forward mode open is adding libvirt iptables rules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
After "auto security updates" updated my libvirt, I have noticed that forward mode open is adding LIBVIRT rules to my iptables for the default network. This was supposed to happen with forward mode nat, but not with forward mode open.
apt-cache policy libvirt-daemon:
libvirt-daemon:
Installed: 6.0.0-0ubuntu8.16
Candidate: 6.0.0-0ubuntu8.16
Version table:
*** 6.0.0-0ubuntu8.16 500
500 http://
500 http://
100 /var/lib/
6.0.0-0ubuntu8 500
500 http://
lsb_release -rd:
Description: Ubuntu 20.04.3 LTS
Release: 20.04
VM network settings:
virsh net-dumpxml --inactive default
<network>
<name>
<uuid>
<forward mode='open'/>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address=
<ip address=
<dhcp>
<range start='
</dhcp>
</ip>
</network>
What I expect to happen:
Because I have forward mode='open', I expect that when libvirtd gets restarted it will NOT load its own rules into my firewall. This has been the case for me since mode open was added.
What is happening:
(staging) root@server:~$ iptables-save|grep -i virt
(staging) root@server:~$ service libvirtd restart
(staging) root@server:~$ iptables-save|grep -i virt
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
I also filed this bug directly with the libvirt team at: https://gitlab.com/libvirt/libvirt/-/issues/307
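An added check, not part of the original report or of libvirt itself: a small Python audit that parses a libvirt network definition and `iptables-save` output and lists the LIBVIRT_* rules that match on the network's bridge interface or its subnet. libvirt programs per-network rules for nat, route and isolated networks, so rules there are expected; for a network with forward mode open none should exist, and any found are flagged. The sample XML and iptables lines below are constructed from the report: the address, netmask and DHCP range are assumptions (the report elides them), and the report's truncated `--reject-with icmp-port-` targets are completed as `icmp-port-unreachable` so the lines are valid iptables-save syntax.

```python
import re
import xml.etree.ElementTree as ET
from ipaddress import ip_network

# Constructed sample of `virsh net-dumpxml default`, mirroring the report;
# address, netmask and DHCP range are assumptions (the report elides them).
NETWORK_XML = """<network>
  <name>default</name>
  <forward mode='open'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp>
  </ip>
</network>"""

# Constructed sample of `iptables-save | grep -i virt` after the restart, copied
# from the report (chain declarations dropped; the truncated --reject-with
# targets completed as icmp-port-unreachable, which is an assumption).
IPTABLES_SAVE = """\
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
"""

# Forward modes for which libvirt programs per-network firewall rules;
# None stands for a network with no <forward> element (isolated).
FIREWALLED_MODES = {None, "nat", "route"}


def parse_network(xml_text):
    """Extract name, forward mode, bridge name and subnets from network XML."""
    root = ET.fromstring(xml_text)
    fwd, bridge = root.find("forward"), root.find("bridge")
    subnets = []
    for ip in root.findall("ip"):
        addr, mask = ip.get("address"), ip.get("netmask") or ip.get("prefix")
        if addr and mask:
            subnets.append(ip_network(f"{addr}/{mask}", strict=False))
    return {
        "name": root.findtext("name"),
        "mode": fwd.get("mode") if fwd is not None else None,
        "bridge": bridge.get("name") if bridge is not None else None,
        "subnets": subnets,
    }


def libvirt_rules(save_text):
    """Rules that live in, or jump to, a LIBVIRT_* chain."""
    lines = (l.strip() for l in save_text.splitlines())
    return [l for l in lines if l.startswith("-A ") and "LIBVIRT_" in l]


def rules_for_network(rules, net):
    """Rules matching on the network's bridge interface or one of its subnets."""
    patterns = []
    if net["bridge"]:
        patterns.append(r"\s-[io] %s\b" % re.escape(net["bridge"]))
    patterns += [r"\s-[sd] %s\b" % re.escape(str(s)) for s in net["subnets"]]
    return [r for r in rules if any(re.search(p, r) for p in patterns)]


def audit(xml_text, save_text):
    """List LIBVIRT_* rules tied to this network; flag them unless the mode is firewalled."""
    net = parse_network(xml_text)
    rules = rules_for_network(libvirt_rules(save_text), net)
    return {
        "name": net["name"],
        "mode": net["mode"],
        "rules": rules,
        "nat_rules": [r for r in rules if "MASQUERADE" in r],
        "unexpected": [] if net["mode"] in FIREWALLED_MODES else rules,
    }


if __name__ == "__main__":
    report = audit(NETWORK_XML, IPTABLES_SAVE)
    print(f"{report['name']} (forward mode {report['mode']}): "
          f"{len(report['rules'])} LIBVIRT_* rules, {len(report['unexpected'])} unexpected")
```

To run it against a live host, replace the two constants with the output of `virsh net-dumpxml default` (without `--inactive`: the live definition is what libvirtd actually programmed, and it can differ from the persistent one until the network is restarted) and of `iptables-save`. The MASQUERADE rules in `nat_rules` are the clearest sign that the running network is being treated as forward mode nat.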