
libvirt - VM’s not getting IP Addresses

Downgrading the package world/libvirt from 1:10.4.0-1 to 1:10.3.0-1 solved the problem.

Later edit: Found that the problem is related to UFW.
Starting with Libvirt 10.4, the default NAT Network is not working with UFW.

Re: libvirt - VM’s not getting IP Addresses

Reply #1
Indeed the UFW generated rules conflict with libvirt's.
Using iptables directly for your custom rules instead of using UFW fixes the problem.

artist

Re: libvirt - VM’s not getting IP Addresses

Reply #2
I just read this on the GitLab issues for libvirt; seems like maybe ufw and libvirt have conflicts with each other. I mean both need better configuration, if I'm reading it correctly. I just use standard nftables and everything seems to work ok with NAT on libvirt.

https://gitlab.com/libvirt/libvirt/-/issues/644

Re: libvirt - VM’s not getting IP Addresses

Reply #3
I just read this on the GitLab issues for libvirt; seems like maybe ufw and libvirt have conflicts with each other. I mean both need better configuration, if I'm reading it correctly. I just use standard nftables and everything seems to work ok with NAT on libvirt.

https://gitlab.com/libvirt/libvirt/-/issues/644

Hi steve_,

I found an easy fix for the iptables/ufw combo: just add the line firewall_backend = "iptables" to the /etc/libvirt/network.conf file.

Regarding nftables, I didn't manage to get libvirt to work as expected.

I removed the ufw & ufw-runit packages and installed nftables & nftables-runit.
With the nftables service not enabled on boot, the VMs are getting IP addresses.

If I manually start the nftables service, the problem appears: no IPs for VMs.
If I manually stop the nftables service, the problem persists, again no IPs for VMs; a reboot is required.

Re: libvirt - VM’s not getting IP Addresses

Reply #4
Hi iojxer,

Best to stick with what works for you; if libvirt and ufw are working with "firewall_backend = iptables" in /etc/libvirt/network.conf then that is good.

If you are interested, my nftables is just the IPv4/IPv6 Simple & Safe firewall configuration that comes with the nftables package in /etc/nftables.conf.
I don't have any rules set for iptables in /etc/iptables/iptables.rules.

When I installed nftables I had to make sure I saved the rules. Not sure if this is relevant or not for runit?
I'm on OpenRC so it looked like this.

# rc-service nftables save
# rc-service nftables start

then finally

# rc-update add nftables



Re: libvirt - VM’s not getting IP Addresses

Reply #5
Hi steve,

For me the default configuration that comes with the nftables package in /etc/nftables.conf didn't work, no matter what, regardless of having loaded the inet filter, ip libvirt_network and ip6 libvirt_network tables.
I'm not skilled enough to efficiently troubleshoot this issue.
Anyway, I was lucky enough to find a workaround here: https://forums.gentoo.org/viewtopic-p-8674890.html#8674890.
So, I slightly modified the default /etc/nftables.conf file accordingly and it magically works. :)

define qemu_bridge_if = "virbr0"

table ip nat {
   chain postrouting {
      type nat hook postrouting priority 100; policy accept;

      # "masquerade" means the servers to which one connects from the VM can't tell packets are coming from the latter
      ip saddr 192.168.122.0/24 masquerade
   }
}

table inet filter {
   # "input" is the name of the chain
   chain input {
      # without this line the chain is never attached to the input hook and its rules are never evaluated
      type filter hook input priority 0; policy drop;

      # kept from the default ruleset: replies to the host's own connections, and loopback
      ct state established,related accept comment "allow tracked connections"
      iifname lo accept comment "allow from loopback"

      # -------------------------------- qemu
      # DHCP and DNS requests from the VMs arrive here, bound for libvirt's dnsmasq on the bridge
      iifname $qemu_bridge_if accept comment "accept from virtual VM"

      # packets that reach here are bound to be dropped
      counter comment "count dropped packets"
   }

   chain forward {
      type filter hook forward priority 0; policy drop;

      # -------------------------------- qemu
      iifname $qemu_bridge_if accept comment "accept VM interface as input"
      oifname $qemu_bridge_if accept comment "accept VM interface as output"

      counter comment "count dropped packets"
   }
}
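A small check for the kind of ruleset discussed in this thread, added here as an example and not code from the thread or from libvirt: it parses `nft list ruleset` output and reports which of the conditions the replies settle on are missing (an input chain that is actually hooked and accepts the bridge, forward accepting both directions, masquerade of the guest subnet). The bridge name and subnet are libvirt's defaults; the embedded ruleset text is constructed.

```python
import re

def parse_chains(ruleset):
    """Map (family, table, chain) -> hook/policy/rules from `nft list ruleset` output."""
    chains, table, chain = {}, None, None
    for line in (raw.strip() for raw in ruleset.splitlines()):
        if m := re.match(r"table (\w+) (\w+) \{", line):
            table = (m[1], m[2])
        elif m := re.match(r"chain (\w+) \{", line):
            chain = (*table, m[1])
            chains[chain] = {"hook": None, "policy": None, "rules": []}
        elif line == "}":                       # closes the open chain, else the table
            chain, table = (None, table) if chain else (None, None)
        elif chain and (m := re.match(r"type \w+ hook (\w+) priority \S+; policy (\w+);", line)):
            chains[chain].update(hook=m[1], policy=m[2])
        elif chain and line and not line.startswith("#"):
            chains[chain]["rules"].append(line)
    return chains

def libvirt_nat_problems(ruleset, bridge="virbr0", vm_net="192.168.122.0/24"):
    """Reasons why guests on libvirt's default NAT bridge would get no lease or no NAT."""
    chains, problems = parse_chains(ruleset), []
    # input must let the guest reach dnsmasq on the bridge; forward must pass both directions
    needs = {"input": ["iifname"], "forward": ["iifname", "oifname"]}
    for name, c in chains.items():
        label = " ".join(name)
        if name[2] in needs and c["hook"] is None:
            problems.append(f"{label}: no 'type ... hook' line, so its rules are never evaluated")
        elif c["hook"] in needs and c["policy"] != "accept":
            for d in needs[c["hook"]]:
                if not any(re.match(rf'{d} "?{bridge}"? accept', r) for r in c["rules"]):
                    problems.append(f"{label}: policy {c['policy']} and no '{d} {bridge} accept' rule")
    if not any(c["hook"] == "postrouting" and any(f"ip saddr {vm_net} masquerade" in r for r in c["rules"])
               for c in chains.values()):
        problems.append(f"no postrouting chain masquerades {vm_net}")
    return problems

# Constructed sample: the thread's ruleset as nft lists it, with the input chain still
# lacking its base-chain declaration (nft prints priority 100 / 0 as srcnat / filter).
POSTED = "\n".join([
    "table ip nat {", "chain postrouting {",
    "type nat hook postrouting priority srcnat; policy accept;",
    "ip saddr 192.168.122.0/24 masquerade", "}", "}",
    "table inet filter {", "chain input {",
    'iifname "virbr0" accept comment "accept from virtual VM"', "}",
    "chain forward {", "type filter hook forward priority filter; policy drop;",
    'iifname "virbr0" accept', 'oifname "virbr0" accept', "}", "}"])
```

Feed it the real output of `nft list ruleset` on the host; an empty list means the three conditions hold, although it does not inspect libvirt's own libvirt_network tables or rule ordering within a chain.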