Package: libvirt-daemon
Version: 3.0.0-4+deb9u3
Severity: normal

Dear Maintainer,
* What led up to the situation?

I set up a routed network for virtual machines with this configuration:

  <network>
    <name>default</name>
    <uuid>eabed2d7-13e3-4bde-a812-f6bb6ce881a6</uuid>
    <forward mode='route'/>
    <bridge name='virbr0' stp='on' delay='0'/>
    <mac address='52:54:00:9c:a3:fc'/>
    <ip address='192.168.208.1' netmask='255.255.255.0'>
      <dhcp>
        <range start='192.168.208.128' end='192.168.208.254'/>
      </dhcp>
    </ip>
  </network>

* What exactly did you do (or not do) that was effective (or ineffective)?

I start the virtual network with this command:

  # virsh net-start default

* What was the outcome of this action?

libvirt adds these rules to the beginning of the FORWARD chain. This completely bypasses any pre-existing rules and makes it impossible to do packet filtering for virtual machines.

  -A FORWARD -d 192.168.208.0/24 -o virbr0 -j ACCEPT
  -A FORWARD -s 192.168.208.0/24 -i virbr0 -j ACCEPT
  -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
  -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

* What outcome did you expect instead?

Either the rules should not be added at all, or they should be added at the end of the FORWARD chain, so that they do not bypass existing rules and allow network filtering for virtual machines.
-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armel, armhf

Kernel: Linux 4.17.2 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libvirt-daemon depends on:
ii  libapparmor1        2.11.0-3+deb9u2
ii  libaudit1           1:2.6.7-2
ii  libavahi-client3    0.6.32-2
ii  libavahi-common3    0.6.32-2
ii  libblkid1           2.29.2-1+deb9u1
ii  libc6               2.24-11+deb9u3
ii  libcap-ng0          0.7.7-3+b1
ii  libdbus-1-3         1.10.26-0+deb9u1
ii  libdevmapper1.02.1  2:1.02.137-2
ii  libfuse2            2.9.7-1
ii  libgnutls30         3.5.8-5+deb9u3
ii  libnetcf1           1:0.2.8-1+b2
ii  libnl-3-200         3.2.27-2
ii  libnl-route-3-200   3.2.27-2
ii  libnuma1            2.0.11-2.1
ii  libparted2          3.2-17
ii  libpcap0.8          1.8.1-3
ii  libpciaccess0       0.13.4-1+b2
ii  librados2           10.2.5-7.2
ii  librbd1             10.2.5-7.2
ii  libsasl2-2          2.1.27~101-g0780600+dfsg-3
ii  libselinux1         2.6-3+b3
ii  libssh2-1           1.7.0-1
ii  libudev1            232-25+deb9u2
ii  libvirt0            3.0.0-4+deb9u3
ii  libxen-4.8          4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8
ii  libxenstore3.0      4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8
ii  libxml2             2.9.4+dfsg1-2.2+deb9u2
ii  libyajl2            2.1.0-2+b3

Versions of packages libvirt-daemon recommends:
ii  libxml2-utils  2.9.4+dfsg1-2.2+deb9u2
ii  netcat-openbsd 1.130-3
ii  qemu           1:2.8+dfsg-6+deb9u4

Versions of packages libvirt-daemon suggests:
ii  libvirt-daemon-system  3.0.0-4+deb9u3
pn  numad                  <none>

-- no debconf information
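As an added check (example code, not part of the bug report or of libvirt), the script below parses `iptables -S FORWARD` output and lists the administrator's rules that the libvirt rules described above make unreachable: once `-i virbr0 -j REJECT` (or `-o virbr0 -j REJECT`) sits at the top of the chain with no other match, every later rule on that interface and direction is dead. The rule set it runs on is a constructed sample modelled on the report, with one hypothetical admin rule appended after libvirt's five.

```python
import shlex

# Constructed sample of `iptables -S FORWARD` after `virsh net-start default`;
# libvirt's five rules sit above the administrator's own (hypothetical) SMTP filter.
SAMPLE_FORWARD = """\
-A FORWARD -d 192.168.208.0/24 -o virbr0 -j ACCEPT
-A FORWARD -s 192.168.208.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -p tcp --dport 25 -j DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Options that take a value; --reject-with is a target option, not a match.
OPTS = {"-i": "in", "-o": "out", "-j": "target", "--reject-with": None}

def parse_forward(text):
    """Parse `-A FORWARD ...` lines into in/out interface, target and other match tokens."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A FORWARD "):
            continue
        toks, i = shlex.split(line)[2:], 0
        rule = {"in": None, "out": None, "target": None, "extra": [], "raw": line}
        while i < len(toks):
            if toks[i] in OPTS:
                if OPTS[toks[i]]:
                    rule[OPTS[toks[i]]] = toks[i + 1]
                i += 2
            else:                      # any other token narrows the match
                rule["extra"].append(toks[i])
                i += 1
        rules.append(rule)
    return rules

def shadowed_rules(text, bridge="virbr0"):
    """Return rules that an earlier blanket terminal rule on `bridge` (only
    -i or only -o, nothing else, ACCEPT/DROP/REJECT) makes unreachable."""
    blanket, shadowed = set(), []      # directions already swallowed
    for r in parse_forward(text):
        if any(r[d] == bridge and d in blanket for d in ("in", "out")):
            shadowed.append(r["raw"])
            continue
        for d, other in (("in", "out"), ("out", "in")):
            if (r[d] == bridge and r[other] is None and not r["extra"]
                    and r["target"] in TERMINAL):
                blanket.add(d)
    return shadowed
```

Running `shadowed_rules(SAMPLE_FORWARD)` flags only the SMTP filter; moving that rule above libvirt's, as the report asks, makes the list empty.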