Description of problem: I have a guest whose network is set to "default", which is a NAT network. This used to work fine (the guest could access the internet), but sometime within the last few weeks an update must have broken it: Now, the guest has no internet connection. I can do "systemctl disable firewalld" to fix that, but that's not a proper solution obviously. Version-Release number of selected component (if applicable): libvirt 4.7.0 (Debian testing) The update to 4.7 happened recently, so that fits with the regression, but I don't know which version I had installed when it last worked (likely 4.5 or 4.6). Steps to Reproduce: 1. Have a NAT'ed guest 2. Have firewalld configured 3. (Might be relevant) Have a firewalld zone configure to be used for all traffic from the NAT IP range. (This is because I want the guests to be able to access a server on the host that should not be accessible on the external network my host is connected to.) Actual results: The guest has no internet connectivity. It does not even get DHCP unless I have "dhcp" enabled in firewalld (which also was not necessary before). Expected results: Internet should work fine in the guest. Additional info: The firewalld configuration applet says the virtual network interface is in the "public" zone. I tried switching them to a different zone (the one that 192.168.122.0/24 automatically gets put into), and enabled "dhcp", which fixed DHCP for the guest -- but there does not seem to be a way to allow forwarding in the firewalld applet. And anyway this should not be needed. I also do not remember even seeing the virtual network interfaces in the firewalld configuration, so the fact that they show up there at all now might be related to the fact that internet does not work any more in the guest.
What distro are you on? What firewalld version?
Debian testing, firewalld 0.6.2.
If you add FirewallBackend=iptables to /etc/firewalld/firewalld.conf and restart firewalld, libvirtd, and the default network, (or maybe just reboot, the ordering may be weird), does that fix things?
Fedora's firewalld package overwrites the default to be iptables, because the new nftables default backend breaks libvirt NAT, so maybe debian should do the same. https://bugzilla.redhat.com/show_bug.cgi?id=1623868
libvirt and firewalld developers are currently discussing how to make libvirt+firewalld+nftables work together properly. Doing so will take effort/code in both libvirt and firewalld. In the meantime, all distros should be keeping FirewallBackend=iptables in /etc/firewalld/firewalld.conf. (BTW, just restarting firewalld.service should be enough to get the change to take effect - libvirtd watches for restarts of firewalld, and reloads all of its firewall rules whenever it detects that event.) You should file a bug against the firewalld package on the downstream bugtracker for debian (bugs.debian.org), since the change required is something that should be made only to the downstream build of firewalld on debian.
Confirmed, setting FirewallBackend=iptables fixes the problem. I will report a bug in Debian, but of course fixing this in every distribution one-by-one is not going to scale...
Same issue observed in Archlinux. Since Arch tends to follow upstream, I suspect the approach taken will be to wait for the libvirt and/or firewalld maintainers to address this. In the meantime, there is an open bug that follows the developments here.
It was addressed upstream several months ago. It's now just waiting on firewalld to release firewalld-0.7.0 which contains support for rule priorities (a requirement for the fix).