Re: Shorewall and libvirt

2021-05-07 Thread Andrei POPESCU
On Thu, 06 May 21, 17:18:26, Charles Curley wrote:
> 
> I will. I believe the Powers That Be at Debian prefer one file a bug
> report with Debian, and the Debian maintainers will file an upstream
> bug if necessary. Anyway, that's the course I plan to take.

Do feel free to file bugs directly with upstream.

You should also demonstrate the bug is not due to a change made by 
Debian and it exists also in the latest upstream version.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Shorewall and libvirt

2021-05-06 Thread Charles Curley
On Thu, 6 May 2021 21:25:44 +0200
john doe  wrote:

> > I missed it. Sorry.
> >  
> 
> It is hard to spot it, I was simply mentioning it to let you validate
> what I was saying and not to put you on the spot!

No worries. I did not take it as putting me on the spot.


> 
> >>
> >>
> >> Remember that Bullseye has nftables per default, you might want to
> >> switch back to iptables for Shorewall to work properly.  
> >
> > Done, thank you.
> >  
> 
> :)
> 
> 
> > During this whole fiasco, I noticed a problem with virtmanager. The
> > Bullseye version lets the user edit the XML. This is nice, because
> > it then applies whatever changes the user makes. However, as soon
> > as you hit the apply button, the displayed XML reverts to the
> > original. The file is correct, as indicated by cat, but the display
> > is wrong. Similarly, if you edit externally, even with virsh
> > net-edit, the GUI does not pick up the changes. I believe this is a
> > serious bug. 
> 
> I'm only using the CLI.

Probably a good idea for anything more intricate than starting a VM.

> 
> I would file a bug report about this on the libvirt mailing list or on
> GitHub! :)

I will. I believe the Powers That Be at Debian prefer one file a bug
report with Debian, and the Debian maintainers will file an upstream
bug if necessary. Anyway, that's the course I plan to take.

Thanks again.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: Shorewall and libvirt

2021-05-06 Thread john doe

On 5/6/2021 8:13 PM, Charles Curley wrote:
> On Thu, 6 May 2021 09:49:29 +0200
> john doe  wrote:
>
> > First you need to disable libvirt from playing with iptables, I
> > changed (virsh net-edit default) from:
> >
> >
> > to:
> >
> >
>
> Thank you, that seems to have worked.
>
> > Then you can use whatever firewalling solution you like (this is
> > documented in Libvirt's doc).
>
> I missed it. Sorry.
>

It is hard to spot it, I was simply mentioning it to let you validate
what I was saying and not to put you on the spot!

> > Remember that Bullseye has nftables per default, you might want to
> > switch back to iptables for Shorewall to work properly.
>
> Done, thank you.
>

:)

> During this whole fiasco, I noticed a problem with virtmanager. The
> Bullseye version lets the user edit the XML. This is nice, because it
> then applies whatever changes the user makes. However, as soon as you
> hit the apply button, the displayed XML reverts to the original. The
> file is correct, as indicated by cat, but the display is wrong.
> Similarly, if you edit externally, even with virsh net-edit, the GUI
> does not pick up the changes. I believe this is a serious bug.
>

I'm only using the CLI.

I would file a bug report about this on the libvirt mailing list or on
GitHub! :)

--
John Doe



Re: Shorewall and libvirt

2021-05-06 Thread Charles Curley
On Thu, 6 May 2021 09:49:29 +0200
john doe  wrote:

> First you need to disable libvirt from playing with iptables, I
> changed (virsh net-edit default) from:
>
> 
> to:
> 
>

Thank you, that seems to have worked.

> 
> Then you can use whatever firewalling solution you like (this is
> documented in Libvirt's doc).

I missed it. Sorry.

> 
> 
> Remember that Bullseye has nftables per default, you might want to
> switch back to iptables for Shorewall to work properly.

Done, thank you.

During this whole fiasco, I noticed a problem with virtmanager. The
Bullseye version lets the user edit the XML. This is nice, because it
then applies whatever changes the user makes. However, as soon as you
hit the apply button, the displayed XML reverts to the original. The
file is correct, as indicated by cat, but the display is wrong.
Similarly, if you edit externally, even with virsh net-edit, the GUI
does not pick up the changes. I believe this is a serious bug.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: Shorewall and libvirt

2021-05-06 Thread john doe

On 5/6/2021 5:03 AM, Charles Curley wrote:
> For years, up through Buster, I have had a nice setup with virtual
> machines on my laptops, with firewalling provided by shorewall and
> rules I have added over the years. As I move from network to network,
> the firewall is reconfigured, and the VMs continue to work. I also have
> scripts that detect my home networks, and re-do the firewall for use on
> the home network.
>
> Now, with Bullseye, I seem to be hitting a brick wall. Something --
> libvirt?? -- is mucking with my firewalling and breaking the virtual
> internal networking.
>
> What is the preferred way of running libvirt on a laptop? I do not
> *have* to have shorewall, but would like some sort of firewall tool.



First you need to disable libvirt from playing with iptables, I changed
(virsh net-edit default) from:
  

to:

  

Then you can use whatever firewalling solution you like (this is
documented in Libvirt's doc).


Remember that Bullseye has nftables per default, you might want to switch
back to iptables for Shorewall to work properly.

--
John Doe



Shorewall and libvirt

2021-05-05 Thread Charles Curley
For years, up through Buster, I have had a nice setup with virtual
machines on my laptops, with firewalling provided by shorewall and
rules I have added over the years. As I move from network to network,
the firewall is reconfigured, and the VMs continue to work. I also have
scripts that detect my home networks, and re-do the firewall for use on
the home network.

Now, with Bullseye, I seem to be hitting a brick wall. Something --
libvirt?? -- is mucking with my firewalling and breaking the virtual
internal networking.

What is the preferred way of running libvirt on a laptop? I do not
*have* to have shorewall, but would like some sort of firewall tool.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/