Put the rule in a network hook script (https://www.libvirt.org/hooks.html)
On Tue, 28 Dec 2021 at 14:49, Nick <[email protected]> wrote:
> Using KVM/libvirt in NAT mode to run VM guests needs forwarding to be
> enabled in order to redirect a host port to a VM port. Libvirt adds iptables
> rules to do its magic; in addition I had to add some more rules like:
>
> iptables -I FORWARD -o virbr0 --proto tcp -m conntrack --ctstate NEW -j ACCEPT
>
> or
>
> firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT
>
> This works on the fly but not when firewalld is reloaded, because the rule
> goes at the bottom of the FORWARD chain where it's supposed to be at the
> top.
>
> This works:
>
> Chain FORWARD (policy ACCEPT)
> target       prot opt source    destination
> ACCEPT       all  --  anywhere  anywhere
> LIBVIRT_FWX  all  --  anywhere  anywhere
> LIBVIRT_FWI  all  --  anywhere  anywhere
> LIBVIRT_FWO  all  --  anywhere  anywhere
>
> This doesn't work:
>
> Chain FORWARD (policy ACCEPT)
> target       prot opt source    destination
> LIBVIRT_FWX  all  --  anywhere  anywhere
> LIBVIRT_FWI  all  --  anywhere  anywhere
> LIBVIRT_FWO  all  --  anywhere  anywhere
> ACCEPT       all  --  anywhere  anywhere
>
> As it seems there is no way to insert the needed rule at the top, even
> with -I FORWARD 1, upon firewall-cmd --reload, so what options are there
> left to avoid additional work every time firewalld is reloaded?
>
> There are a number of articles on the topic (qemu hook hack etc.) but none
> of them seems to provide a working solution for this case.
>
> Please advise.
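As an added illustration of the reply's suggestion (this script is not from the thread or from the libvirt project), here is what a libvirt network hook could look like. It assumes the hook lives at `/etc/libvirt/hooks/network`, that the NAT network is named `default` with bridge `virbr0`, and that libvirt invokes the hook as `<network name> <operation> <sub-operation> <extra>` with the `started` operation once the network is up, as documented at the URL above. It re-inserts the exact rule from the original mail at position 1 of FORWARD, deleting any earlier copy first so repeated network restarts do not pile up duplicate rules.

```shell
#!/bin/sh
# Assumed location: /etc/libvirt/hooks/network (must be executable).
# libvirt calls it as: network <network name> <operation> <sub-operation> <extra>
# This is an illustrative hook, not part of the thread or of libvirt itself.

NETWORK="default"   # assumed name of the NAT network
BRIDGE="virbr0"     # assumed bridge of that network

# Build the iptables argument list that puts the ACCEPT rule at the top of
# FORWARD (rule number 1); the match is the one from the original mail.
forward_rule_args() {
    printf '%s' "-I FORWARD 1 -o $1 --proto tcp -m conntrack --ctstate NEW -j ACCEPT"
}

# Act only for the chosen network and only on "started", i.e. after libvirt
# has brought the bridge up and installed its own LIBVIRT_* rules.
should_act() {
    [ "$1" = "$NETWORK" ] && [ "$2" = "started" ]
}

hook_main() {
    net="$1"
    op="$2"
    if should_act "$net" "$op"; then
        # Remove a stale copy if present (ignore "no such rule"), then insert at the top.
        iptables -D FORWARD -o "$BRIDGE" --proto tcp -m conntrack --ctstate NEW -j ACCEPT 2>/dev/null || true
        # shellcheck disable=SC2046  # word splitting of the argument list is intended
        iptables $(forward_rule_args "$BRIDGE")
    fi
}

# Run the real hook only when libvirt supplies arguments; sourcing the file
# without arguments just defines the functions.
if [ "$#" -ge 2 ]; then
    hook_main "$@"
fi
```

After saving the script, restart libvirtd (or reload it) so the hook is picked up, then check the ordering with `iptables -L FORWARD -n --line-numbers` after a `virsh net-destroy default && virsh net-start default`. Note that the hook is tied to libvirt network lifecycle events; the page does not state whether a bare `firewall-cmd --reload` triggers it, so verify that on your own host before relying on it.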

