trying to understand how libvirt uses firewalld

Felix Schwarz felix.schwarz at oss.schwarz.eu
Fri Apr 30 11:30:33 UTC 2021


Hi,

I recently installed a test box using CentOS 8 and installed a CentOS 8 guest
via libvirt (KVM).
I need to use "routed" forwarding as the datacenter only gives me individual IPs
which are routed to the physical interface and the switch only accepts packets
with a well-known MAC address.

On the host I enabled firewalld and moved the guest to a specific firewalld 
zone. I verified that libvirt is detecting firewalld.

My idea was that I could use this to create somewhat fine-grained filters on the
host for traffic from the internet to the guest (and possibly vice-versa).

However it seems like that does not work the way I wanted:
It seems as if nothing changes when I allow/disallow SSH for that zone. I can
still ssh from the internet to the guest.

After several reads on the documentation I have a guess of what might be going
on but I'd like to confirm that:
https://libvirt.org/firewall.html#fw-firewalld-and-virtual-network-driver

> If firewalld is active on the host, libvirt will attempt to place the bridge
>  interface of a libvirt virtual network into the firewalld zone named 
> "libvirt" (thus making all guest->host traffic on that network subject to
> the rules of the "libvirt" zone).
Does that mean libvirt's firewalld usage is ONLY for traffic guest->host and 
does not affect all other traffic (e.g. host->guest, guest<->internet)?
That sounds incredibly narrow (and not very useful for me) but it would explain 
why I don't see any effects in my experiment...


---
In a related note it would be nice if there was a way to make routed setups with 
individual IPs easier. This problem haunts me for more than 10 years (I think I 
posted something in 2009 - still the same problem basically) and it would be 
nice if libvirt could somehow support this use case better:

I want to allow traffic guest <-> internet in a routed setup. libvirt generates 
iptables rules like these:

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br-private *       10.11.0.0/24         0.0.0.0/0
    0     0 REJECT     all  --  br-private *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  br-public  *       (NETWORK IP)         0.0.0.0/0
   43  3232 REJECT     all  --  br-public  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

In my case "NETWORK IP" is a /32 IPv4 and AFAIK I have to put the host's IPv4 
here (which is basically the router) so I can assign the guest IP inside the VM.
What I need is basically a rule like the ACCEPT one above but with the GUEST IP. I 
have some elaborate Python script which I can use as a "network" hook but that 
requires parsing output of "iptables" due to libvirt's events (e.g. libvirtd 
restart triggers one "plugged" event per VM).

Thank you very much,
Felix
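Added example (not part of the post above, and not libvirt's own code): the kind of parsing a libvirt "network" hook has to do when it wants to add a per-guest ACCEPT rule to LIBVIRT_FWO idempotently. It parses the `iptables -nvL LIBVIRT_FWO` table format shown in the post, checks whether an ACCEPT for the guest IP on the routed bridge already exists (so a repeated "plugged" event after a libvirtd restart does not duplicate the rule), and computes the 1-based rule number at which the new ACCEPT must be inserted so it lands before the bridge's REJECT. The chain text, the bridge name `br-public`, the host IP 203.0.113.1 standing in for "(NETWORK IP)" and the guest IP 192.0.2.10 are constructed sample values; the function names are this example's own. The block only builds the iptables command line; applying it is left to the caller.

```python
"""Plan a per-guest ACCEPT rule for libvirt's LIBVIRT_FWO chain.

Hypothetical helper for a libvirt network hook: parses `iptables -nvL`
output and returns the argv needed to allow a routed guest IP.
"""
import ipaddress
import subprocess

# Constructed sample: the chain from the post, with 203.0.113.1 (a
# documentation address) standing in for the host's "(NETWORK IP)".
SAMPLE_CHAIN = """\
Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br-private *       10.11.0.0/24         0.0.0.0/0
    0     0 REJECT     all  --  br-private *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  br-public  *       203.0.113.1          0.0.0.0/0
   43  3232 REJECT     all  --  br-public  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

# Column order of `iptables -nvL` (verbose, numeric) output.
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out",
          "source", "destination")


def parse_chain(text):
    """Turn `iptables -nvL <chain>` output into a list of rule dicts.

    Each dict carries the nine fixed columns, any trailing match text in
    "extra", and the 1-based rule number iptables would use for -I/-D.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Chain", "pkts"):
            continue                      # chain banner or column header
        if len(parts) < len(FIELDS):
            continue                      # wrapped/truncated line, ignore
        rule = dict(zip(FIELDS, parts[:len(FIELDS)]))
        rule["extra"] = " ".join(parts[len(FIELDS):])
        rule["num"] = len(rules) + 1
        rules.append(rule)
    return rules


def has_guest_accept(rules, bridge, guest_ip):
    """True if an ACCEPT already covers traffic from guest_ip entering via bridge."""
    want = ipaddress.ip_network(guest_ip)   # "a.b.c.d" and "a.b.c.d/32" compare equal
    for rule in rules:
        if rule["target"] != "ACCEPT" or rule["in"] != bridge:
            continue
        if ipaddress.ip_network(rule["source"]) == want:
            return True
    return False


def insert_position(rules, bridge):
    """Rule number at which a new ACCEPT must go to precede the bridge's REJECT."""
    for rule in rules:
        if rule["target"] == "REJECT" and rule["in"] == bridge:
            return rule["num"]            # -I at this number pushes REJECT down
    return len(rules) + 1                 # no REJECT yet: append at the end


def plan_guest_accept(chain_text, bridge, guest_ip):
    """Return the iptables argv to run, or [] if the rule is already present."""
    rules = parse_chain(chain_text)
    if has_guest_accept(rules, bridge, guest_ip):
        return []
    pos = insert_position(rules, bridge)
    # -w waits for the xtables lock instead of failing if libvirt holds it.
    return ["iptables", "-w", "-I", "LIBVIRT_FWO", str(pos),
            "-i", bridge, "-s", guest_ip, "-j", "ACCEPT"]


def live_chain():
    """Read the real chain from the running host (needs root)."""
    return subprocess.check_output(
        ["iptables", "-w", "-nvL", "LIBVIRT_FWO"], text=True)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print(plan_guest_accept(SAMPLE_CHAIN, "br-public", "192.0.2.10"))
    print(plan_guest_accept(SAMPLE_CHAIN, "br-public", "203.0.113.1"))  # []
```

Because the check is keyed on (target, in-interface, source), running the hook once per VM after a libvirtd restart is harmless: the second and later invocations return an empty plan instead of stacking duplicate ACCEPT rules in front of the REJECT.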