[Bug 1214160] New: libvirt-routed firewalld zone not functional
https://bugzilla.suse.com/show_bug.cgi?id=1214160

          Bug ID: 1214160
         Summary: libvirt-routed firewalld zone not functional
  Classification: openSUSE
         Product: openSUSE Distribution
         Version: Leap 15.5
        Hardware: x86-64
              OS: openSUSE Leap 15.5
          Status: NEW
        Severity: Normal
        Priority: P5 - None
       Component: Virtualization:Other
        Assignee: virt-bugs@suse.de
        Reporter: rombert@apache.org
      QA Contact: qa-bugs@suse.de
Target Milestone: ---
        Found By: ---
         Blocker: ---

After a recent update of my virtual machine host (sorry for being fuzzy) I started seeing connections being dropped between the VMs and the host, specifically NFS. The interfaces are assigned to the libvirt-routed interface contributed by libvirt-daemon-driver-network.

# firewall-cmd --get-active-zones
(...)
libvirt-routed
  interfaces: kubic-net-br virbr1

# rpm -qf /usr/lib/firewalld/zones/libvirt-routed.xml
libvirt-daemon-driver-network-9.0.0-150500.6.11.1.x86_64

After enabling firewalld's logging of dropped packets, I see log entries such as

Aug 10 13:08:02 vmhost002 kernel: "filter_IN_policy_libvirt-to-host_REJECT: "IN=virbr1 OUT= MAC=52:54:00:33:68:12:52:54:00:ce:5c:25:08:00 SRC=10.25.1.6 DST=10.25.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54291 DF PROTO=TCP SPT=943 DPT=2049 WINDOW=64240 RES=0x00 SYN URGP=0

The nfs service should be allowed:

# firewall-cmd --info-zone=libvirt-routed | grep services
  services: http mountd mysql nfs rpc-bind

# firewall-cmd --info-service=nfs
nfs
  ports: 2049/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes:
  helpers:

What is worrying me and pointing to a bug are the following messages from the system journal, which point to the firewalld zone not being functional:

Aug 09 13:12:36 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'RUNNING', False, 'public', {'nf_nat_tftp': 4}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones
Aug 09 13:12:36 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'RUNNING', False, 'public', {'nf_nat_tftp': 4}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones
Aug 09 13:13:33 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'INIT', False, 'public', {}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones
Aug 09 13:13:33 vmhost002 firewalld[17692]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'INIT', False, 'public', {'nf_nat_tftp': 1}, [], True, True, True, False, 'all')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones

Happy to provide more information if needed.

--
You are receiving this mail because:
You are on the CC list for the bug.
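A small triage helper, added here and not part of the bug report or of firewalld: it parses kernel log lines carrying firewalld's `filter_<chain>_policy_<name>_<verdict>` log prefix, like the REJECT entry quoted above, and flags rejections whose destination port belongs to a service the zone lists as allowed. The sample line and the nfs = 2049/tcp mapping are taken from the report; the parser and the PolicyHit record are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample, copied from the kernel REJECT entry quoted in the report.
SAMPLE_LINE = (
    'Aug 10 13:08:02 vmhost002 kernel: "filter_IN_policy_libvirt-to-host_REJECT: "'
    'IN=virbr1 OUT= MAC=52:54:00:33:68:12:52:54:00:ce:5c:25:08:00 SRC=10.25.1.6 '
    'DST=10.25.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54291 DF PROTO=TCP SPT=943 '
    'DPT=2049 WINDOW=64240 RES=0x00 SYN URGP=0'
)
# Services the zone claims to allow, as (proto, port). Only nfs 2049/tcp comes from
# the report; add the rest from `firewall-cmd --info-service=<name>` on the host.
ZONE_SERVICES = {"nfs": {("tcp", 2049)}}

# firewalld's nftables log prefix: filter_<chain>_policy_<policy>_<verdict>:
PREFIX_RE = re.compile(r'kernel: "filter_(?:IN|FWD|OUT)_policy_(?P<policy>.+)'
                       r'_(?P<verdict>REJECT|DROP|ACCEPT): "(?P<fields>.*)$')

@dataclass
class PolicyHit:
    policy: str
    verdict: str
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    service: Optional[str]  # allowed service whose port this packet hit, if any

def parse_policy_log(line: str, services=ZONE_SERVICES) -> Optional[PolicyHit]:
    # Returns None for lines that are not firewalld policy log entries.
    m = PREFIX_RE.search(line)
    if not m:
        return None
    kv = {}
    for tok in m["fields"].split():  # bare flags like DF and SYN carry no '='
        if "=" in tok:
            k, v = tok.split("=", 1)
            kv[k] = v
    proto = kv.get("PROTO", "").lower()
    dport = int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None
    service = next((n for n, p in services.items() if (proto, dport) in p), None)
    return PolicyHit(m["policy"], m["verdict"], kv.get("IN", ""), kv.get("SRC", ""),
                     kv.get("DST", ""), proto, dport, service)

def misfiring_hits(lines, services=ZONE_SERVICES):
    # Drops/rejects on a port the zone says it allows: ruleset and --info-zone disagree.
    hits = (parse_policy_log(l, services) for l in lines)
    return [h for h in hits if h and h.verdict != "ACCEPT" and h.service]
```

Feed it `journalctl -k` output: any hit returned means the loaded ruleset does not match the zone's declared services, which is exactly what the INVALID_ZONE errors above would predict.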
https://bugzilla.suse.com/show_bug.cgi?id=1214160
https://bugzilla.suse.com/show_bug.cgi?id=1214160#c11

Roy Bellingan <admin@seisho.us> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |admin@seisho.us

--- Comment #11 from Roy Bellingan <admin@seisho.us> ---
firewalld noob here.

In my case I upgraded from 15.2 to 15.5, as after 2 years the libvirt and firewalld combo started to misbehave badly.

In my case the error manifests as

firewalld[6760]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'INIT', False, 'public', {'nf_nat_ftp': 2}, [], True, True, True, False, 'off')>(()) failed: INVALID_ZONE: 'libvirt-routed' not among existing zones

And it looks like it is no longer possible in my case to have NAT port forwarding. Rules like

firewall-cmd --permanent --add-forward-port=port=2302:proto=udp:toaddr=192.168.100.223:toport=2302

simply vanish when querying iptables-save (which is not showing many, many other things btw); same for iptables -L -v -n -t nat.
https://bugzilla.suse.com/show_bug.cgi?id=1214160
https://bugzilla.suse.com/show_bug.cgi?id=1214160#c12

--- Comment #12 from Roy Bellingan <admin@seisho.us> ---
Sorry, forgot to add: I tried to update to libvirt-9.7.0-Virt.150500.1084.1.x86_64, but same error.

firewall-cmd --version
0.9.3
https://bugzilla.suse.com/show_bug.cgi?id=1214160

Marius Kittler <marius.kittler@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marius.kittler@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1214160
https://bugzilla.suse.com/show_bug.cgi?id=1214160#c14

--- Comment #14 from Marius Kittler <marius.kittler@suse.com> ---
Note that this is still an issue. We are seeing these errors a lot on openQA worker hosts (the infrastructure we run openQA tests on) and they are rather distracting (see https://progress.opensuse.org/issues/155848). Any ideas how to work around this? Is there an upstream issue about it?

When it comes to reproducing: I think all one has to do is have the `libvirt-daemon-driver-network` package installed while also having `firewalld.service` enabled/running. Then the errors are quite apparent in the service's journal.
https://bugzilla.suse.com/show_bug.cgi?id=1214160
https://bugzilla.suse.com/show_bug.cgi?id=1214160#c16

--- Comment #16 from Roy Bellingan <admin@seisho.us> ---
I am using Tumbleweed (last version as of 2024-0-04), also tried on a 15.5 on my live server, and same behaviour. In short, with libvirt I redid the config several times, reset the system, whatever, it never works. LXD forwarding works on the first try.

****

I retried the network setup, and if I want to forward into a libvirtd-managed instance it keeps failing (currently bypassing the problem using socat, but it does not perform IP rewrite, so it is a problem). I also tried to NAT into an LXD container and it is working fine for this one...

The command I use to create the NAT rule is the classic (this one below is for the LXD container; for the other I just change the IP):

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="192.168.178.2" forward-port port="1201" protocol="tcp" to-port="1201" to-addr="10.29.49.148"' --permanent

When I try to access the libvirt one, Wireshark reports an ICMP response: Destination unreachable (Port unreachable). The response looks like it is generated NOT on the libvirt interface (if I put Wireshark listening there I have nothing) but on the eth0 one.

If I remove the NAT rule (and start nc) it will work fine. So it is the firewall that goes crazy when the rule is present...?