap0.8           1.8.1-6
ii  libpciaccess0        0.14-1
ii  libsasl2-2           2.1.27+dfsg-1+deb10u1
ii  libselinux1          2.8-1+b1
ii  libssh2-1            1.8.0-2.1
ii  libudev1             241-7~deb10u3
pn  libvirt0             <none>
pn  libxenmisc4.11       <none>
pn  libxenstore3.0       <none>
pn  libxentoollog1       <none>
ii  libxml2              2.9.4+dfsg1-7+b3
ii  libyajl2             2.1.0-3

Versions of packages libvirt-daemon recommends:
ii  libxml2-utils        2.9.4+dfsg1-7+b3
pn  netcat-openbsd       <none>
pn  qemu-kvm | qemu      <none>

Versions of packages libvirt-daemon suggests:
pn  libvirt-daemon-driver-storage-gluster  <none>
pn  libvirt-daemon-driver-storage-rbd      <none>
pn  libvirt-daemon-driver-storage-zfs      <none>
pn  libvirt-daemon-system                  <none>
pn  numad                                  <none>
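The drift the report describes (libvirtd's iptables/ip6tables/ebtables calls adding tables the reporter never defined) can be detected from a shell. This is an added example, not code from the bug report or from libvirt: it compares the output of "nft list tables" against the two tables the reporter's /etc/nftables.conf creates and lists any others; the constructed sample output and the live-system wrapper are my assumptions.

```shell
#!/bin/sh
# Added example: report nftables tables that are not in the allowlist.
# The reporter's /etc/nftables.conf defines exactly "ip nat" and
# "inet filter"; after libvirtd starts, "ip filter", "ip6 filter" and
# "bridge filter" appear as well. Keys are "<family>/<name>", taken from
# the "table <family> <name>" lines that `nft list tables` prints.

# Allowlist derived from the reporter's /etc/nftables.conf.
EXPECTED_TABLES="ip/nat inet/filter"

# Constructed sample of `nft list tables` output once libvirtd has run
# (assumption: this matches the tables listed in the report).
SAMPLE_AFTER_LIBVIRT="table ip nat
table inet filter
table ip filter
table ip6 filter
table bridge filter"

# unexpected_tables "<output of nft list tables>"
# Prints one "<family>/<name>" line per table missing from the allowlist.
# Exit 0 when only expected tables exist, 1 when the ruleset has drifted.
unexpected_tables() {
    printf '%s\n' "$1" | awk -v allow="$EXPECTED_TABLES" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "table" && NF == 3 {
            key = $2 "/" $3
            if (!(key in ok)) { print key; drifted = 1 }
        }
        END { exit (drifted ? 1 : 0) }'
}

# check_live_ruleset: same check against the running kernel (needs root
# and nft). Hypothetical wrapper; usable from a timer or as a post-start
# hook so a reload of /etc/nftables.conf can follow when drift is found.
check_live_ruleset() {
    unexpected_tables "$(nft list tables)"
}

# Stand-alone demonstration on the constructed sample (no nft call).
if drift=$(unexpected_tables "$SAMPLE_AFTER_LIBVIRT"); then
    echo "ruleset matches /etc/nftables.conf"
else
    printf 'ruleset has drifted; unexpected tables:\n%s\n' "$drift"
fi
```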