[libvirt-users] disable libvirt-nwfilter

Michal Privoznik mprivozn at redhat.com
Tue May 7 07:26:02 UTC 2019 

[Please keep the list CC-ed as it may help somebody from future when 
searching for solution to the same problem]
On 5/6/19 6:08 PM, nakata at geekpit.org wrote:
> Am 2019-05-06 16:26, schrieb Michal Privoznik:
>> On 5/6/19 3:44 PM, nakata at geekpit.org wrote:
>>> Hi,
>>>
>>> i want to disable the nwfilter functionality of libvirt.
>>> It's surely nice for some people, nevertheless i don't want libvirt 
>>> to alter any netfilter rules, neither i want the according 
>>> functionality even available.
>>
>> It's not only NWFilter that will inject firewall rules. Depending on
>> configuration it might also be the default network.
>>
>>> I know about nwfilter-undefine, but what i'm looking for is an option 
>>> to globally disable this functionality at all. Some config flag or 
>>> similar.
>>> How can i achieve that?
>>
>> Unless you have a domain <interface/> defined so that it uses a
>> nwfilter then no firwall rules are added by nwfilter code.
>>
>> If you still want to remove nwfilter module then just uninstall it, 
>> e.g. via:
>>
>> dnf remove libvirt-daemon-driver-nwfilter libvirt-daemon-config-nwfilter
>>
>> Michal
> 
> Hi,
> 
> me again.
> Another question libvirt is adding chains. Where do i disable these:
> 
> chains are LIBVIRT-{FWO,FWX,FWI, INP, OUT}
> 
> These are absolutely and explicit unwanted.
> Adding new rich features for folks is a fine thing, but i need an opt out.
> Please, how do i get rid of it?

As I've said, there are two sources which cause libvirt to insert FW 
rules. By uninstalling nwfilter module you've eliminated one. But since 
you're still able to run the domain this step was useless because your 
domain doesn't have nwfilter configured for any of its <interface/>-s 
and thus nwfilter module did nothing but sit there.

The other module that is inserting FW rules is network module.
Currently, when libvirtd is starting it reads all the configs of defined 
networks. If a NATed network is found then it creates those LIBVIRT-* 
chains and when the network is started then all the rules will be placed 
into those chains to not contaminate config set by sysadmin.
There is patch to postpone creating the chains unitl network actually is 
starting:

https://www.redhat.com/archives/libvir-list/2019-April/msg01547.html

So your options here are:

a) undefine all NATed networks (typically there's 'default' network)
b) uninstall network module (but this will render all domains using 
<interface type='network'/> unable to start).

As an extension to a) you can have a network with <forward mode='open'/> 
which preserves all the advantages of having a libvirt network but does 
not install any FW rules.

Of course, any comments to aforementioned patch are welcome too.

Michal

More information about the libvirt-users mailing list