Package: libvirt-daemon
Version: 5.6.0-2
Severity: normal

My virtual machines often lose connectivity to external networks. This seems to be because libvirt's iptables rules are missing:

root@fragarach:~# iptables -nv -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED,DNAT
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID PKTTYPE = unicast LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = unicast LOG flags 0 level 4 prefix "FINAL_REJECT: "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

This is fixed by restarting firewalld:

root@fragarach:~# systemctl restart libvirtd
root@fragarach:~# iptables -nv -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED,DNAT
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID PKTTYPE = unicast LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = unicast LOG flags 0 level 4 prefix "FINAL_REJECT: "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

I'm guessing the method that libvirtd uses to watch when firewalld reloads the firewall, so that libvirt can add its own rules, is not always effective.

-- System Information:
Debian Release: 10.1
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libvirt-daemon depends on:
ii  libblkid1           2.33.1-0.1
ii  libc6               2.29-2
ii  libcap-ng0          0.7.9-2
ii  libdbus-1-3         1.12.16-1
ii  libdevmapper1.02.1  2:1.02.155-3
ii  libfuse2            2.9.9-1
ii  libgcc1             1:8.3.0-6
ii  libgnutls30         3.6.9-5
ii  libnetcf1           1:0.2.8-1+b2
ii  libparted2          3.2-25
ii  libpcap0.8          1.8.1-6
ii  libpciaccess0       0.14-1
ii  libselinux1         2.8-1+b1
ii  libudev1            241-7~deb10u1
ii  libvirt0            5.6.0-2
ii  libxenmisc4.11      4.11.1+92-g6c33308a8d-2
ii  libxenstore3.0      4.11.1+92-g6c33308a8d-2
ii  libxentoollog1      4.11.1+92-g6c33308a8d-2
ii  libxml2             2.9.4+dfsg1-7+b3

Versions of packages libvirt-daemon recommends:
ii  libxml2-utils   2.9.4+dfsg1-7+b3
ii  netcat-openbsd  1.195-2
ii  qemu-kvm        1:3.1+dfsg-8+deb10u2

Versions of packages libvirt-daemon suggests:
pn  libvirt-daemon-driver-storage-gluster  <none>
pn  libvirt-daemon-driver-storage-rbd      <none>
pn  libvirt-daemon-driver-storage-zfs      <none>
ii  libvirt-daemon-system                  5.6.0-2
pn  numad                                  <none>

-- no debconf information
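An added example, not part of the bug report above and not libvirt's or Debian's own code: a POSIX sh script that detects the broken state the reporter describes (no LIBVIRT_FWX / LIBVIRT_FWI / LIBVIRT_FWO jumps in the FORWARD chain) by parsing `iptables -nv -L FORWARD` output, and applies the reporter's workaround (`systemctl restart libvirtd`) when they are gone. The three chain names are taken from the report's listing; the sample listings embedded below are constructed, abbreviated copies of the two states shown in the report; the function names and the `--live` flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): check that libvirt's FORWARD
# hooks are installed and restart libvirtd (the reporter's workaround)
# when they are missing.

# Reads `iptables -nv -L FORWARD` output on stdin. Prints the LIBVIRT_FW*
# chains that FORWARD does not jump to and returns 1 if any is missing,
# returns 0 (printing nothing) when all three are present.
missing_libvirt_chains() {
    rules=$(cat)
    missing=""
    for chain in LIBVIRT_FWX LIBVIRT_FWI LIBVIRT_FWO; do
        # In `iptables -nv -L` output the target is the 3rd column
        # (pkts bytes target ...). Compare the whole token so that a
        # prefix such as LIBVIRT_FWI does not match LIBVIRT_FWIX.
        if ! printf '%s\n' "$rules" | awk -v c="$chain" '$3 == c { found = 1 } END { exit !found }'; then
            missing="$missing $chain"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Live mode (root required): inspect the real FORWARD chain and restart
# libvirtd if the hooks have disappeared. This is the reporter's workaround
# applied automatically; it does not fix whatever removed the rules.
check_and_repair() {
    if missing=$(iptables -nv -L FORWARD | missing_libvirt_chains); then
        echo "libvirt FORWARD hooks present"
        return 0
    fi
    echo "libvirt FORWARD hooks missing: $missing; restarting libvirtd" >&2
    systemctl restart libvirtd
}

# Constructed sample listings (abbreviated from the two states in the report).
SAMPLE_BROKEN='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

SAMPLE_FIXED='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed partial state (only one hook left), not taken from the report.
SAMPLE_PARTIAL='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Only touch the real firewall when explicitly asked to.
if [ "${1:-}" = "--live" ]; then
    check_and_repair
fi
```

Run it as root with `--live` from cron or after a firewalld reload to re-establish the libvirt hooks. The check only looks at the jump targets in FORWARD; if libvirt's rules were removed in a different way (for example the LIBVIRT_FWI chain still exists but is empty), `iptables -nv -L LIBVIRT_FWI` needs to be checked separately.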