I just switched from VirtualBox to Virt Manager with KVM and I am very happy with the switch (my initial motivation for it was to use the same virtualization for desktop VMs and server VMs by ditching both VirtualBox and vanilla Proxmox in favor of libvirt). That said, I don't really know what I am doing, so I could use some help.

I run Debian VMs on a Debian host. I defined a simple bridge on the host (in /etc/network/interfaces) and put all my VMs on it. The host runs UFW default configuration. All is happy and well until I try to use nwfilters.

I defined a filter (virsh nwfilter-define) and added it to a VM 'my-vm1' (aka filterref filter='my-vm1-filter' in the network device of my-vm1). The traffic of 'my-vm1' is filtered as expected, BUT other VMs annoyingly lose connectivity:

  • rebooting these other VMs does not help: looks like they cannot do DHCP
  • stopping my-vm1 does not help
  • rebooting the host and not starting my-vm1 is necessary to restore networking on other VMs
  • I tried to make sense of the change in the iptables -L output after starting my-vm1, and it is confusing. But I do not know anything about iptables in the first place.

First question: is there a well-known issue, step or limitation for using nwfilters that I miserably missed?

And if not, suggestions on what to try next? Happy to learn something new relevant to my problem.


1 Answer

In case someone lands here, here is some progress:

  • I realized that nft would give me a better picture than iptables, which is referenced by old posts. From what I understood, libvirt uses nftables nowadays
  • It turns out that ufw does not play well with libvirt: if I disable it then my problem goes away and other VMs without any nwfilter work fine.
  • Read somewhere that firewalld may play better with libvirt but haven't tried it

EDIT: For noobs like me, firewalld is indeed working much better for my simple use case at least:

  • put the host bridge in the 'libvirt' zone
  • services, ports etc of that zone apply only to the host incoming traffic (not the VMs which can then rely on their own nwfilter)
  • the libvirt zone's target has to remain 'accept' (not drop nor reject): somewhat counterintuitively, the packets not covered by the services/ports are not accepted by the host but 'accept' is necessary for the VM traffic.
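The firewalld setup described in the answer, as an added example that is not part of the original post: it applies the three points with firewall-cmd and includes an offline check that parses a constructed `firewall-cmd --zone=libvirt --list-all` dump. The bridge name br0 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes the host bridge is
# called br0 (assumption) and firewalld's stock 'libvirt' zone exists.
BRIDGE="${BRIDGE:-br0}"

# Apply the answer's three points. Needs root and a running firewalld.
apply_libvirt_zone() {
    # 1) put the host bridge in the 'libvirt' zone
    firewall-cmd --permanent --zone=libvirt --change-interface="$BRIDGE"
    # 3) the zone target must stay ACCEPT, otherwise bridged VM traffic
    #    (including DHCP for VMs without their own nwfilter) is dropped
    firewall-cmd --permanent --zone=libvirt --set-target=ACCEPT
    firewall-cmd --reload
}

# Check a '--list-all' dump of the libvirt zone. Returns 0 only if the
# bridge is listed under 'interfaces:' and the target is ACCEPT.
check_libvirt_zone() {
    dump="$1"
    iface_ok=$(printf '%s\n' "$dump" | awk -v b="$BRIDGE" \
        '/^ *interfaces:/ { for (i = 2; i <= NF; i++) if ($i == b) { print "yes"; exit } }')
    target=$(printf '%s\n' "$dump" | awk '/^ *target:/ { print $2; exit }')
    [ "$iface_ok" = "yes" ] && [ "$target" = "ACCEPT" ]
}

# Constructed sample dumps (not captured from a real host) for an offline check.
GOOD_DUMP='libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:'
BAD_DUMP='libvirt (active)
  target: DROP
  interfaces: br0
  services: dhcp dns'

check_libvirt_zone "$GOOD_DUMP" && echo "libvirt zone ok for $BRIDGE"
check_libvirt_zone "$BAD_DUMP" || echo "libvirt zone misconfigured: target must stay ACCEPT"
```

Run check_libvirt_zone against the live output of `firewall-cmd --zone=libvirt --list-all` to confirm the setup before starting a filtered VM.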