[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

trying to understand how libvirt uses firewalld


I recently installed a test box using CentOS 8 and installed a CentOS 8 guest
via libvirt (KVM).
I need to use "routed" forwarding as the datacenter only gives me individual IPs
which are routed to the physical interface and the switch only accepts packets
with a well-known MAC address.

On the host I enabled firewalld and moved the guest to a specific firewalld zone. I verified that libvirt is detecting firewalld.

My idea was that I could use this to create somewhat fine-grained filters on the
host for traffic from the internet to the guest (and possibly vice-versa).

However it seems like that does not work the way I wanted:
It seems as if nothing changes when I allow/disallow SSH for that zone. I can
still ssh from the internet to the guest.

After several reads on the documentation I have a guess of what might be going
on but I'd like to confirm that:

If firewalld is active on the host, libvirt will attempt to place the bridge
interface of a libvirt virtual network into the firewalld zone named "libvirt" (thus making all guest->host traffic on that network subject to
the rules of the "libvirt" zone).
Does that mean libvirt's firewalld usage is ONLY for traffic guest->host and does not affect all other traffic (e.g. host->guest, guest<->internet)? That sounds incredibly narrow (and not very useful for me) but it would explain why I don't see any effects in my experiment...

On a related note, it would be nice if there was a way to make routed setups with individual IPs easier. This problem has haunted me for more than 10 years (I think I posted something in 2009 - still the same problem basically) and it would be nice if libvirt could somehow support this use case better:

I want to allow traffic guest <-> internet in a routed setup. libvirt generates iptables rules like these:

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in          out     source          destination
    0     0 ACCEPT     all  --  br-private  *
    0     0 REJECT     all  --  br-private  *                                       reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  br-public   *       (NETWORK IP)
   43  3232 REJECT     all  --  br-public   *                                       reject-with icmp-port-unreachable

In my case "NETWORK IP" is a /32 IPv4 and AFAIK I have to put the host's IPv4 here (which is basically the router) so I can assign the guest IP inside the VM. What I need is basically a rule like the ACCEPT one above but with the GUEST IP. I have some elaborate Python script which I can use as a "network" hook but that requires parsing output of "iptables" due to libvirt's events (e.g. libvirtd restart triggers one "plugged" event per VM).

Thank you very much,
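A "network" hook of the kind the last paragraph describes, added here as an example; it is neither libvirt's code nor the poster's script. It assumes (none of this is confirmed by the post) that libvirt invokes it as "network <netname> <operation> <sub-operation> <extra>" with the hookData XML on stdin, that for "plugged"/"unplugged" that XML carries the guest's <interface> element, that the guest's routed IPv4 is recorded as an <ip address='...'/> child of that element (libvirt accepts the element in domain XML; KVM itself does nothing with it), that the routed network is called "public" on bridge br-public, and that iptables(8) supports -C. Instead of parsing "iptables -L" output it tests for each rule with -C, so the duplicate "plugged" events after a libvirtd restart are harmless. It goes slightly beyond the post by also adding the matching LIBVIRT_FWI rule, since routed traffic towards the guest is checked in that chain, not in LIBVIRT_FWO.

```python
#!/usr/bin/env python3
"""Example libvirt 'network' hook (not libvirt's own code): keep per-guest ACCEPT
rules in LIBVIRT_FWO / LIBVIRT_FWI for a routed network whose <ip> is the
host's /32.  Install as /etc/libvirt/hooks/network (mode 0755).

Assumptions (see lead-in): called as  network <netname> <op> <sub-op> <extra>
with hookData XML on stdin; guest IPv4 stored in <interface><ip address=.../>;
routed network "public" on bridge br-public; iptables supports -C.
"""
import subprocess
import sys
import xml.etree.ElementTree as ET

ROUTED_NET = "public"      # assumed network name
ROUTED_BR = "br-public"    # assumed bridge of that network


def guest_ipv4_from_hook_xml(xml_text):
    """Return the first IPv4 <ip address=...> under any <interface>, else None.
    The network's own <ip> (the host /32) lives under <network>, so it is skipped."""
    root = ET.fromstring(xml_text)
    for iface in root.iter("interface"):          # includes root if it is <interface>
        for ip in iface.findall("ip"):
            addr = ip.get("address", "")
            if addr.count(".") == 3 and ":" not in addr:
                return addr
    return None


def forward_rules(guest_ip, bridge=ROUTED_BR):
    """Rule specs (chain first, as iptables wants them) that let one guest's routed
    traffic past libvirt's per-bridge REJECT: guest->internet enters the host via
    the bridge (-i, LIBVIRT_FWO); internet->guest leaves via it (-o, LIBVIRT_FWI)."""
    return [
        ["LIBVIRT_FWO", "-i", bridge, "-s", guest_ip, "-j", "ACCEPT"],
        ["LIBVIRT_FWI", "-o", bridge, "-d", guest_ip, "-j", "ACCEPT"],
    ]


def _iptables(args):
    """Run iptables with the given arguments; True on exit status 0."""
    res = subprocess.run(["iptables", *args],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def ensure_rule(rule, run=_iptables):
    """Insert rule at the head of its chain (ahead of libvirt's REJECT) unless
    -C says it is already there.  True if inserted, False if already present."""
    if run(["-C", *rule]):
        return False
    if not run(["-I", *rule]):
        raise RuntimeError("iptables -I failed for: " + " ".join(rule))
    return True


def drop_rule(rule, run=_iptables):
    """Delete every copy of rule (earlier runs may have left duplicates).
    Returns the number of copies removed."""
    removed = 0
    while run(["-C", *rule]):
        if not run(["-D", *rule]):
            break
        removed += 1
    return removed


def sync_guest(op, guest_ip, run=_iptables):
    """Apply or remove the rules for one guest; returns the rule specs touched."""
    rules = forward_rules(guest_ip)
    for rule in rules:
        if op == "plugged":
            ensure_rule(rule, run)
        elif op == "unplugged":
            drop_rule(rule, run)
    return rules


def main(argv):
    # Only interface events on our routed network are interesting.
    if len(argv) < 3 or argv[1] != ROUTED_NET or argv[2] not in ("plugged", "unplugged"):
        return 0
    ip = guest_ipv4_from_hook_xml(sys.stdin.read())
    if ip is None:                 # no recorded IPv4: leave libvirt's rules alone
        return 0
    sync_guest(argv[2], ip)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The hook only runs on libvirt events, so anything else that flushes these chains (a "firewall-cmd --reload" on a firewalld host, for instance) silently drops the added rules until the next plugged event; if that matters, run the same sync from a systemd unit after firewalld as well.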
