
Thread: virt-manager networking without iptables binary?

  1. #1
    Join Date
    Jun 2016
    Beans
    2,831
    Distro
    Xubuntu

    virt-manager networking without iptables binary?

    Need to migrate from VirtualBox to virt-manager/KVM. Was able to install virt-manager, convert and boot some VDIs, but have been unable to make networking work in the VM.

    Many of the network types available in virt-manager seem to require iptables (despite documentation saying it can also work with firewalld and firewalld being installed and active). However, this system intentionally does not have any iptables binary installed, because my nftables-based firewall contains some rules that are incompatible with iptables. (If I understand correctly, firewalld sets up nftables rules that work alongside and after my main nftables firewall.)

    Host system is Xubuntu 22.04. Several guest types are involved, but at the moment I'm trying to make networking work on a Xubuntu 22.04 guest.

    With Bridge or Macvtap, the VM at least boots, but in neither case can I get networking working - NetworkManager in the guest just continuously tries and fails to connect.

    For Bridge I'm using nm-connection-editor to set up the bridge interface, and tried several different configurations. In case it's relevant, the host gets networking via Wi-Fi.

    Would like to achieve the effects of 3 networking types from VirtualBox:
    • NAT: for Internet access with traffic to/from the VM filtered by the host's firewall,
    • Bridged: for when the VM should act as another physical machine on the same network as the host, without the host's firewall applying to the VM's traffic,
    • Host-only networking: for cases where networking is needed to connect to something on the host or another VM, but where allowing Internet access would be unsafe.


    How to get these types of networking in virt-manager without having any iptables binary present on the system?

    Thanks for any help.
    Xubuntu 22.04, ArchLinux ♦ System76 hardware, virt-manager/KVM, VirtualBox
    When your questions are resolved to your satisfaction, please use Thread Tools > "Mark this thread as solved..."

  2. #2
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,699

    Re: virt-manager networking without iptables binary?

    I don't know how virt-manager configures firewall rules it needs, but I am sure that a recent virt-manager would be able to cope with a system using nftables. I suspect you are reading outdated descriptions of using virt-manager.
    This doc might prove informative: https://www.redhat.com/en/blog/using...linux-firewall

  3. #3
    Join Date
    Jun 2016
    Beans
    2,831
    Distro
    Xubuntu

    Re: virt-manager networking without iptables binary?

    Sorry, should have specified that errors when using iptables-nft and iptables-translate are how I determined there is incompatibility and why I need to keep this system pure-nftables-only.

    * For example:
    Code:
    $ sudo iptables -L -v
    iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.
    Last edited by halogen2; February 24th, 2024 at 05:56 PM.

  4. #4
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,699

    Re: virt-manager networking without iptables binary?

    So there is already an nft rule configured that cannot be back-translated to iptables. I guess the answer to that is to use nftables rather than iptables - don't try to back-translate. If you are trying to follow guides that want you to use iptables commands, you will need to work out the equivalent nftables command to use.
    Last edited by The Cog; February 24th, 2024 at 10:37 PM.

  5. #5
    Join Date
    Jun 2016
    Beans
    2,831
    Distro
    Xubuntu

    Re: virt-manager networking without iptables binary?

    The apparent iptables requirement is that virt-manager throws this error dialog when creating a virtual network, regardless of whether firewalld is installed and active -
    Code:
    Error creating virtual network: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: libvirt:  error : cannot execute binary /usr/sbin/iptables: No such file or directory
    Traceback (most recent call last):
      File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
        callback(asyncjob, *args, **kwargs)
      File "/usr/share/virt-manager/virtManager/createnet.py", line 428, in _async_net_create
        netobj.create()
      File "/usr/lib/python3/dist-packages/libvirt.py", line 3470, in create
        raise libvirtError('virNetworkCreate() failed')
    libvirt.libvirtError: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: libvirt:  error : cannot execute binary /usr/sbin/iptables: No such file or directory
    Could have sworn this was happening on all virtual network types, but checking again now, the "Open" mode virtual network is now working without an iptables binary. And using the Open network allows me to ping the guest from the host.

    This has me wondering if the problem may be that my nftables firewall rules are dropping too much for any type of virt-manager networking to function, i.e. there is no virt-manager network type where the VM networking is like just another application on the host, and I'm not yet familiar enough with virt-manager/libvirt to know what needs to be allowed? Think I need to do some experimenting with the host firewall to see to what extent it's interfering here.

  6. #6
    Join Date
    Jun 2016
    Beans
    2,831
    Distro
    Xubuntu

    Re: virt-manager networking without iptables binary?

    Ok, with host firewall completely disabled, the Open network appears to be working as host-only networking, solving one of the 3 issues. How can I prove this network is really isolated to host-only, and not just not configured for available Internet or LAN access?
    Last edited by halogen2; February 25th, 2024 at 03:03 AM.
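    One way to answer the "is it really host-only?" question from the host side, as an added example that is not part of the thread: in libvirt a network's reachability is decided by the <forward> element of its definition. No <forward> element at all means an isolated network (guests can talk to the host and to each other, and libvirt never routes them anywhere); <forward mode='open'/> is a routed network to which libvirt adds no firewall rules, so whether guests can get past the host depends on net.ipv4.ip_forward and on the host's own routing and nftables rules, not on the network definition. The script below classifies a network definition and, given a network name, inspects the live host. The sample XML snippets in demo() are constructed for the example; virsh, sysctl and nft are the real tools (nft needs root).

```shell
#!/bin/bash
# Added example (not from the thread): classify a libvirt network by its <forward>
# element and inspect the host for the things that would let guest traffic leave it.
#   no <forward>             -> isolated: guests reach only the host and each other
#   <forward mode='open'/>   -> routed, libvirt adds no firewall rules of its own
#   <forward mode='nat'/>    -> NAT via libvirt's own (iptables) rules
#   <forward mode='bridge'/> -> guests sit on an existing host bridge / macvtap
#   <forward/> with no mode  -> libvirt treats this as mode='nat'

classify_net_xml() {
    # $1: path to a network XML file, or "-" to read it from stdin
    local xml mode
    xml=$(cat "$1")
    if ! printf '%s\n' "$xml" | grep -q '<forward[ />]'; then
        echo isolated
        return 0
    fi
    mode=$(printf '%s\n' "$xml" \
        | grep -o "<forward[^>]*mode=['\"][^'\"]*['\"]" \
        | sed -E "s/.*mode=['\"]([^'\"]*)['\"].*/\1/" | head -n1)
    echo "${mode:-nat}"
}

bridge_of_net_xml() {
    # $1: path or "-"; prints the <bridge name=...> value, empty if none
    cat "$1" | grep -o "<bridge[^>]*name=['\"][^'\"]*['\"]" \
        | sed -E "s/.*name=['\"]([^'\"]*)['\"].*/\1/" | head -n1
}

check_live_net() {
    # Inspect a defined libvirt network on this host (needs virsh; nft needs root)
    local name="$1" xml mode br
    xml=$(virsh net-dumpxml "$name")
    mode=$(printf '%s\n' "$xml" | classify_net_xml -)
    br=$(printf '%s\n' "$xml" | bridge_of_net_xml -)
    echo "network $name: forward mode = $mode, bridge = ${br:-none}"
    echo "net.ipv4.ip_forward = $(sysctl -n net.ipv4.ip_forward)"
    # Any nat/masquerade rule, or a forward rule naming the bridge, means traffic can leave the host
    nft list ruleset 2>/dev/null | grep -E "masquerade|snat|${br:-virbr}" \
        || echo "no nft rules mention masquerade/snat/${br:-virbr}"
}

demo() {
    # Constructed sample definitions (not from the thread) covering the four cases
    local tmp
    tmp=$(mktemp)
    printf '<network><name>iso0</name><bridge name="virbr1"/><ip address="192.168.100.1" netmask="255.255.255.0"/></network>\n' > "$tmp"
    echo "iso0: $(classify_net_xml "$tmp") on $(bridge_of_net_xml "$tmp")"
    printf "<network><name>open0</name><forward mode='open'/><bridge name='virbr2'/></network>\n" > "$tmp"
    echo "open0: $(classify_net_xml "$tmp") on $(bridge_of_net_xml "$tmp")"
    printf '<network><name>default</name><forward/><bridge name="virbr0"/></network>\n' > "$tmp"
    echo "default: $(classify_net_xml "$tmp") on $(bridge_of_net_xml "$tmp")"
    printf "<network><name>br0net</name><forward mode='bridge'/><bridge name='br0'/></network>\n" > "$tmp"
    echo "br0net: $(classify_net_xml "$tmp") on $(bridge_of_net_xml "$tmp")"
    rm -f "$tmp"
}

if [ $# -gt 0 ]; then
    check_live_net "$1"
else
    demo
fi
```

    A network that classifies as "isolated" is host-only by construction. One that classifies as "open" is only host-only as long as the host refuses to forward for it, so the ip_forward value and the nft output are the lines to watch when the host firewall is re-enabled.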

  7. #7
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,699

    Re: virt-manager networking without iptables binary?

    I grabbed a look at a machine at work, running Ubuntu 22.04. It had multiple VMs configured, each with a NIC in Isolated mode (and one with multiple NICs all in isolated mode). But I know these VMs are all able to communicate with each other and with the host. It seems that each isolated NIC is connected to one of several Virtual Bridges, so Isolated doesn't necessarily mean totally isolated.

    The host is running Ubuntu 22.04 and has iptables installed. iptables-save and iptables -nvL both work, so there are no nft-only rules in there. Interestingly, both iptables-save and nft list ruleset show rules, and I think they both show all the rules. It seems that iptables is installed, not any of the iptables-nftables hybrid packages. So is ufw. I think UFW is creating the nft rules.

    It may be that installing iptables would do it for you, even if you can only list the rules with nft. But I would suggest using the iptables-nft converter version. Your last post shows that virt-manager is using /usr/sbin/iptables to manipulate the rules, so I guess it won't mind using the iptables-nft version.

  8. #8
    Join Date
    Jun 2016
    Beans
    2,831
    Distro
    Xubuntu

    Re: virt-manager networking without iptables binary?

    Quote Originally Posted by The Cog View Post
    It may be that installing iptables would do it for you, even if you can only list the rules with nft. But I would suggest using the iptables-nft converter version. Your last post shows that virt-manager is using /usr/sbin/iptables to manipulate the rules, so I guess it won't mind using the iptables-nft version.
    Unfortunately this doesn't work, virt-manager throws this error dialog -
    Code:
    Error creating virtual network: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.
    Traceback (most recent call last):
      File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
        callback(asyncjob, *args, **kwargs)
      File "/usr/share/virt-manager/virtManager/createnet.py", line 428, in _async_net_create
        netobj.create()
      File "/usr/lib/python3/dist-packages/libvirt.py", line 3470, in create
        raise libvirtError('virNetworkCreate() failed')
    libvirt.libvirtError: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.
    I was able to work around the error with sudo iptables -L -v by renaming my firewall table to something other than filter, which causes iptables to report an empty firewall (nft still reports all rules). However, virt-manager continues to throw this same error dialog even after the rename and sudo iptables -L -v is working.

    Was hoping that if any additional firewall rules are needed, they could be manually added using nft tool. Is there no way to get working networking in virt-manager without any iptables binary?

  9. #9
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: virt-manager networking without iptables binary?

    I don't remember ever touching firewall rules to get KVM/QEMU VMs working.

    However, I always, ALWAYS, manually set up a bridge on the host OS and completely ignore all the other network options inside virt-manager.

    For example,
    Code:
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp3s0:                  # host NIC that is enslaved to the bridge; use your own interface name
          optional: true
          dhcp4: false
          dhcp6: false
      bridges:
        br0:
          dhcp4: false
          dhcp6: false
          interfaces: [enp3s0]   # same NIC as above
          addresses:
          - 172.22.22.6/24       # static host address on your subnet
          gateway4: 172.22.22.1  # your router
          nameservers:
            addresses:
            - 172.22.22.81       # your DNS servers
            - 172.22.22.80
    Think I made everything red that you definitely need to change for your network.

    Then I specify br0 in the VM settings for each VM and set up static IPs after the first boot, which uses a DHCP from my limited range of DHCP IPs. Additionally, I'll set the MAC inside the VM to end with the same last 1 digits that the static, assigned, IP for the VM gets. Then I go and update my 2 internal DNS servers with that IP so every system on that subnet can find the VM.

    No IP tables anything involved ... er ... unless you want to add them inside the VM or for the hostOS, but those have nothing to do with each other. Those rules are just for the OS they are set inside.

    Don't use wifi for the host. Most wifi chips don't support bridging. And definitely don't use DHCP for the host either. That's just asking for trouble.
    Last edited by TheFu; February 25th, 2024 at 04:47 PM.

  10. #10
    Join Date
    Jun 2016
    Beans
    2,831
    Distro
    Xubuntu

    Re: virt-manager networking without iptables binary?

    Quote Originally Posted by TheFu View Post
    Don't use wifi for the host. Most wifi chips don't support bridging.
    Ugh, that explains it, thanks. Unfortunately neither the test host nor the future production host are physically located where a wired Internet connection is available, and changing this isn't feasible.

    In trying to dig into what firewall rules virt-manager sets, in case manually creating them using nft might work, I noticed a critical sentence in libvirt documentation about firewalld that I had completely missed -
    libvirt's own rules outlined above will *always* be iptables rules regardless of which backend is in use by firewalld.
    So what is written here is unavoidable: the "iptables OR firewalld" dependency specification is incorrect, libvirt/virt-manager only works with iptables, it just happens to have some firewalld integration that has nothing to do with why it uses iptables. (Although since not every networking type requires iptables, maybe iptables should just be a Recommends, seems most virt-manager functionality works without it.)
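    Since libvirt's own NAT rules are always iptables rules, the remaining route to NAT-style guest networking on a host without an iptables binary is the one floated in post #8: use an "Open" network (libvirt still creates the bridge and runs dnsmasq for it, but adds no firewall rules) and write the forwarding and masquerade rules natively with nft. The script below is an added example of such a ruleset; it is not from the thread, libvirt or virt-manager, and the bridge name virbr1, guest subnet 192.168.100.0/24 and Wi-Fi uplink wlp2s0 are assumed because the OP's actual values are not on the page. Without arguments it prints the ruleset for review; with --apply it loads it (root required).

```shell
#!/bin/bash
# Added example, not from the thread or from libvirt: NAT-style forwarding for an
# "Open" libvirt network written as native nftables, so no iptables binary is needed.
# Assumed names (change for your host): bridge virbr1, guest subnet 192.168.100.0/24,
# uplink wlp2s0. IPv4 only.

gen_vm_nat_ruleset() {
    local br="$1" net="$2" uplink="$3"
    cat <<EOF
table inet vm_open_nat {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # guests on $br may reach the outside via $uplink ...
        iifname "$br" oifname "$uplink" ip saddr $net accept
        # ... and each other; nothing from outside may initiate a connection into the guest subnet
        iifname "$br" oifname "$br" accept
    }
    chain input {
        type filter hook input priority filter; policy accept;
        # DHCP and DNS from guests to the host-side dnsmasq that libvirt starts for the network
        iifname "$br" udp dport { 53, 67 } accept
        iifname "$br" tcp dport 53 accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # guest traffic leaves with the host's own address, which is what makes this work over Wi-Fi
        ip saddr $net oifname "$uplink" masquerade
    }
}
EOF
}

apply_vm_nat_ruleset() {
    # Loads the table with the nft tool and turns on forwarding; needs root
    gen_vm_nat_ruleset "$@" | nft -f -
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    --apply) shift; apply_vm_nat_ruleset "${1:-virbr1}" "${2:-192.168.100.0/24}" "${3:-wlp2s0}" ;;
    *)              gen_vm_nat_ruleset "${1:-virbr1}" "${2:-192.168.100.0/24}" "${3:-wlp2s0}" ;;
esac
```

    Two points to keep in mind when fitting this next to an existing nftables firewall. nftables evaluates every base chain registered on a hook, and a drop in any of them is final, so an accept in this table does not override a drop in the main firewall's forward chain; that chain must also permit the guest subnet, or these rules should be merged into it. And because the traffic is routed and masqueraded rather than bridged, the Wi-Fi limitation TheFu describes does not apply here: the uplink only ever sees the host's own MAC and address.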
