Bug 1638342
| Field | Value |
|---|---|
| Summary | libvirt NAT'ed guest cannot access internet when firewalld is active [regression] |
| Product | [Community] Virtualization Tools |
| Reporter | post+redhat |
| Component | libvirt |
| Assignee | Libvirt Maintainers <libvirt-maint> |
| Status | NEW --- |
| Severity | unspecified |
| Priority | unspecified |
| Version | unspecified |
| CC | crobinso, ilmostro7, laine, libvirt-maint, lucas.yamanishi, post+redhat |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description

post+redhat 2018-10-11 11:09:06 UTC

What distro are you on? What firewalld version?

Debian testing, firewalld 0.6.2.

If you add FirewallBackend=iptables to /etc/firewalld/firewalld.conf and restart firewalld, libvirtd, and the default network (or maybe just reboot, the ordering may be weird), does that fix things? Fedora's firewalld package overwrites the default to be iptables, because the new nftables default backend breaks libvirt NAT, so maybe Debian should do the same. https://bugzilla.redhat.com/show_bug.cgi?id=1623868

libvirt and firewalld developers are currently discussing how to make libvirt+firewalld+nftables work together properly. Doing so will take effort/code in both libvirt and firewalld. In the meantime, all distros should be keeping FirewallBackend=iptables in /etc/firewalld/firewalld.conf. (BTW, just restarting firewalld.service should be enough to get the change to take effect - libvirtd watches for restarts of firewalld, and reloads all of its firewall rules whenever it detects that event.) You should file a bug against the firewalld package on the downstream bugtracker for Debian (bugs.debian.org), since the change required is something that should be made only to the downstream build of firewalld on Debian.

Confirmed, setting FirewallBackend=iptables fixes the problem. I will report a bug in Debian, but of course fixing this in every distribution one-by-one is not going to scale...

Same issue observed in Archlinux. Since Arch tends to follow upstream, I suspect the approach taken will be to wait for the libvirt and/or firewalld maintainers to address this. In the meantime, there is an open bug that follows the developments here.

It was addressed upstream several months ago. It's now just waiting on firewalld to release firewalld-0.7.0 which contains support for rule priorities (a requirement for the fix).