firewalld and the virtual network driver
If firewalld is active on the host, libvirt will attempt to place the bridge interface of a libvirt virtual network into the firewalld zone named "libvirt" (thus making all guest->host traffic on that network subject to the rules of the "libvirt" zone). This is done because, if firewalld is using its nftables backend (available since firewalld 0.6.0) the default firewalld zone (which would be used if libvirt didn't explicitly set the zone) prevents forwarding traffic from guests through the bridge, as well as preventing DHCP, DNS, and most other traffic from guests to host. The zone named "libvirt" is installed into the firewalld configuration by libvirt (not by firewalld), and allows forwarded traffic through the bridge as well as DHCP, DNS, TFTP, and SSH traffic to the host - depending on firewalld's backend this will be implemented via either iptables or nftables rules. libvirt's own rules outlined above will *always* be iptables rules regardless of which backend is in use by firewalld.
Source: https://libvirt.org/firewall.html#fi...network-driver
Mine are very basic on this set-up:
Code:
virsh nwfilter-list
UUID                                  Name
-----------------------------------------------------------------
606d786b-10b0-4b1b-98f5-5dea9326ae97 allow-arp
a7746631-2e20-46b3-86bc-b4c5fe4a1208 allow-dhcp
d6588fc2-7874-4fb1-9ffd-17f94237e344 allow-dhcp-server
7bb6a34e-6bb1-49e1-9f41-3adb75c2fb00 allow-dhcpv6
e94b5dba-bff1-404b-9170-0631d5d84739 allow-dhcpv6-server
9f479bf2-a47e-43cd-a784-870d202809c1 allow-incoming-ipv4
43a2ca94-f098-472e-9a33-051e225bd885 allow-incoming-ipv6
6aff8004-39c2-4205-a159-8f002484cff1 allow-ipv4
fe48d5f0-07eb-4e98-bfb6-2985489b7ace allow-ipv6
4847be07-2989-4eaa-90e8-51cc39c66c17 clean-traffic
75d7b236-d527-45fd-9413-977f8e242bf6 clean-traffic-gateway
a4a834c7-a867-4473-a517-bc6e77897c7a no-arp-ip-spoofing
8bb99a08-63e1-4b48-b999-32ba9844f642 no-arp-mac-spoofing
efeed4c9-0534-4c86-b428-b94b7d4e8b88 no-arp-spoofing
0f98375e-de17-4c97-a0ad-daf79837aa1a no-ip-multicast
d51bb497-5596-41f8-b5ef-cafc740a14b9 no-ip-spoofing
3c5f7c58-7e35-4c37-b943-02e7fd9102f0 no-ipv6-multicast
a65c5c5a-6364-4935-b9fa-94415e9995eb no-ipv6-spoofing
3daac86c-d45b-4583-a670-a4932d8711ca no-mac-broadcast
111a1ae2-2e2d-4696-970c-cb675198d3ee no-mac-spoofing
f2a7c870-2c7d-4f46-ad37-d83308af4f44 no-other-l2-traffic
62e36467-17c3-4b1f-809f-89a361842d27 no-other-rarp-traffic
dab30a8f-4ad2-4784-8f47-70dc5f6a25a0 qemu-announce-self
b96ed81f-117a-430d-9181-ac33b7c3a70f qemu-announce-self-rarp
From the host.
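The filters that `virsh nwfilter-list` prints are only definitions; none of them touches a guest's traffic until a guest's `<interface>` carries a `<filterref>` naming one of them. The following Python is an added example (not code from the post above and not part of libvirt) that audits a domain's XML for interfaces with no filter and attaches `clean-traffic` to one, pinning the IP address that its `no-ip-spoofing` rule enforces. The domain XML is a constructed sample in the shape `virsh dumpxml` emits; the host-side audit at the end shells out to `virsh` and is the only part that needs a libvirt host.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample of `virsh dumpxml <domain>` output: two NICs, one already
# bound to clean-traffic with its IP pinned, one with no filter at all.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:aa:bb:cc'/>
      <source network='default'/>
      <target dev='vnet0'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='192.168.122.10'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:dd:ee:ff'/>
      <source bridge='br0'/>
      <target dev='vnet1'/>
    </interface>
  </devices>
</domain>
"""


def interface_filters(domain_xml):
    """Return (mac, filter_name_or_None, {param: value}) for each interface."""
    root = ET.fromstring(domain_xml)
    result = []
    for iface in root.findall("./devices/interface"):
        mac = iface.find("mac").get("address")
        ref = iface.find("filterref")
        if ref is None:
            result.append((mac, None, {}))
            continue
        params = {p.get("name"): p.get("value") for p in ref.findall("parameter")}
        result.append((mac, ref.get("filter"), params))
    return result


def unfiltered_macs(domain_xml):
    """MACs of interfaces that reference no nwfilter (raw bridge access)."""
    return [mac for mac, name, _ in interface_filters(domain_xml) if name is None]


def filterref_xml(filter_name, **params):
    """Serialise a <filterref> element suitable for pasting into an <interface>."""
    ref = ET.Element("filterref", filter=filter_name)
    for name, value in params.items():
        ET.SubElement(ref, "parameter", name=name, value=value)
    return ET.tostring(ref, encoding="unicode")


def attach_filter(domain_xml, mac, filter_name, **params):
    """Return domain XML with <filterref> added to the interface owning `mac`.

    An existing filterref on that interface is replaced, so the call is idempotent.
    """
    root = ET.fromstring(domain_xml)
    for iface in root.findall("./devices/interface"):
        if iface.find("mac").get("address").lower() != mac.lower():
            continue
        old = iface.find("filterref")
        if old is not None:
            iface.remove(old)
        ref = ET.SubElement(iface, "filterref", filter=filter_name)
        for name, value in params.items():
            ET.SubElement(ref, "parameter", name=name, value=value)
        return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no interface with MAC {mac}")


def audit_running_guests():
    """Host-side check: report every running guest NIC that has no nwfilter.

    Shells out to virsh, so it only works on a libvirt host (not exercised offline).
    """
    names = subprocess.run(["virsh", "list", "--name"], capture_output=True,
                           text=True, check=True).stdout.split()
    for name in names:
        xml = subprocess.run(["virsh", "dumpxml", name], capture_output=True,
                             text=True, check=True).stdout
        for mac in unfiltered_macs(xml):
            print(f"{name}: interface {mac} has no nwfilter")


if __name__ == "__main__":
    print("unfiltered in sample:", unfiltered_macs(SAMPLE_DOMAIN_XML))
    print(filterref_xml("clean-traffic", IP="192.168.122.11"))
```

Write the XML returned by `attach_filter` to a file and `virsh define` it; the filter is instantiated when the interface is next created (guest start or hot-plug). The `IP` parameter is the value `clean-traffic`'s `no-ip-spoofing` rule enforces as the guest's only permitted source address.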