trying to understand how libvirt uses firewalld
Felix Schwarz
felix.schwarz at oss.schwarz.eu
Fri Apr 30 11:30:33 UTC 2021
Hi,
I recently installed a test box using CentOS 8 and installed a CentOS 8 guest
via libvirt (KVM).
I need to use "routed" forwarding as the datacenter only gives me individual IPs
which are routed to the physical interface and the switch only accepts packets
with a well-known MAC address.
On the host I enabled firewalld and moved the guest to a specific firewalld
zone. I verified that libvirt is detecting firewalld.
My idea was that I could use this to create somewhat fine-grained filters on the
host for traffic from the internet to the guest (and possibly vice-versa).
However, it seems that this does not work the way I wanted:
It seems as if nothing changes when I allow/disallow SSH for that zone. I can
still ssh from the internet to the guest.
After several reads of the documentation I have a guess at what might be going
on, but I'd like to confirm it:
https://libvirt.org/firewall.html#fw-firewalld-and-virtual-network-driver
> If firewalld is active on the host, libvirt will attempt to place the bridge
> interface of a libvirt virtual network into the firewalld zone named
> "libvirt" (thus making all guest->host traffic on that network subject to
> the rules of the "libvirt" zone).
Does that mean libvirt's firewalld usage is ONLY for traffic guest->host and
does not affect all other traffic (e.g. host->guest, guest<->internet)?
That sounds incredibly narrow (and not very useful for me) but it would explain
why I don't see any effects in my experiment...
---
On a related note, it would be nice if there was a way to make routed setups with
individual IPs easier. This problem has haunted me for more than 10 years (I think I
posted something in 2009 - still the same problem basically) and it would be
nice if libvirt could somehow support this use case better:
I want to allow traffic guest <-> internet in a routed setup. libvirt generates
iptables rules like these:
Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in          out     source               destination
    0     0 ACCEPT     all  --  br-private  *       10.11.0.0/24         0.0.0.0/0
    0     0 REJECT     all  --  br-private  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  br-public   *       (NETWORK IP)         0.0.0.0/0
   43  3232 REJECT     all  --  br-public   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
In my case "NETWORK IP" is a /32 IPv4 and AFAIK I have to put the host's IPv4
here (which is basically the router) so I can assign the guest IP inside the VM.
What I need is basically a rule like the ACCEPT one above but with the GUEST IP. I
have some elaborate Python script which I can use as a "network" hook but that
requires parsing output of "iptables" due to libvirt's events (e.g. libvirtd
restart triggers one "plugged" event per VM).
Thank you very much,
Felix
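An added example, not Felix's hook script and not part of libvirt: a minimal network hook that keeps an ACCEPT rule for each routed guest IP in the LIBVIRT_FWO chain and tests for the rule with "iptables -C" instead of parsing "iptables -L" output, so the repeated "plugged" events after a libvirtd restart stay harmless. The bridge names, guest IPs and the ROUTED_GUESTS mapping are constructed sample data.

```python
"""Hypothetical libvirt network hook (/etc/libvirt/hooks/network) that keeps an
ACCEPT rule for each routed guest IP in the LIBVIRT_FWO chain. It uses
`iptables -C` to test for the rule rather than parsing `iptables -L` output,
so it is idempotent across the per-VM "plugged" events libvirt emits.
Assumption: the bridge names and guest IPs below are constructed sample data."""
import subprocess
import sys

# Constructed: routed guests keyed by libvirt network name -> (bridge, guest /32)
ROUTED_GUESTS = {
    "public": [("br-public", "198.51.100.10/32")],
}

# Hook operations after which libvirt may have rebuilt its chains
REAPPLY_ON = {"started", "plugged", "updated"}


def rule_args(bridge, guest_ip):
    """Rule spec: forwarded traffic that entered via the guest's bridge and
    carries the guest's /32 as source (the page's ACCEPT rule, with GUEST IP)."""
    return ["LIBVIRT_FWO", "-i", bridge, "-s", guest_ip, "-j", "ACCEPT"]


def ensure_rule(bridge, guest_ip, run=subprocess.run):
    """Insert the ACCEPT rule at position 1 (ahead of libvirt's REJECT) unless
    it is already present. Returns True if inserted, False if it existed.
    `run` is injectable so the decision logic can be exercised without root."""
    check = run(["iptables", "-w", "-C"] + rule_args(bridge, guest_ip),
                capture_output=True)
    if check.returncode == 0:
        return False
    run(["iptables", "-w", "-I"] + rule_args(bridge, guest_ip), check=True)
    return True


def handle_event(network, operation, run=subprocess.run):
    """Return how many rules this hook invocation inserted."""
    if operation not in REAPPLY_ON:
        return 0
    return sum(ensure_rule(b, ip, run) for b, ip in ROUTED_GUESTS.get(network, []))


if __name__ == "__main__":
    # libvirt invokes: network <network name> <operation> <sub-operation> -
    handle_event(sys.argv[1], sys.argv[2])
```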