Re: [libvirt-users] KVM + libvirt + nftables without iptables?

2018-10-19 Thread Michal Privoznik
On 10/18/2018 11:09 PM, Roman Vesely wrote:
> Michal Privoznik wrote:
> 
>> On 10/18/2018 10:14 AM, Daniel P. Berrangé wrote:
>>> On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote:  
>>>> Hi everyone,
>>>>
>>>> I use Debian 9.5 Stretch and NFTABLES as a firewall.
>>>> Using NFTABLES together with IPTABLES is not recommended,
>>>> but libvirt depends on IPTABLES.
>>>>
>>>> Is it safe to run libvirt + kvm + virsh without IPTABLES?
>>>>
>>>> By the doc https://libvirt.org/firewall.html,
>>>> IPTABLES are used for setting up filtering which I do not need.
>>>
>>> Currently it is *NOT* ok.  
>>
>> Pardon me if I misread the question but I think Roman is actually
>> asking if he turns off iptables in libvirt.
> 
> Thank you Michal, you said it exactly.
> I only use nftables.
> I need to remove iptables and set libvirt to work without them.
> 
>> Well, that would work but
>> all the forwarding rules, rules that prevent one domain from seeing
>> the traffic of the other, etc. - you would have to do them yourself. Or
>> trust your guests.
> 
> Yes, I understand and I will create rules manually with NFTABLES.
> And I also manage all kvm guests.
> 
> I've found some tips on how to "turn off" iptables in libvirt:
> 
>  virsh net-destroy default
>  virsh net-autostart --disable default
> 
> Is this the right and safe way to remove all dependency on iptables?

You also have to make sure none of the domain interfaces will use
nwfilter. And I think that's all.

Also, the default network is a NATed one, which won't fly with nftables.
If you still want libvirt to create TAP devices for your domain and plug
them into a bridge you can define network type='bridge' (or domain
interface of the corresponding type).

Michal
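The two checks Michal describes, as an added example written for this thread (it is not code from the thread or from the libvirt project): an audit of a domain's XML for `<filterref>` (nwfilter) entries, and the bridge-type network definition that replaces the NATed "default" network. The host bridge name `br0` and the sample domain are assumptions; `clean-traffic` is the nwfilter that ships with libvirt.

```shell
#!/bin/sh
# Added example, not code from the thread or from libvirt. Audits a libvirt
# domain XML document (as produced by `virsh dumpxml`) for <interface>
# elements carrying a <filterref> (nwfilter), and prints a bridge-type
# network XML that stands in for the NATed "default" network.
# Assumption: a host bridge named br0 already exists.

# Read domain XML on stdin and print every referenced nwfilter name, one per
# line. Returns 0 when no <filterref> is present, 1 when at least one is.
nwfilter_refs() {
    refs=$(sed -n "s/.*<filterref filter='\([^']*\)'.*/\1/p")
    [ -z "$refs" ] && return 0
    printf '%s\n' "$refs"
    return 1
}

# Bridge network XML: libvirt only creates TAP devices and plugs them into
# the existing host bridge; no NAT, DHCP or iptables rules are generated.
bridge_network_xml() {
    cat <<EOF
<network>
  <name>hostbridge</name>
  <forward mode='bridge'/>
  <bridge name='$1'/>
</network>
EOF
}

# Constructed sample domain: one interface still references the
# clean-traffic nwfilter shipped with libvirt.
SAMPLE_DOMAIN="<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='bridge'>
      <source bridge='br0'/>
      <filterref filter='clean-traffic'/>
    </interface>
  </devices>
</domain>"

if printf '%s\n' "$SAMPLE_DOMAIN" | nwfilter_refs; then
    echo "guest1: no nwfilter references, safe to run without iptables"
else
    echo "guest1: remove the <filterref> above before dropping iptables"
fi
bridge_network_xml br0
```

On a real host, feed `virsh dumpxml "$dom"` for each name from `virsh list --all --name` into `nwfilter_refs`, and load the printed network with `virsh net-define`.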

___
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users

Re: [libvirt-users] KVM + libvirt + nftables without iptables?

2018-10-18 Thread Roman Vesely
Michal Privoznik wrote:

> On 10/18/2018 10:14 AM, Daniel P. Berrangé wrote:
> > On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote:  
> >> Hi everyone,
> >>
> >> I use Debian 9.5 Stretch and NFTABLES as a firewall.
> >> Using NFTABLES together with IPTABLES is not recommended,
> >> but libvirt depends on IPTABLES.
> >>
> >> Is it safe to run libvirt + kvm + virsh without IPTABLES?
> >>
> >> By the doc https://libvirt.org/firewall.html,
> >> IPTABLES are used for setting up filtering which I do not need.
> > 
> > Currently it is *NOT* ok.  
> 
> Pardon me if I misread the question but I think Roman is actually
> asking if he turns off iptables in libvirt.

Thank you Michal, you said it exactly.
I only use nftables.
I need to remove iptables and set libvirt to work without them.

> Well, that would work but
> all the forwarding rules, rules that prevent one domain from seeing
> the traffic of the other, etc. - you would have to do them yourself. Or
> trust your guests.

Yes, I understand and I will create rules manually with NFTABLES.
And I also manage all kvm guests.

I've found some tips on how to "turn off" iptables in libvirt:

 virsh net-destroy default
 virsh net-autostart --disable default

Is this the right and safe way to remove all dependency on iptables?

Thank you,

Roman


Re: [libvirt-users] KVM + libvirt + nftables without iptables?

2018-10-18 Thread Daniel P. Berrangé
On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote:
> Hi everyone,
> 
> I use Debian 9.5 Stretch and NFTABLES as a firewall.
> Using NFTABLES together with IPTABLES is not recommended,
> but libvirt depends on IPTABLES.
> 
> Is it safe to run libvirt + kvm + virsh without IPTABLES?
>
> By the doc https://libvirt.org/firewall.html,
> IPTABLES are used for setting up filtering which I do not need.

Currently it is *NOT* ok.

With this dual setup, even if traffic is allowed by libvirt's
iptables rules, firewalld's nftables rules are likely to block
the traffic.

IOW, a packet must succeed with both nftables & iptables, and
there's no way for iptables alone to guarantee acceptance.

This is known to break libvirt.

We're exploring how to fix this in libvirt in combination with
firewalld's nftables backend, since it also affects Fedora.

If not using firewalld, but are using nftables directly, then
it is even harder for libvirt and in fact I'm not sure if it
is fixable at all in general.


Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|


[libvirt-users] KVM + libvirt + nftables without iptables?

2018-10-17 Thread Roman Vesely
Hi everyone,

I use Debian 9.5 Stretch and NFTABLES as a firewall.
Using NFTABLES together with IPTABLES is not recommended,
but libvirt depends on IPTABLES.

Is it safe to run libvirt + kvm + virsh without IPTABLES?

By the doc https://libvirt.org/firewall.html,
IPTABLES are used for setting up filtering which I do not need.

Thanks,

Roman
