Re: [libvirt-users] disable libvirt-nwfilter



[Please keep the list CC-ed as it may help somebody in the future when searching for a solution to the same problem]
On 5/6/19 6:08 PM, nakata geekpit org wrote:
> On 2019-05-06 16:26, Michal Privoznik wrote:
>> On 5/6/19 3:44 PM, nakata geekpit org wrote:
>>> Hi,
>>>
>>> i want to disable the nwfilter functionality of libvirt.
>>> It's surely nice for some people, nevertheless i don't want libvirt to alter any netfilter rules, neither i want the according functionality even available.
>>
>> It's not only NWFilter that will inject firewall rules. Depending on
>> configuration it might also be the default network.
>>
>>> I know about nwfilter-undefine, but what i'm looking for is an option to globally disable this functionality at all. Some config flag or similar.
>>> How can i achieve that?
>>
>> Unless you have a domain <interface/> defined so that it uses a
>> nwfilter then no firewall rules are added by nwfilter code.
>>
>> If you still want to remove nwfilter module then just uninstall it, e.g. via:
>>
>> dnf remove libvirt-daemon-driver-nwfilter libvirt-daemon-config-nwfilter
>>
>> Michal
>
> Hi,
>
> me again.
> Another question: libvirt is adding chains. Where do i disable these:
>
> chains are LIBVIRT-{FWO,FWX,FWI, INP, OUT}
>
> These are absolutely and explicitly unwanted.
> Adding new rich features for folks is a fine thing, but i need an opt out.
> Please, how do i get rid of it?

As I've said, there are two sources which cause libvirt to insert FW rules. By uninstalling nwfilter module you've eliminated one. But since you're still able to run the domain this step was useless because your domain doesn't have nwfilter configured for any of its <interface/>-s and thus nwfilter module did nothing but sit there.

The other module that is inserting FW rules is network module.
Currently, when libvirtd is starting it reads all the configs of defined networks. If a NATed network is found then it creates those LIBVIRT-* chains and when the network is started then all the rules will be placed into those chains to not contaminate config set by sysadmin. There is a patch to postpone creating the chains until the network actually is starting:

https://www.redhat.com/archives/libvir-list/2019-April/msg01547.html

So your options here are:

a) undefine all NATed networks (typically there's 'default' network)
b) uninstall network module (but this will render all domains using <interface type='network'/> unable to start).

As an extension to a) you can have a network with <forward mode='open'/> which preserves all the advantages of having a libvirt network but does not install any FW rules.

Of course, any comments to aforementioned patch are welcome too.

Michal
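The audit Michal's options a) and the `<forward mode='open'/>` extension imply can be scripted against the XML that `virsh net-dumpxml` prints for each defined network. The following Python is an added example, not code from the thread or from the libvirt project: it classifies network definitions by forward mode, flags the NATed ones (the ones the thread says cause the LIBVIRT-* chains), and rewrites a NAT definition to open mode while keeping its bridge, address and DHCP settings. The three network definitions embedded below are constructed samples; the assumption that a `<forward/>` element without a `mode` attribute means NAT follows libvirt's documented default and is marked in the code.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling the stock 'default' NAT network.
DEFAULT_NAT_XML = """<network>
  <name>default</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
"""

# Constructed sample: a libvirt network in open mode (no firewall rules, per the thread).
OPEN_XML = """<network>
  <name>lab-open</name>
  <forward mode='open'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.200.1' netmask='255.255.255.0'/>
</network>
"""

# Constructed sample: an isolated network, i.e. no <forward/> element at all.
ISOLATED_XML = """<network>
  <name>isolated</name>
  <bridge name='virbr2' stp='on' delay='0'/>
  <ip address='192.168.201.1' netmask='255.255.255.0'/>
</network>
"""


def network_name(network_xml: str) -> str:
    """Return the <name> of a libvirt network definition."""
    return ET.fromstring(network_xml).findtext('name')


def forward_mode(network_xml: str) -> str:
    """Return the forward mode ('nat', 'open', 'route', ...) or 'none' for an isolated network."""
    fwd = ET.fromstring(network_xml).find('forward')
    if fwd is None:
        return 'none'
    # Assumption: a bare <forward/> defaults to NAT, as libvirt's network format documents.
    return fwd.get('mode', 'nat')


def installs_firewall_rules(network_xml: str) -> bool:
    """True for the case the thread names: a NATed network makes libvirt create LIBVIRT-* chains."""
    return forward_mode(network_xml) == 'nat'


def audit(network_xmls):
    """Names of the networks that would cause libvirt to install firewall rules."""
    return [network_name(x) for x in network_xmls if installs_firewall_rules(x)]


def convert_to_open(network_xml: str) -> str:
    """Rewrite a NAT network to <forward mode='open'/>; other definitions are returned unchanged.

    Bridge, IP and DHCP configuration is preserved.  NAT-only children such as
    <nat><port .../></nat> and forward attributes like dev= are dropped, since libvirt
    rejects them in open mode.
    """
    if forward_mode(network_xml) != 'nat':
        return network_xml
    root = ET.fromstring(network_xml)
    fwd = root.find('forward')
    for child in list(fwd):
        fwd.remove(child)
    fwd.attrib.clear()
    fwd.set('mode', 'open')
    return ET.tostring(root, encoding='unicode')


if __name__ == '__main__':
    defined = [DEFAULT_NAT_XML, OPEN_XML, ISOLATED_XML]
    print('networks that install firewall rules:', audit(defined))
    print(convert_to_open(DEFAULT_NAT_XML))
```

To use it against a real host, feed each network's `virsh net-dumpxml <name>` output to `audit`; a converted definition would then be applied with `virsh net-undefine` followed by `virsh net-define` on the rewritten XML, after checking that the guests on that network do not depend on the NAT behaviour being removed.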
