Ubuntu
ufw package

iptables rules for NAT may break ufw setups

Bug #595501 reported by Loïc Minier on 2010-06-17

This bug affects 4 people

	Status	Importance	Assigned to
libvirt	Won't Fix	Medium	redhat-bugs #533193
libvirt (Ubuntu)	Invalid	Wishlist	Unassigned
ufw (Ubuntu)	Won't Fix	Wishlist	Unassigned

Bug Description

Hi there

If one tries to use libvirt vms with a NATed network, libvirtd will insert iptables rules before the earliest ufw rules (ufw-before-forward) in the FORWARD chain, and so breaks ufw semantics.

It would be nice if libvirt could have a special handling for the rules if ufw is present.

Thanks!

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: libvirt-bin 0.7.5-5ubuntu27
ProcVersionSignature: Ubuntu 2.6.32-22.36-server 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-server x86_64
Architecture: amd64
Date: Thu Jun 17 16:10:39 2010
ProcEnviron:
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/zsh
SourcePackage: libvirt

Tags:

Revision history for this message

In Red Hat Bugzilla #533193, Jeremy (jeremy-redhat-bugs) wrote on 2009-11-05:

The default iptables rules added by libvirt preclude having any rules set up on your system to forward traffic to a guest as they include putting REJECT rules into the FORWARD chain

Revision history for this message

In Red Hat Bugzilla #533193, Daniel (daniel-redhat-bugs) wrote on 2009-11-05:

#10

We need to re-arrange the way we add iptables rules to address this in a good manner.

Currently we put them directly into the INPUT/OUTPUT/FORWARD chains, inserting at position 0. This makes it hard for admins to put other rules ahead of our own, since every time we start a new guest its rules get placed ahead of custom rules.

What we need todo is to move all our rules to a custom chain. libvirt_INPUT, libvirt_OUTPUT and libvirt_FORWARD. When libvirtd starts up we should create those 3 chains and insert them at position 0 in the main INPUT, OUTPUT & FORWARD chains. When starting VMs the per-VM rules should be in our custom chain.

This will allow admins to add their own rules to the main INPUT, OUTPUT, FORWARD chains and guarentee they'll always be ahead of any of libvirts per-VM rules.

Revision history for this message

In Red Hat Bugzilla #533193, Bug (bug-redhat-bugs) wrote on 2009-11-16:

#11

This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Revision history for this message

In Red Hat Bugzilla #533193, Mark (mark-redhat-bugs) wrote on 2009-11-19:

#12

Makes sense, moving upstream - it's been like this for a long time now, so there's no particular point in tracking it as a Fedora bug

Revision history for this message

Loïc Minier (lool) wrote on 2010-06-17:

Dependencies.txt Edit (2.7 KiB, text/plain; charset="utf-8")

Revision history for this message

Loïc Minier (lool) wrote on 2010-06-17:

See also bug #573461

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-06-17:

Adding a ufw task as there is probably some work to be done there to make the libvirt integration easier.

Changed in libvirt (Ubuntu):
importance:	Undecided → Wishlist
status:	New → Triaged

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-06-17:

I'm triaging this, but not assigning to me since I don't want to block someone else working on it and I don't have a lot of time for this atm.

Changed in ufw (Ubuntu):
importance:	Undecided → Wishlist
status:	New → Triaged
summary:	- iptables rules for NAT break ufw setups + iptables rules for NAT may break ufw setups

Revision history for this message

Loïc Minier (lool) wrote on 2010-09-02:

It's pretty much the same issue for all three types of "virtual network driver" use cases with libvirt, since libvirt adds iptables rules with REJECTS which you can't override with ufw.

I guess the solution is to tell libvirt to add its rules to configurable chains so that one can hook these chains into a wider firewall config.

Revision history for this message

Loïc Minier (lool) wrote on 2010-09-02:

In fact, the network filters concept in libvirt seems to be a good way to implement this stuff, but it's only for guest interfaces right now

Revision history for this message

In Red Hat Bugzilla #533193, David (david-redhat-bugs) wrote on 2012-03-06:

#13

I'm confused about the status of this issue. Does "moving upstream" mean:
A) a separate bug was submitted in another bug tracker
B) a change in product/component with this remaining the primary bug

In case of A) could we have a URL to the bug?
In case of B) what is the status, has anyone worked on this?

Could the suggestion in comment 1 be implemented in existing installations via manual configuration and if so how should one go about it?

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2013-02-28:

I believe this should be marked invalid by the same rationale as bug 573461. If there are objections please shout and I'll re-open.

Changed in libvirt (Ubuntu):
status:	Triaged → Invalid

Revision history for this message

Mihai Satmarean (mihai-satmarean) wrote on 2014-03-03:

Hi all, after reading all the issues and their solutions, spending some hours on the matter, I am still unable to NAT traffic to the VM from the host Ubuntu 12.04.
Can any of you please post a clear solution?

Revision history for this message

In Red Hat Bugzilla #533193, Ján (jn-redhat-bugs) wrote on 2015-03-17:

#14

*** Bug 972368 has been marked as a duplicate of this bug. ***

Revision history for this message

In Red Hat Bugzilla #533193, Cole (cole-redhat-bugs) wrote on 2016-03-20:

#15

AFAICT this is still relevant with latest libvirt. firewalld may help here, but not all distros use firewalld

Bug Watch Updater (bug-watch-updater) on 2017-10-27

Changed in libvirt:
importance:	Unknown → Medium
status:	Unknown → Confirmed

Revision history for this message

In Red Hat Bugzilla #533193, berrange (berrange-redhat-bugs) wrote on 2018-11-01:

#16

This series moves all libvirt rules into separate chains:

https://www.redhat.com/archives/libvir-list/2018-November/msg00018.html

This makes it practical to install rules ahead of libvirt's rules in iptables default chains, without risk of libvirt constantly inserting more rules in front.

Revision history for this message

In Red Hat Bugzilla #533193, crobinso (crobinso-redhat-bugs) wrote on 2019-07-17:

#17

That code landed upstream, so I guess this is fixed nowadays

Bug Watch Updater (bug-watch-updater) on 2019-09-02

Changed in libvirt:
status:	Confirmed → Won't Fix

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2019-09-03:

#18

This should just all happen automatically in ufw based on bug feedback, so marking ufw as "Won't Fix" instead of "Fix Released" since nothing was needed in ufw (could've used Invalid, but that seemed worse than the other two...)