Downgrading the package world/libvirt from 1:10.4.0-1 to 1:10.3.0-1 solved the problem.
Later edit: Found that the problem is related to UFW.
Starting with libvirt 10.4, the default NAT network is not working with UFW.
Indeed, the UFW-generated rules conflict with libvirt's.
Using iptables directly for your custom rules instead of using UFW fixes the problem.
I just read this on the GitLab issues for libvirt; seems like maybe ufw and libvirt have conflicts with each other. I mean both need better configuration, if I'm reading it correctly. I just use standard nftables and everything seems to work OK with NAT on libvirt.
https://gitlab.com/libvirt/libvirt/-/issues/644
Hi steve_,
I found an easy fix for the iptables/ufw combo: just add the line
firewall_backend = "iptables" to the /etc/libvirt/network.conf file.
Regarding nftables, I didn't manage to get libvirt to work as expected.
I removed the ufw & ufw-runit packages and installed nftables & nftables-runit.
With the nftables service not enabled on boot, the VMs are getting IP addresses.
If I manually start the nftables service, the problem appears: no IPs for VMs.
If I manually stop the nftables service, the problem persists; again, no IPs for VMs, a reboot is required.
Hi iojxer,
Best to stick with what works for you; if libvirt and ufw are working with "firewall_backend = iptables" in /etc/libvirt/network.conf then that is good.
If you are interested, my nftables is just the IPv4/IPv6 Simple & Safe firewall configuration that comes with the nftables package in /etc/nftables.conf.
I don't have any rules set for iptables in /etc/iptables/iptables.rules.
When I installed nftables I had to make sure I saved the rules. Not sure if this is relevant or not for runit?
I'm on OpenRC, so it looked like this.
# rc-service nftables save
# rc-service nftables start
then finally
# rc-update add nftables
Hi steve,
For me the default configuration that comes with the nftables package in /etc/nftables.conf didn't work, no matter what, regardless of having loaded the
inet filter, ip libvirt_network and ip6 libvirt_network tables.
I'm not skilled enough to troubleshoot this issue efficiently.
Anyway, I was lucky enough to find a workaround here: https://forums.gentoo.org/viewtopic-p-8674890.html#8674890
So, I slightly modified the default /etc/nftables.conf file accordingly and it magically works. :)
define qemu_bridge_if = "virbr0"

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # "masquerade" means the servers to which one connects from the VM can't tell packets are coming from the latter
        ip saddr 192.168.122.0/24 masquerade
    }
}

table inet filter {
    # "input" is the name of the chain
    chain input {
        # base-chain declaration, restored here: it is missing from the snippet as posted, and without
        # it the chain is never consulted; it mirrors the forward chain below. The default file's
        # loopback and established/related accept rules belong above the qemu rule.
        type filter hook input priority 0; policy drop;
        # -------------------------------- qemu
        iifname $qemu_bridge_if accept comment "accept from virtual VM"
        # packets that reach here are bound to be dropped
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # -------------------------------- qemu
        iifname $qemu_bridge_if accept comment "accept VM interface as input"
        oifname $qemu_bridge_if accept comment "accept VM interface as output"
        counter comment "count dropped packets"
    }
}
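A way to verify that a hand-written ruleset like the one above actually gives the default libvirt NAT network what it needs, as an added example that is not part of this thread or of libvirt: the script below reads an `nft list ruleset` dump and checks for a reachable accept from the bridge in the input chain, accepts in both directions in the forward chain, and a masquerade for the guest subnet. It also flags a chain that has no `type ... hook` line, because such a chain is never consulted and any accept rule inside it is dead. The function name `check_ruleset`, the `BRIDGE`/`SUBNET` variables and the two sample rulesets are constructed for this example; the bridge and subnet defaults are libvirt's "default" network values.

```shell
#!/bin/sh
# Added example (not from the thread): check an `nft list ruleset` dump for the
# rules a libvirt default NAT network needs: input accept from the bridge (so
# dnsmasq on virbr0 can answer DHCP/DNS), forward accept both ways, and
# masquerade for the guest subnet. A chain without a `type ... hook` line is
# not a base chain and is never evaluated, so that is checked too.

BRIDGE="${BRIDGE:-virbr0}"
SUBNET="${SUBNET:-192.168.122.0/24}"

# check_ruleset: ruleset text on stdin; prints what is missing; returns 0 only
# when every required rule is present and reachable.
# Live use:  nft list ruleset | check_ruleset
check_ruleset() {
    awk -v br="$BRIDGE" -v net="$SUBNET" '
        { gsub(/"/, "") }                        # nft quotes names; strip for matching
        /^[ \t]*chain /  { chain = $2; dropped = 0 }
        /^[ \t]*type /   { hooked[chain] = 1 }   # base-chain declaration seen
        /^[ \t]*(counter )?drop/ { dropped = 1 } # rules after this never match
        chain == "input"   && $1 == "iifname" && $2 == br && $3 == "accept" && !dropped { have["in"] = 1 }
        chain == "forward" && $1 == "iifname" && $2 == br && $3 == "accept" && !dropped { have["fwd_in"] = 1 }
        chain == "forward" && $1 == "oifname" && $2 == br && $3 == "accept" && !dropped { have["fwd_out"] = 1 }
        chain == "postrouting" && $1 == "ip" && $2 == "saddr" && $3 == net && $4 == "masquerade" { have["nat"] = 1 }
        END {
            rc = 0
            if (!hooked["input"]) { print "input: not a base chain (no type/hook line)"; rc = 1 }
            else if (!have["in"]) { print "input: no reachable rule: iifname " br " accept"; rc = 1 }
            if (!hooked["forward"]) { print "forward: not a base chain (no type/hook line)"; rc = 1 }
            else if (!have["fwd_in"] || !have["fwd_out"]) { print "forward: need iifname and oifname " br " accept"; rc = 1 }
            if (!hooked["postrouting"] || !have["nat"]) { print "nat: no hooked postrouting masquerade for " net; rc = 1 }
            if (rc == 0) print "ok: NAT rules for " br " (" net ") present"
            exit rc
        }'
}

# Constructed sample: what `nft list ruleset` prints for a working version of the
# config in the post (names quoted, symbolic priorities as recent nft prints them).
good_ruleset() {
cat <<'EOF'
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		ct state established,related accept
		iifname "virbr0" accept comment "accept from virtual VM"
		counter packets 0 bytes 0 comment "count dropped packets"
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		iifname "virbr0" accept comment "accept VM interface as input"
		oifname "virbr0" accept comment "accept VM interface as output"
		counter packets 0 bytes 0 comment "count dropped packets"
	}
}
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.168.122.0/24 masquerade
	}
}
EOF
}

# Constructed sample: same rules, but the input chain has no type/hook line
# (the shape of the snippet as posted), so its accept rule is never evaluated.
unhooked_ruleset() {
    good_ruleset | grep -v 'type filter hook input'
}

if [ "${1:-}" = "demo" ]; then
    echo "--- working ruleset";  good_ruleset | check_ruleset
    echo "--- unhooked ruleset"; unhooked_ruleset | check_ruleset
fi
```

Run it with `demo` as the first argument to see both samples checked; on a real host, pipe `nft list ruleset` into `check_ruleset` after sourcing the file. The check is keyed on chain names (`input`, `forward`, `postrouting`), so it is meant for a hand-written ruleset like the one in the post, not for the `libvirt_network` tables libvirt 10.4+ creates itself.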