UFW blocks libvirt bridged traffic
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ufw (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Binary package hint: ufw
Basically the issue is....
I use KVM for my virtual machines. These machines grab an IP from the LAN and are used from the outside network.
I run 'ufw enable' on the host. From there it doesn't matter how I configure UFW, the traffic to the VMs is killed.
I'm attaching the log of a fairly lengthy conversation in IRC which may help keep me from having to regurgitate everything. I will if that's what's needed.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: ufw 0.30pre1-0ubuntu2
ProcVersionSign
Uname: Linux 2.6.32-21-server x86_64
NonfreeKernelMo
Architecture: amd64
Date: Sat May 1 23:58:56 2010
InstallationMedia: Ubuntu-Server 10.04 "Lucid Lynx" - Alpha amd64 (20100404)
PackageArchitec
ProcEnviron:
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: ufw
summary:
- UFW blocks all KVM traffic
+ UFW blocks bridged traffic
Seems this is the relevant line in the IRC conversation:
22:24 < MTecknology> cclausen: May 1 22:24:22 pessum kernel: [19981.061455] [UFW BLOCK] IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vnet1 SRC=192.168.3.6 DST=192.168.1.5 LEN=196 TOS=0x10 PREC=0x00 TTL=63 ID=40752 DF PROTO=TCP SPT=55015 DPT=22 WINDOW=126 RES=0x00 ACK PSH URGP=0
Using libvirt with bridging requires additional configuration. For details, see: http://wiki.libvirt.org/page/Networking#Creating_network_initscripts
Specifically, this section:
"The final step is to disable netfilter on the bridge:
# cat >> /etc/sysctl.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
# sysctl -p /etc/sysctl.conf
It is recommended to do this for performance and security reasons. See Fedora bug #512206. Alternatively you can configure iptables to allow all traffic to be forwarded across the bridge:
# echo "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" > /etc/sysconfig/iptables-forward-bridged
# lokkit --custom-rules=ipv4:filter:/etc/sysconfig/iptables-forward-bridged
# service libvirtd reload
"
Translated into Ubuntu/ufw language, either:
a) disable netfilter on the bridge via /etc/sysctl.conf, /etc/ufw/sysctl.conf or add a file with the above to /etc/sysctl.d or
b) configure iptables to allow all traffic to be forwarded across the bridge by adding the following to /etc/ufw/before.rules:
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
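The kernel line quoted above is the signature of this problem: a [UFW BLOCK] record whose IN and OUT are the same bridge (br0) and which carries PHYSIN/PHYSOUT ports, meaning netfilter was consulted for a frame merely being switched between the uplink and a VM's vnet port. As an added example (not code from this bug report or from the ufw project), the Python below parses ufw kernel log lines and flags exactly those bridged blocks, so an admin can confirm from /var/log/kern.log or ufw.log that the symptom is this bridge-netfilter interaction rather than a real rule. The first sample line is the message quoted in the comment; the second is a constructed, ordinary inbound block included for contrast.

```python
import re
from collections import Counter

# Constructed sample input. Line 1 is the kernel message quoted in this bug
# (as it appeared in the IRC log, prefix included); line 2 is a made-up
# non-bridged inbound block on eth0 so the classifier has a negative case.
SAMPLE_LOG = """\
22:24 < MTecknology> cclausen: May 1 22:24:22 pessum kernel: [19981.061455] [UFW BLOCK] IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vnet1 SRC=192.168.3.6 DST=192.168.1.5 LEN=196 TOS=0x10 PREC=0x00 TTL=63 ID=40752 DF PROTO=TCP SPT=55015 DPT=22 WINDOW=126 RES=0x00 ACK PSH URGP=0
May 1 22:25:01 pessum kernel: [20020.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# "[UFW BLOCK]", "[UFW ALLOW]", "[UFW AUDIT]" ... : the action comes first,
# followed by the netfilter LOG target's KEY=VALUE fields. Bare flags such
# as DF, SYN, ACK, PSH have no '=' and are simply not captured.
_ACTION = re.compile(r"\[UFW (\w+)\]")
_KV = re.compile(r"(\w+)=(\S*)")


def parse_ufw_line(line):
    """Return a dict of the ufw record's fields (plus 'action'), or None if
    the line is not a ufw log record at all."""
    m = _ACTION.search(line)
    if m is None:
        return None
    fields = {"action": m.group(1)}
    # Only parse what follows the action tag, so timestamps and IRC/syslog
    # prefixes ahead of it cannot pollute the field set.
    fields.update(_KV.findall(line[m.end():]))
    return fields


def is_bridged_block(fields):
    """True when a BLOCK hit a frame being forwarded across a bridge: IN and
    OUT are the same (non-empty) bridge and physdev ports are reported.
    This is the pattern the bridge-nf-call-iptables sysctl / the
    --physdev-is-bridged ACCEPT rule in the comment above addresses."""
    if not fields or fields.get("action") != "BLOCK":
        return False
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    return bool(in_if) and in_if == out_if and "PHYSIN" in fields and "PHYSOUT" in fields


def bridged_flows(log_text):
    """Count bridged blocks per (bridge, VM port, destination, proto, dport)
    so the affected guests and services stand out at a glance."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_ufw_line(line)
        if is_bridged_block(f):
            key = (f["IN"], f["PHYSOUT"], f.get("DST", "?"),
                   f.get("PROTO", "?"), f.get("DPT", "-"))
            flows[key] += 1
    return flows


if __name__ == "__main__":
    for (bridge, port, dst, proto, dpt), n in bridged_flows(SAMPLE_LOG).items():
        print(f"{n:4d} bridged block(s) on {bridge} -> {port}: {dst} {proto}/{dpt}")
```

Run it against a real log with `bridged_flows(open("/var/log/kern.log").read())`: a non-empty result means ufw is filtering layer-2 forwarded traffic to the guests listed, and one of the two remedies in the comment above applies; an empty result with guests still unreachable points elsewhere.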