[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-18 Thread Jeff
For the record, I was sure to clear (and check they were gone) all
libvirt rules between tests using iptables-restore.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1971619

Title:
  forward mode open is adding libvirt iptables rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1971619/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-18 Thread Jeff
Thank you for checking!
It seems I will need to retest versions. I was simply checking if it added ANY
libvirt rules (iptables-save|grep -i virt), as we expected "open" to NOT add
any firewall rules. I was not checking for specific libvirt rules.


[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-11 Thread Sergio Durigan Junior
Thanks for the followup, Jeff.

I tried to reproduce the bug locally but failed.  Here are the steps I
did:

1) Inside a Focal test environment, installed all the libvirt packages
mentioned by you.

2) Verified that the iptables rules added by libvirt are also present,
as in your case.

3) Edited (virsh net-edit --network default) the XML file and changed
the forward mode to "open", and restarted the libvirt service.

4) Noticed that the iptables rules are *still* present and exactly as
they were before the libvirt restart.  This is because, as Lena
explained, these rules need to be cleaned up manually.

5) Restarted the machine in order to guarantee a clean environment.

6) Verified that the libvirt service is still active, but now the
iptables rules are:

# iptables-save | grep -i virt
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT

which is different than before, and reflects what I'd expect from the
"open" forward mode.

The test was made using the following packages:

# dpkg -l | grep libvirt
ii  libvirt-daemon-driver-storage-rbd  6.0.0-0ubuntu8.16  amd64  Virtualization daemon RBD storage driver
ii  libvirt-clients                    6.0.0-0ubuntu8.16  amd64  Programs for the libvirt library
ii  libvirt-daemon                     6.0.0-0ubuntu8.16  amd64  Virtualization daemon
ii  libvirt-daemon-driver-qemu         6.0.0-0ubuntu8.16  amd64  Virtualization daemon QEMU connection driver
ii  libvirt-daemon-system              6.0.0-0ubuntu8.16  amd64  Libvirt daemon configuration files
ii  libvirt-daemon-system-systemd      6.0.0-0ubuntu8.16  amd64  Libvirt daemon configuration files (systemd)
ii  libvirt0:amd64                     6.0.0-0ubuntu8.16  amd64  library for interfacing with different virtualization systems

Could you please double check and make sure that your rules are indeed
being cleaned before you restart the libvirt service?  It seems to me
that this may be the root cause of what you're experiencing.

Thanks.

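The check used in this thread, `iptables-save | grep -i virt`, matches both the empty LIBVIRT_* chains with their jumps (all that the forward-mode "open" output above contains) and the rules inside those chains that name virbr0. The following added example (not part of the thread; the function and variable names are illustrative) counts the two groups separately, using lines quoted in the thread as sample input.

```bash
#!/usr/bin/env bash
# Added example, not code from the bug thread.
# Splits the libvirt lines of `iptables-save` output into two groups:
#   skeleton: LIBVIRT_* chain declarations and jumps into them
#   network : rules appended inside a LIBVIRT_* chain (they name a bridge)

classify_libvirt_rules() {  # reads iptables-save output on stdin
  awk '
    /^:LIBVIRT_/                   { skeleton++; next }  # :LIBVIRT_FWI - [0:0]
    $1 == "-A" && $2 ~ /^LIBVIRT_/ { network++;  next }  # -A LIBVIRT_FWI -o virbr0 ...
    $1 == "-A" && /-j LIBVIRT_/    { skeleton++; next }  # -A FORWARD -j LIBVIRT_FWI
    END { printf "skeleton=%d network=%d\n", skeleton, network }
  '
}

# Exit status 0 when no rule sits inside a LIBVIRT_* chain.
only_skeleton() {
  classify_libvirt_rules | grep -q 'network=0$'
}

# Filter-table lines from the forward-mode "open" output quoted in the thread.
OPEN_SAMPLE=':LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT'

# Constructed subset of the other output in the thread: skeleton plus bridge rules.
BRIDGE_SAMPLE=':LIBVIRT_FWI - [0:0]
-A FORWARD -j LIBVIRT_FWI
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill'

printf '%s\n' "$OPEN_SAMPLE"   | classify_libvirt_rules   # skeleton=10 network=0
printf '%s\n' "$BRIDGE_SAMPLE" | classify_libvirt_rules   # skeleton=2 network=3
```

On a live host, pipe `iptables-save` into `only_skeleton` before and after restarting libvirtd to see whether any bridge-specific rule appeared.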

[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-10 Thread Jeff
Thank you for the reply. I am certain that I removed the rules between
each test. I agree that it could be a different package, I better go
through my dpkg log and figure out what's going on here. Is there any way
somebody could confirm that they do not see this?


[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-09 Thread Lena Voytek
Hello Jeff,

From your comment it looks like you rolled back the packages correctly.
When testing did you remove the existing rules libvirt provided before
restarting libvirtd? If not they may have been left over from the
previous rules load. Otherwise it may be possible that a new version of
a different package is causing the issue.

Thanks


[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-05 Thread Jeff
It seems to be present all the way back to 6.0.0-0ubuntu2, which is as far as I
could find in an old changelog... Is it possible I'm not rolling the proper
packages back?
I have been rolling back these debs:

libvirt0_6.0.0-0ubuntu2_amd64.deb
libvirt-daemon-driver-qemu_6.0.0-0ubuntu2_amd64.deb
libvirt-daemon-system-systemd_6.0.0-0ubuntu2_amd64.deb
libvirt-clients_6.0.0-0ubuntu2_amd64.deb
libvirt-daemon-driver-storage-rbd_6.0.0-0ubuntu2_amd64.deb
libvirt-dev_6.0.0-0ubuntu2_amd64.deb
libvirt-daemon_6.0.0-0ubuntu2_amd64.deb
libvirt-daemon-system_6.0.0-0ubuntu2_amd64.deb


(staging) root@server:~$ iptables-save|grep -i virt
(staging) root@server:~$ service libvirtd restart
(staging) root@server:~$ iptables-save|grep -i virt
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
(staging) root@server:~$ iptables-restore < /etc/iptables/rules.v4
(staging) root@server:~$  dpkg -l | grep libvirt
ii  libvirt-clients                    6.0.0-0ubuntu2  amd64  Programs for the libvirt library
ii  libvirt-daemon                     6.0.0-0ubuntu2  amd64  Virtualization daemon
ii  libvirt-daemon-driver-qemu         6.0.0-0ubuntu2  amd64  Virtualization daemon QEMU connection driver
ii  libvirt-daemon-driver-storage-rbd  6.0.0-0ubuntu2  amd64  Virtualization daemon RBD storage driver
ii  libvirt-daemon-system              6.0.0-0ubuntu2  amd64  Libvirt daemon configuration files
ii  libvirt-daemon-system-systemd      6.0.0-0ubuntu2  amd64  Libvirt daemon configuration files (systemd)
ii  libvirt-dev:amd64                  6.0.0-0ubuntu2  amd64  development files for the libvirt library
ii  libvirt-glib-1.0-0:amd64           3.0.0-1         amd64  libvirt GLib and GObject mapping library
ii  libvirt0:amd64                     6.0.0-0ubuntu2  amd64  library for interfacing with different virtualization systems
ii  python3-libvirt                    6.1.0-1         amd64  libvirt Python 3 bindings
(staging) root@server:~$


[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-05 Thread Jeff
I found it was 6.0.0-0ubuntu8 and I am triggering the bug even while
that version is installed, which feels wrong... How would I be the first
to notice this after 2 years? It seems unlikely, but here we are.


[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-05 Thread Jeff
Thank you for the instructions on how to test old versions. I was wrong
above when I said it was not present in 8.8, indeed it was but I had not
noticed it until more recently. I have tested back to 8.1 and I confirm
it was there as well. I am unable to get/test 8.0 and I do not know what
the version before that is.

$ pull-lp-debs libvirt 6.0.0-0ubuntu8.0
Source package lookup failed, trying lookup of binary package libvirt
The binary package 'libvirt' version 6.0.0-0ubuntu8.0 does not exist in the 
Ubuntu primary archive for architecture amd64
The source package 'libvirt' version 6.0.0-0ubuntu8.0 does not exist in the 
Ubuntu primary archive

Can I help more?


[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-05 Thread Paride Legovini
Thanks Jeff for filing this bug report. To work on this it would greatly
help to be able to pinpoint which Focal update introduced the problem.
One way to do this is to download one version after the other, install
the packages and test if the bug is present. Something along these
lines:

  apt install --no-install-recommends ubuntu-dev-tools
  dpkg -l | grep libvirt # check which libvirt pkgs are installed
  
  pull-lp-debs libvirt 6.0.0-0ubuntu8.9 # for example
  dpkg -i 

Then: verify if bug is present. If not present => proceed with version
ubuntu8.10. If present, rollback to the *previous* version and test
again to be really sure the buggy version has been found. (Note: this
shouldn't be harmful but it's obviously not the recommended way to manage
packages, do this on a test system.)

Do you think you can perform this testing and let us know your findings?

While waiting for more info I'm marking this as Incomplete for now.

Thanks!

** Changed in: libvirt (Ubuntu)
   Status: New => Incomplete


[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-04 Thread Jeff
This bug definitely did not exist in 6.0.0-0ubuntu8.8


[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-04 Thread Jeff
I was able to confirm this bug exists in 6.0.0-0ubuntu8.15 as well.


[Bug 1971619] Re: forward mode open is adding libvirt iptables rules

2022-05-04 Thread Jeff
I also filed this bug directly with the libvirt team at:
https://gitlab.com/libvirt/libvirt/-/issues/307

** Bug watch added: gitlab.com/libvirt/libvirt/-/issues #307
   https://gitlab.com/libvirt/libvirt/-/issues/307
