mani001 Guru
Joined: 04 Dec 2004 Posts: 487 Location: Oleiros
Posted: Sun Nov 07, 2021 9:27 am Post subject: qemu/virt-manager and nftables [solved]
Hi,
I'm trying to migrate from iptables to nftables but can't get internet access in qemu (through virt-manager). I (e)selected `xtables-nft-multi` as iptables backend and when I run
Code:
systemctl start libvirtd
and then
I can see a bunch of rules added to my (vanilla) "ruleset"
Quote:
table ip filter {
	chain LIBVIRT_INP {
	}
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 5211 bytes 1636931 jump LIBVIRT_INP
	}
	chain LIBVIRT_OUT {
	}
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 8986 bytes 10022369 jump LIBVIRT_OUT
	}
	chain LIBVIRT_FWO {
	}
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 0 bytes 0 jump LIBVIRT_FWX
		counter packets 0 bytes 0 jump LIBVIRT_FWI
		counter packets 0 bytes 0 jump LIBVIRT_FWO
	}
	chain LIBVIRT_FWI {
	}
	chain LIBVIRT_FWX {
	}
}
table ip nat {
	chain LIBVIRT_PRT {
	}
}
table ip6 filter {
	chain LIBVIRT_INP {
	}
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 4 bytes 324 jump LIBVIRT_INP
	}
	chain LIBVIRT_OUT {
	}
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 18 bytes 1217 jump LIBVIRT_OUT
	}
	chain LIBVIRT_FWO {
	}
	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 0 bytes 0 jump LIBVIRT_FWX
		counter packets 0 bytes 0 jump LIBVIRT_FWI
		counter packets 0 bytes 0 jump LIBVIRT_FWO
	}
	chain LIBVIRT_FWI {
	}
	chain LIBVIRT_FWX {
	}
}
table ip6 nat {
	chain LIBVIRT_PRT {
	}
}
but still don't have internet access from my Windows guest inside qemu. Any clues?
Cheers.
Last edited by mani001 on Wed Oct 12, 2022 11:16 am; edited 1 time in total
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 910
Posted: Sun Nov 07, 2021 10:03 am
I don't think your nftables is the problem; these rules do absolutely nothing, everything is allowed.
How are you testing the network connectivity? Be aware that if you use the "user" netdev in qemu, ping doesn't work from/to guests; that's a limitation of the "user" netdev and does not indicate a problem with the host or the guest.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
mani001 Guru
Joined: 04 Dec 2004 Posts: 487 Location: Oleiros
Posted: Sun Nov 07, 2021 10:44 am
Thanks for the quick reply!!
Inside the Windows guest I'm just using a browser (Edge) to try and connect to some webpage and get an error (network not available or something of the sorts). If I go back to iptables, then it works like a charm.
About the rules... you are probably right. I hadn't even thought about it: those are just the rules added by "libvirt". Besides those rules, I have some more along these lines (with minor modifications for the sake of privacy):
Code:
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid counter packets 136 bytes 8244 drop comment "early drop of invalid packets"
		ct state { established, related } counter packets 1007215 bytes 197409220 accept comment "accept all connections related to connections made by us"
		iif "lo" accept comment "accept loopback"
		iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
		ip protocol icmp counter packets 0 bytes 0 accept comment "accept all ICMP types"
		tcp dport 1234 accept comment "accept VPN TCP"
		udp dport 1234 accept comment "accept VPN UDP"
		iifname "tun0" accept comment "accept within VPN"
		counter packets 695 bytes 205764 comment "count dropped packets"
	}
}
but I don't think these should have any effect on qemu/libvirt
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 910
Posted: Sun Nov 07, 2021 11:49 am
Does libvirt add any rules when you start the VM? Depending on the configuration you may want/need some rules in the forward and/or nat chains.
A bit more information about how it fails would also help. Does it resolve the hostname correctly? Or does it time out?
You could manually try to connect to some site and see what happens. I don't have a clue how to do that in windoze, but on linux I'd use netcat/telnet or openssl to do that.
Another way to diagnose is to run tcpdump on the host to see if you can see the VM's network traffic.
mani001 Guru
Joined: 04 Dec 2004 Posts: 487 Location: Oleiros
Posted: Sun Nov 21, 2021 6:46 pm
Sorry for the delay... You are right, it's too little information. A little bit more:
No, starting the VM doesn't modify the rules.
I don't think DNS is working: when I type
it says "couldn't find the host www.google...."
The Windows diagnostic tools say "Ethernet doesn't have a valid IP setup" (and aren't able to fix it).
I tried listening with tcpdump to both virbr0
Code:
root@cochi ~ $tcpdump -i virbr0
dropped privs to pcap
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:42:36.458723 IP 169.254.160.213.61076 > 239.255.255.250.1900: UDP, length 174
19:42:37.460373 IP 169.254.160.213.61076 > 239.255.255.250.1900: UDP, length 174
19:42:38.461498 IP 169.254.160.213.61076 > 239.255.255.250.1900: UDP, length 174
19:42:39.475182 IP 169.254.160.213.61076 > 239.255.255.250.1900: UDP, length 174
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
and vnet0 interfaces
Code:
root@cochi ~ $tcpdump -i vnet0
dropped privs to pcap
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:43:01.325252 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:03.309251 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:05.293286 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:07.341251 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:09.325252 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:11.309284 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:13.293282 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:15.341253 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
mani001 Guru
Joined: 04 Dec 2004 Posts: 487 Location: Oleiros
Posted: Wed Oct 12, 2022 11:15 am
Long time, but in case anyone else is struggling with this... following some hints from this thread:
https://forums.gentoo.org/viewtopic-t-1148450-highlight-nftables+qemu.html?sid=b7116aa6a5c66d12890a1bd2418ced34
the rules below (plus whatever else you need) did it for me:
Code:
define qemu_bridge_if = "virbr0"
table ip nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		# "masquerade" means the servers to which one connects from the VM can't tell packets are coming from the latter
		ip saddr 192.168.122.0/24 masquerade
	}
}
table inet filter {
	# "input" is the name of the chain
	chain input {
		# base-chain declaration (same as in the input chain posted earlier in this thread); without it the chain is not hooked and never sees a packet
		type filter hook input priority filter; policy drop;
		# -------------------------------- qemu
		iifname $qemu_bridge_if accept comment "accept from virtual VM"
		# packets that reach here are bound to be dropped
		counter comment "count dropped packets"
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
		# -------------------------------- qemu
		iifname $qemu_bridge_if accept comment "accept VM interface as input"
		oifname $qemu_bridge_if accept comment "accept VM interface as output"
		counter comment "count dropped packets"
	}
}
192.168.122.0/24 being the subnet spanned by qemu.
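Added example, not code from the thread or from libvirt: a small lint that parses an `nft list ruleset` dump and reports which of the three pieces pa4wdh hinted at (forward/nat rules) and the final post supplies are missing. It assumes libvirt's default network (bridge `virbr0`, guest subnet `192.168.122.0/24`) and only recognises the rule shapes used in this thread (`iifname <bridge> accept`, `oifname <bridge> accept`, `ip saddr <subnet> masquerade`). The two sample rulesets are constructed from the ones posted above: the first is the situation in the opening posts (drop-policy input chain, libvirt's empty chains, no NAT), the second is the fix.

```python
"""Lint an `nft list ruleset` dump for what a libvirt NAT network needs (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Chain:
    hook: Optional[str] = None          # None for regular (non-base) chains such as LIBVIRT_PRT
    policy: Optional[str] = None
    rules: List[str] = field(default_factory=list)


Tables = Dict[Tuple[str, str], Dict[str, Chain]]

RE_DEFINE = re.compile(r"define\s+(\w+)\s*=\s*(.+)$")
RE_TABLE = re.compile(r"table\s+(\w+)\s+(\w+)\s*\{")
RE_CHAIN = re.compile(r"chain\s+(\w+)\s*\{")
RE_HOOK = re.compile(r"type\s+\w+\s+hook\s+(\w+)\s+priority\s+[^;]+;\s*policy\s+(\w+);")
RE_COUNTER = re.compile(r"counter(\s+packets\s+\d+\s+bytes\s+\d+)?")


def parse_ruleset(text: str) -> Tables:
    """Parse nft text into {(family, table): {chain_name: Chain}}.
    Rules are normalised (defines expanded, counters and quotes dropped, whitespace
    collapsed) so a hand-written ruleset and a live dump compare the same way."""
    tables: Tables = {}
    defines: Dict[str, str] = {}
    table: Optional[Tuple[str, str]] = None
    chain: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := RE_DEFINE.match(line):
            defines[m.group(1)] = m.group(2).strip()
        elif m := RE_TABLE.match(line):
            table = (m.group(1), m.group(2))
            tables.setdefault(table, {})
        elif (m := RE_CHAIN.match(line)) and table is not None:
            chain = tables[table].setdefault(m.group(1), Chain())
        elif line == "}":                   # closes the innermost open block
            if chain is not None:
                chain = None
            else:
                table = None
        elif chain is None:
            continue
        elif m := RE_HOOK.match(line):      # base-chain declaration
            chain.hook, chain.policy = m.group(1), m.group(2)
        else:
            for name, value in defines.items():
                line = line.replace("$" + name, value)
            line = RE_COUNTER.sub("", line).replace('"', "")
            chain.rules.append(" ".join(line.split()))
    return tables


def base_chains(tables: Tables, hook: str, families=("ip", "inet")) -> List[Chain]:
    """Base chains attached to `hook` in the IPv4-capable families."""
    return [c for (fam, _), chains in tables.items() if fam in families
            for c in chains.values() if c.hook == hook]


def check_libvirt_nat(tables: Tables, bridge: str = "virbr0",
                      subnet: str = "192.168.122.0/24") -> List[str]:
    """Return findings; an empty list means all three required pieces are present."""
    findings: List[str] = []
    # 1. Guests use private addresses, so something must masquerade them on the way out.
    if not any(f"ip saddr {subnet} masquerade" in r
               for c in base_chains(tables, "postrouting") for r in c.rules):
        findings.append(f"no postrouting masquerade rule for {subnet}")
    # 2. A drop-policy forward chain eats guest traffic unless the bridge is accepted both ways.
    for c in base_chains(tables, "forward"):
        if c.policy != "drop":
            continue
        for key in ("iifname", "oifname"):
            if not any(r.startswith(f"{key} {bridge} accept") for r in c.rules):
                findings.append(f"forward chain drops but lacks '{key} {bridge} accept'")
    # 3. The host answers the guests' DHCP/DNS (dnsmasq on the bridge), so a drop-policy
    #    input chain must accept what arrives from the bridge or guests never get a lease.
    for c in base_chains(tables, "input"):
        if c.policy == "drop" and not any(r.startswith(f"iifname {bridge} accept") for r in c.rules):
            findings.append(f"input chain drops but lacks 'iifname {bridge} accept'")
    return findings


def lint(text: str, **kw) -> List[str]:
    return check_libvirt_nat(parse_ruleset(text), **kw)


# Constructed samples, condensed from the rulesets posted in this thread.
BROKEN_RULESET = """
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state { established, related } counter packets 1007215 bytes 197409220 accept comment "accept established"
        iif "lo" accept comment "accept loopback"
        iifname "tun0" accept comment "accept within VPN"
        counter packets 695 bytes 205764 comment "count dropped packets"
    }
}
table ip filter {
    chain LIBVIRT_FWO {
    }
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        counter packets 0 bytes 0 jump LIBVIRT_FWO
    }
}
table ip nat {
    chain LIBVIRT_PRT {
    }
}
"""

FIXED_RULESET = """
define qemu_bridge_if = "virbr0"
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr 192.168.122.0/24 masquerade
    }
}
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname $qemu_bridge_if accept comment "accept from virtual VM"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname $qemu_bridge_if accept comment "accept VM interface as input"
        oifname $qemu_bridge_if accept comment "accept VM interface as output"
        counter comment "count dropped packets"
    }
}
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(label, lint(text) or ["ok"])
```

On a real host, feed it `nft list ruleset` output (`nft list ruleset | python3 lint_libvirt_nft.py` after swapping the samples for `sys.stdin.read()`). Finding 3 is the one that matches the symptom reported above: the 169.254.x.x source address in the virbr0 capture is a link-local fallback address, which is what Windows assigns itself when no DHCP answer arrives, and the host's dnsmasq cannot answer while the input chain drops everything from the bridge.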