Please enable firewalld support in libvirtd
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libvirt (Ubuntu) | Fix Released | Low | Unassigned | |
Bug Description
I use the firewalld package to manage my firewall configuration. I just installed the libvirt-daemon set of packages (see below) and libvirtd registers this error in the journal:
libvirtd[1063]: internal error: firewalld is set to use the nftables backend, but the required firewalld 'libvirt' zone is missing. Either set the firewalld backend to 'iptables', or ensure that firewalld has a 'libvirt' zone by upgrading firewalld to a version supporting rule priorities (0.7.0+) and/or rebuilding libvirt with --with-
Looking at the firewalld status there is indeed no 'libvirt' zone so the problem reported is real.
As I understand it, the 'iptables' firewalld backend was deprecated a couple of years ago in favor of the 'nftables' backend, so setting the backend to a deprecated one isn't a good solution.
In the libvirt package's debian/rules I see:
WITH_FIREWALLD = -Dfirewalld=
So firewalld support is indeed disabled in Ubuntu.
Could you please enable it?
This is on Ubuntu 21.04.
Relevant package versions:
firewalld 0.9.3-2ubuntu1
libvirt-daemon 7.0.0-2ubuntu2
libvirt-
libvirt-
libvirt-
libvirt-
libvirt-
More information I should have mentioned earlier:
The impact of this bug is that libvirt can't start the default network:
bauermann@popigai:~$ virsh -c qemu:///system net-start default
error: Failed to start network default
error: internal error: firewalld is set to use the nftables backend, but the required firewalld 'libvirt' zone is missing. Either set the firewalld backend to 'iptables', or ensure that firewalld has a 'libvirt' zone by upgrading firewalld to a version supporting rule priorities (0.7.0+) and/or rebuilding libvirt with --with-firewalld-zone
bauermann@popigai:~$ echo $?
1
The workaround is to add a zone="trusted" attribute to the bridge node of the network XML definition:
<network>
  <name>default</name>
  <uuid>d20d5db0-4a01-4422-8bcb-8b582d019356</uuid>
  <forward mode="nat">
    <nat>
      <port start="1024" end="65535"/>
    </nat>
  </forward>
  <bridge name="virbr0" zone="trusted" stp="on" delay="0"/>
  <mac address="52:54:00:13:28:6a"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254"/>
    </dhcp>
  </ip>
</network>
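
The following is an added example, not part of the original report or of libvirt: a small audit of a libvirt network definition that reports which firewalld zone the bridge will land in, and flags both the failure described above (zone not defined) and the side effect of the workaround (firewalld's 'trusted' zone accepts all connections). The function names, the trimmed sample XML and the zone sets are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed network definition without the workaround applied.
SAMPLE_NETWORK_XML = """<network>
  <name>default</name>
  <forward mode="nat"/>
  <bridge name="virbr0" stp="on" delay="0"/>
  <ip address="192.168.122.1" netmask="255.255.255.0"/>
</network>"""

DEFAULT_ZONE = "libvirt"     # zone named in the libvirtd error message
PERMISSIVE_ZONE = "trusted"  # firewalld zone that accepts all connections


def audit_bridge_zone(network_xml, firewalld_zones):
    """Return (bridge_name, effective_zone, findings) for one network definition."""
    bridge = ET.fromstring(network_xml).find("bridge")
    if bridge is None:
        return None, None, ["no <bridge> element"]
    # Without an explicit zone attribute the bridge goes to the 'libvirt' zone.
    zone = bridge.get("zone") or DEFAULT_ZONE
    findings = []
    if zone not in firewalld_zones:
        findings.append(f"zone '{zone}' is not defined in firewalld")
    if zone == PERMISSIVE_ZONE:
        findings.append("bridge is in 'trusted': firewalld accepts all "
                        "connections arriving on it")
    return bridge.get("name"), zone, findings


def set_bridge_zone(network_xml, zone):
    """Return the XML with zone=<zone> set on <bridge> (the workaround above)."""
    root = ET.fromstring(network_xml)
    bridge = root.find("bridge")
    if bridge is None:
        raise ValueError("network has no <bridge> element")
    bridge.set("zone", zone)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    zones = {"public", "home", "trusted"}  # constructed: no 'libvirt' zone present
    print(audit_bridge_zone(SAMPLE_NETWORK_XML, zones))
    print(audit_bridge_zone(set_bridge_zone(SAMPLE_NETWORK_XML, "trusted"), zones))
```

On a real host the XML would come from `virsh net-dumpxml default` and the zone set from `firewall-cmd --get-zones`.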