Public bug reported:
After "auto security updates" updated my libvirt I have noticed that
forward mode open is adding LIBVIRT rules to my iptables for the default
network. This was supposed to happen with forward mode nat, but not with
forward mode open.
apt-cache policy libvirt-daemon:
libvirt-daemon:
  Installed: 6.0.0-0ubuntu8.16
  Candidate: 6.0.0-0ubuntu8.16
  Version table:
 *** 6.0.0-0ubuntu8.16 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     6.0.0-0ubuntu8 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
lsb_release -rd:
Description: Ubuntu 20.04.3 LTS
Release: 20.04
VM network settings:
virsh net-dumpxml --inactive default
<network>
  <name>default</name>
  <uuid>17c58686-736c-49e4-8ae9-99a8d25f032c</uuid>
  <forward mode='open'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:f6:68:91'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
What I expect to happen:
Because I have forward mode='open', I expect that when libvirtd gets restarted
it will NOT load its own rules into my firewall. This has been the case
for me since mode open was added.
What is happening:
(staging) root@server:~$ iptables-save|grep -i virt
(staging) root@server:~$ service libvirtd restart
(staging) root@server:~$ iptables-save|grep -i virt
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
** Affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
** Tags: firewall libvirt
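The check the reporter does by hand above (grep iptables-save before and after a libvirtd restart and expect no LIBVIRT_* rules for a mode='open' network), written up as a small POSIX shell script. This is an added example, not part of the bug report and not libvirt's own tooling: it reads the forward mode out of net-dumpxml output, counts the LIBVIRT_* chain definitions in iptables-save output, and reports a mismatch when an open network nevertheless has libvirt chains installed. The XML and rule samples embedded below are constructed, modelled on the report; on a live host you would pass the real `virsh net-dumpxml --inactive default` and `iptables-save` output instead.

```shell
#!/bin/sh
# Added example (not from the bug report or libvirt): compare a network's
# <forward mode='...'> with the LIBVIRT_* chains present in iptables-save.
# On a real host:
#   check_libvirt_rules "$(virsh net-dumpxml --inactive default)" "$(iptables-save)"

# Print the forward mode found in net-dumpxml XML, or "none" when the
# network has no <forward> element (an isolated network).
forward_mode() {
    printf '%s\n' "$1" \
        | sed -n "s/.*<forward mode='\([a-z]*\)'.*/\1/p" \
        | head -n 1 | grep . || echo none
}

# Count chain definitions such as ":LIBVIRT_FWI - [0:0]" in iptables-save
# output. grep -c exits 1 when the count is 0, so mask that status.
libvirt_chain_count() {
    printf '%s\n' "$1" | grep -c '^:LIBVIRT_' || true
}

# Exit 0 when the firewall state matches the forward mode, 1 when an
# open-mode network has LIBVIRT_* chains (the situation in this report),
# 2 when a nat/route network has none at all.
check_libvirt_rules() {
    mode=$(forward_mode "$1")
    chains=$(libvirt_chain_count "$2")
    case "$mode" in
        open)
            if [ "$chains" -gt 0 ]; then
                echo "MISMATCH: forward mode open but $chains LIBVIRT_* chains present"
                return 1
            fi
            echo "OK: forward mode open, no LIBVIRT_* chains"
            ;;
        nat|route)
            if [ "$chains" -eq 0 ]; then
                echo "WARNING: forward mode $mode but no LIBVIRT_* chains found"
                return 2
            fi
            echo "OK: forward mode $mode, $chains LIBVIRT_* chains present"
            ;;
        *)
            echo "INFO: forward mode $mode, $chains LIBVIRT_* chains present"
            ;;
    esac
    return 0
}

# Constructed sample inputs, modelled on the report (not captured from a host).
SAMPLE_NET_OPEN="<network>
  <name>default</name>
  <forward mode='open'/>
  <bridge name='virbr0' stp='on' delay='0'/>
</network>"

SAMPLE_NET_NAT="<network>
  <name>default</name>
  <forward mode='nat'/>
</network>"

SAMPLE_RULES_LIBVIRT=":LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
-A FORWARD -j LIBVIRT_FWI"

SAMPLE_RULES_EMPTY=""

# Stand-alone demo: the reporter's case, mode open with rules present.
check_libvirt_rules "$SAMPLE_NET_OPEN" "$SAMPLE_RULES_LIBVIRT" \
    || echo "check exited with status $?"
```

The script only looks at chain definitions (`:LIBVIRT_*` lines), which is enough to tell whether libvirt programmed the firewall at all; it does not try to judge whether the individual rules are correct for a given mode, since the report's point is that an open network should have none.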
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1971619
Title:
forward mode open is adding libvirt iptables rules
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1971619/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs