Migrating from libvirt + iptables to libvirt + nftables

Tags: debian-buster, firewalld, kvm-virtualization, libvirt, nftables

I'm about to migrate a Debian Stretch host using qemu-kvm to Debian Buster.

I've seen people complaining on the Internet about issues due to nftables becoming default in place of iptables and libvirt using iptables rules. Rules automatically written by libvirt are not understood by nftables.

I can move back to iptables after the upgrade if needed:

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Would that be enough to get my system running?


From the docs and this GH comment, firewalld support was added in libvirt 5.1.0. And it is unclear to me whether the minimal firewalld version required for the whole thing to work is 0.6.0 or 0.7.0.

Here are the versions shipped by Debian:

firewalld

  • stretch 0.4.4.2-1
  • buster 0.6.3-5
  • bullseye 0.7.2-1

libvirt-daemon

  • stretch 3.0.0-4+deb9u4
  • buster 5.0.0-4
  • bullseye 5.6.0-2

So I guess things should be fine in bullseye. Except for the existing rules.

Is the following plan the way to go?

  • Migrate to Buster and stick to iptables using the update-alternatives trick above.

  • When Bullseye is out, migrate and stick to iptables for now.

  • Translate rules manually and migrate to nftables later.


Edit:

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# Local network
auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
    bridge_ports eth0
    bridge_maxwait 0
    address 192.168.10.27
    netmask 255.255.255.0
    gateway 192.168.10.1
    dns-nameservers 192.168.10.8 192.168.1.9 8.8.8.8
    dns-domain my_domain.local
    dns-search my_domain.local

# External network
auto eth1
iface eth1 inet manual

auto br1
iface br1 inet manual
    bridge_ports eth1
    bridge_maxwait 0
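
An added check for the update-alternatives step above (example script, not part of the original question): after switching to the legacy binaries, confirm what each xtables tool actually reports and where the rules currently live. The function names and the "OK/WARNING" wording are this example's own; the backend tag in `-V` output and the `*-legacy-save` / `*-nft-save` tools are what Debian Buster ships.

```shell
#!/bin/sh
# Added example (not part of the original question): after switching the
# alternatives to the legacy binaries, confirm that every xtables tool really
# reports the legacy backend and see where the rules currently live.
# Only show_rule_locations needs root; the version checks do not.

# backend_of VERSION_LINE
# iptables 1.8 and later append "(legacy)" or "(nf_tables)" to "-V" output.
# Print the backend name, or "unknown" when the line carries neither
# (older legacy ebtables/arptables builds print no backend tag at all).
backend_of() {
    case "$1" in
        *'(legacy)'*)    echo legacy ;;
        *'(nf_tables)'*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# check_backends TOOL...
# Run "<tool> -V" for each installed tool and print its backend.
# Exit status is 1 if any installed tool is still on nf_tables; "unknown"
# is only reported, since it is what legacy ebtables/arptables may print.
check_backends() {
    rc=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%-10s not installed\n' "$tool"
            continue
        fi
        ver=$("$tool" -V 2>&1 || true)
        be=$(backend_of "$ver")
        printf '%-10s %s\n' "$tool" "$be"
        [ "$be" = nf_tables ] && rc=1
    done
    return $rc
}

# show_rule_locations
# With the legacy alternative selected, libvirt's rules show up in
# iptables-legacy-save and "nft list ruleset" stays free of xtables
# tables; with the nft alternative it is the other way round.
show_rule_locations() {
    for saver in iptables-legacy-save iptables-nft-save ip6tables-legacy-save ip6tables-nft-save; do
        if command -v "$saver" >/dev/null 2>&1; then
            n=$("$saver" 2>/dev/null | grep -c '^-A' || true)
            printf '%-22s %s rules\n' "$saver" "$n"
        fi
    done
    if command -v nft >/dev/null 2>&1; then
        n=$(nft list ruleset 2>/dev/null | wc -l | tr -d ' ' || true)
        printf '%-22s %s lines\n' 'nft list ruleset' "$n"
    fi
}

main() {
    if check_backends iptables ip6tables arptables ebtables; then
        echo 'OK: no installed tool is on the nf_tables backend'
    else
        echo 'WARNING: at least one tool still uses nf_tables; re-run update-alternatives'
    fi
    show_rule_locations
}

main
```

Run it as root once after the upgrade and once after libvirtd has started a guest: the second run is the one that tells you whether libvirt's own rules landed in the legacy tables or in nf_tables.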

Best Answer

The strategy I have taken on this is to migrate the filtering rules used for VMs from nftables to libvirt's nwfilter rules. The effect of this is that libvirt manages iptables filters. In effect this is a downgrade from nftables to iptables, but my hope is that libvirt will support a later migration to nftables.

Documentation here: https://libvirt.org/formatnwfilter.html
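
A worked instance of the nwfilter approach in this answer, as an added example (not the answerer's own code): a filter that keeps the built-in clean-traffic anti-spoofing, admits only SSH to the guest, lets it do DNS and ICMP out, and the interface element that attaches it. The filter name, the choice of br0 (from the question), the ports and the helper function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not the answerer's code): define a libvirt nwfilter that
# keeps clean-traffic's anti-spoofing, admits only SSH to the guest and lets
# it do DNS and ICMP out, then show how to attach it to an interface.
# The filter name, the bridge br0 from the question and the port choices
# are assumptions made for this illustration.

FILTER_NAME=guest-ssh-only

# write_filter_xml PATH : write the nwfilter definition to PATH.
# Rules are evaluated by ascending priority; tcp/udp rules are stateful,
# so accepting SSH "in" also lets the replies out.
write_filter_xml() {
    cat >"$1" <<EOF
<filter name='$FILTER_NAME'>
  <!-- MAC/IP/ARP spoofing protection; libvirt learns the guest IP
       itself when no IP parameter is supplied -->
  <filterref filter='clean-traffic'/>

  <!-- inbound: SSH only -->
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='22'/>
  </rule>

  <!-- outbound: DNS and ICMP (ping) -->
  <rule action='accept' direction='out' priority='500'>
    <udp dstportstart='53'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <icmp/>
  </rule>

  <!-- everything else, both ways, is dropped -->
  <rule action='drop' direction='inout' priority='1000'>
    <all/>
  </rule>
</filter>
EOF
}

# interface_xml BRIDGE : print the <interface> element that references the
# filter; paste it into "virsh edit <domain>" in place of the existing one.
interface_xml() {
    cat <<EOF
<interface type='bridge'>
  <source bridge='$1'/>
  <model type='virtio'/>
  <filterref filter='$FILTER_NAME'/>
</interface>
EOF
}

# define_filter PATH : load or replace the filter in libvirt (needs root).
# Running guests that reference the filter get the new rules; inspect the
# per-tap chains with "iptables -L -n | grep vnet" and
# "ebtables -t nat -L | grep vnet".
define_filter() {
    virsh nwfilter-define "$1" && virsh nwfilter-list
}

main() {
    xml="${TMPDIR:-/tmp}/$FILTER_NAME.xml"
    write_filter_xml "$xml"
    echo "filter written to $xml"
    interface_xml br0
    if command -v virsh >/dev/null 2>&1; then
        define_filter "$xml"
    else
        echo 'virsh not found; run as root: virsh nwfilter-define' "$xml"
    fi
}

main
```

nwfilter drives the ebtables, iptables and ip6tables command-line tools, so which backend those rules end up in is still decided by the update-alternatives selection from the question; the gain is that libvirt, not a hand-written ruleset, owns the per-guest chains and re-creates them when the guest or its tap device changes.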
