Public bug reported: After "auto security updates" updated my libvirt I have noticed that forward mode open is adding LIBVIRT rules to my iptables for the default network. This was supposed to happen with forward mode nat, but not with forward mode open.
apt-cache policy libvirt-daemon:
libvirt-daemon:
  Installed: 6.0.0-0ubuntu8.16
  Candidate: 6.0.0-0ubuntu8.16
  Version table:
 *** 6.0.0-0ubuntu8.16 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     6.0.0-0ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages

lsb_release -rd:
Description:    Ubuntu 20.04.3 LTS
Release:        20.04

VM network settings:
virsh net-dumpxml --inactive default
<network>
  <name>default</name>
  <uuid>17c58686-736c-49e4-8ae9-99a8d25f032c</uuid>
  <forward mode='open'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:f6:68:91'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

What I expect to happen:
Because I have forward mode='open' I expect that when libvirtd gets restarted it will NOT load its own rules into my firewall. This has been the case for me since mode open was added.

What is happening:
(staging) root@server:~$ iptables-save|grep -i virt
(staging) root@server:~$ service libvirtd restart
(staging) root@server:~$ iptables-save|grep -i virt
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: firewall libvirt

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1971619

Title:
  forward mode open is adding libvirt iptables rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1971619/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
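Added example, not part of the bug report or of libvirt itself: a Python check that reads a network definition and an iptables-save dump and flags LIBVIRT_* rules bound to that network's bridge or subnet when the forward mode is open, so a host owner can confirm after a libvirt upgrade or restart that an open network has not quietly acquired MASQUERADE or REJECT rules. The two input strings are constructed to mirror the report; in practice they come from `virsh net-dumpxml --inactive default` and `iptables-save`.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed inputs shaped like the report's output, not captured from the reporter's host.
NETWORK_XML = """<network>
  <name>default</name>
  <forward mode='open'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>"""

IPTABLES_SAVE = """*nat
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -j LIBVIRT_FWI
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT"""

def network_facts(network_xml):
    """Return (forward mode, bridge name, subnet) from a libvirt network definition."""
    root = ET.fromstring(network_xml)
    fwd = root.find("forward")
    # libvirt treats <forward> without a mode attribute as nat; no <forward> means isolated.
    mode = "isolated" if fwd is None else fwd.get("mode", "nat")
    bridge = root.find("bridge").get("name")
    ip = root.find("ip")
    subnet = ipaddress.ip_network(f"{ip.get('address')}/{ip.get('netmask')}", strict=False)
    return mode, bridge, str(subnet)

def libvirt_rules_for(iptables_save, bridge, subnet):
    """Rules in LIBVIRT_* chains that reference this network's bridge or subnet."""
    return [line for line in iptables_save.splitlines()
            if line.startswith("-A LIBVIRT_")
            and (f"-i {bridge}" in line or f"-o {bridge}" in line or subnet in line)]

def check_network(network_xml, iptables_save):
    """An open-mode network should own no firewall rules; report what is actually loaded."""
    mode, bridge, subnet = network_facts(network_xml)
    rules = libvirt_rules_for(iptables_save, bridge, subnet)
    return {
        "mode": mode,
        "rules": len(rules),
        "masquerade": any(" -j MASQUERADE" in r for r in rules),
        "reject": any(" -j REJECT" in r for r in rules),
        "unexpected": mode == "open" and bool(rules),
    }
```

Chain jumps such as `-A POSTROUTING -j LIBVIRT_PRT` are ignored on purpose: they are shared by every libvirt network, so only rules that name this network's bridge or subnet are attributed to it.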