Re: Clarifying isolated network rules in nftables

On Thu, Mar 27, 2025 at 11:39:38AM +0300, Alexey Kashavkin wrote:
> Hi,
> 
> I’m trying to understand how the firewall filter works for an isolated network in libvirt v11.1.0. When I start the network I can see the following rules in nftables:
> 
> table ip libvirt_network {
> 	chain forward {
> 		type filter hook forward priority filter; policy accept;
> 		counter packets 0 bytes 0 jump guest_cross
> 		counter packets 0 bytes 0 jump guest_input
> 		counter packets 0 bytes 0 jump guest_output
> 	}
> 
> 	chain guest_output {
> 		iif "virbr3" counter packets 0 bytes 0 reject
> 	}
> 
> 	chain guest_input {
> 		oif "virbr3" counter packets 0 bytes 0 reject
> 	}
> 
> 	chain guest_cross {
> 		iif "virbr3" oif "virbr3" counter packets 0 bytes 0 accept
> 	}
> 
> 	chain guest_nat {
> 		type nat hook postrouting priority srcnat; policy accept;
> 	}
> }
> 
> But when I start ping from one VM to another on the same isolated network, I don't see an increase in counters in either chain.
> 
> In the libvirt code, I found a comment in src/network/network_nftables.c:
> 
> /**
> * nftablesAddForwardAllowCross:
> *
> * Add a rule to @fw to allow traffic to go across @iface (the virtual
> * network's bridge) from one port to another. This allows all traffic
> * between guests on the same virtual network.
> */
> 
> But it seems that these rules don't work and are not needed. If I delete this table or some chains, nothing happens. VMs have connectivity with each other on this network.
> 
> What are these rules for?

This is inherited from our old iptables impl, where this was probably
needed to work around a default REJECT policy in the table. Quite
possibly redundant in nftables with our use of dedicated tables.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
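A quick way to check whether those chains are ever traversed, added here as an example and not code from the thread or from libvirt: the function parses `nft list table ip libvirt_network` output (a constructed sample with non-zero counters is embedded) and reports the packet count on the guest_cross accept rule. One caveat it encodes: frames bridged between two ports of the same Linux bridge only reach the IPv4 forward hook when br_netfilter is loaded and bridge-nf-call-iptables is 1, so a zero counter does not by itself mean the rule is broken; the sysctl path is the standard one, assumed to exist on the host.

```shell
# Constructed sample of `nft list table ip libvirt_network` output, with the
# same rules as the thread but counters as they look once the hook sees traffic.
SAMPLE_RULESET='table ip libvirt_network {
	chain forward {
		type filter hook forward priority filter; policy accept;
		counter packets 12 bytes 1008 jump guest_cross
		counter packets 12 bytes 1008 jump guest_input
		counter packets 12 bytes 1008 jump guest_output
	}
	chain guest_output {
		iif "virbr3" counter packets 0 bytes 0 reject
	}
	chain guest_input {
		oif "virbr3" counter packets 0 bytes 0 reject
	}
	chain guest_cross {
		iif "virbr3" oif "virbr3" counter packets 12 bytes 1008 accept
	}
}'

# Read a ruleset on stdin and print "<chain> <verdict-or-target> <packets>"
# for every rule that carries a counter.
chain_counters() {
    awk '
        /^[[:space:]]*chain / { chain = $2; next }
        /counter packets/ {
            for (i = 1; i <= NF; i++) if ($i == "packets") pkts = $(i + 1)
            print chain, $NF, pkts
        }'
}

# Packet count on the guest_cross accept rule for the ruleset given as $1.
cross_packets() {
    printf '%s\n' "$1" | chain_counters |
        awk '$1 == "guest_cross" && $2 == "accept" { print $3; exit }'
}

# Does the host pass bridged frames through the IPv4 netfilter hooks at all?
# Prints 1 or 0 (0 also when br_netfilter is not loaded, so the file is absent).
bridge_nf_call_iptables() {
    cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || echo 0
}

# Live usage on a libvirt host (needs root for nft):
#   nft list table ip libvirt_network | chain_counters
#   bridge_nf_call_iptables
```

A count of 0 on guest_cross together with bridge_nf_call_iptables printing 0 is the situation described in the question: the bridge switches the frames locally and the forward-hook rules are never consulted.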
