Score:0

Controlling virsh filters right way

ke flag

I'm running centos 7, lxc for containers, virsh for setting up a bridge.

Upon creation, virsh set up some firewall rules for virbr

# iptables-save | grep virbr
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT

I've read all I could google but I could not find a correct way to enable, say, icmp, ssh and http.

I can easily do it manually (and repeat after each reboot), I can even patch it somewhere into some random script file; but is there any way to properly control nwfilters? I can list them, edit, dump... but can't USE!

pt flag
I apologize; I misread your question. If you're *only* using virsh to set up the bridge, you can't use libvirt network filters -- they apply to individual virtual machines, so if you're not starting vms, they're of no use. I would suggest using the standard network configuration scripts for setting up the bridge instead of libvirt (`/etc/sysconfig/network-scripts`). You can create persistent firewall rules by installing `iptables-services` and editing `/etc/sysconfig/iptables`, but these are global, not per-container.
pt flag
For most container runtimes (e.g., docker, podman), per-container service access is managed via port-forwarding. I'm not sure if LXC has a similar facility.
Alex Povolotsky avatar
ke flag
That's becoming more clear. I should either use virsh for BOTH network and container setup, or resort to global solution. Well then: where does virsh get its default rules? I'd just patch them for now.
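
Added example, not from the thread: taking the global `/etc/sysconfig/iptables` route the comment above describes, a POSIX-shell helper (the names `gen_forward_rules`, `forward_allows` and `sample_dump` are my own) that prints FORWARD rules admitting ICMP, ssh and http towards the bridge subnet, and checks a saved ruleset to confirm the ACCEPT lands ahead of libvirt's REJECT, since rule order is what decides whether the opening actually takes effect.

```shell
#!/bin/sh
# Added example (helper names are hypothetical): print FORWARD rules that let new
# ICMP/TCP connections reach containers behind a libvirt bridge, and check an
# iptables-save dump for whether such an ACCEPT sits ahead of libvirt's
# catch-all "-o virbr0 -j REJECT". Rules are only printed; paste them into
# /etc/sysconfig/iptables (iptables-services) before the REJECT lines.

# Usage: gen_forward_rules <bridge> <subnet> [proto:port ...]
gen_forward_rules() {
  bridge="$1"; subnet="$2"; shift 2
  # echo-request only; replies return via the RELATED,ESTABLISHED rule
  printf -- '-A FORWARD -d %s -o %s -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$subnet" "$bridge"
  for svc in "$@"; do
    proto=${svc%%:*}; port=${svc##*:}
    printf -- '-A FORWARD -d %s -o %s -p %s -m %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$subnet" "$bridge" "$proto" "$proto" "$port"
  done
}

# Usage: <iptables-save output> | forward_allows <bridge> <proto> <port>
# Exit 0 if an ACCEPT for that service towards the bridge precedes the REJECT
# in the FORWARD chain (first match wins), 1 otherwise.
forward_allows() {
  awk -v b="$1" -v p="$2" -v d="$3" '
    $1 == "-A" && $2 == "FORWARD" && index($0 " ", "-o " b " ") {
      line = $0 " "
      if (index(line, "-p " p " ") && index(line, "--dport " d " ") && index(line, "-j ACCEPT ")) { found = 1; exit }
      if (index(line, "-j REJECT ")) exit
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample: the FORWARD rules libvirt installed, as quoted in the question.
sample_dump() {
cat <<'EOF'
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Stock rules reject ssh to a container; with the generated rules placed first it passes.
sample_dump | forward_allows virbr0 tcp 22 && echo "ssh allowed" || echo "ssh rejected"
{ gen_forward_rules virbr0 192.168.122.0/24 tcp:22 tcp:80; sample_dump; } \
  | forward_allows virbr0 tcp 22 && echo "ssh allowed" || echo "ssh rejected"
```

The same check works on a live host with `iptables-save | forward_allows virbr0 tcp 22`, which is a quick way to confirm after a reboot that the persistent rules were restored in the right position.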