virt-manager networking without iptables binary?

[halogen2]

Need to migrate from VirtualBox to virt-manager/KVM. Was able to install virt-manager, convert and boot some VDIs, but have been unable to make networking work in the VM.

Many of the network types available in virt-manager seem to require iptables (despite documentation saying it can also work with firewalld and firewalld being installed and active). However, this system intentionally does not have any iptables binary installed, because my nftables-based firewall contains some rules that are incompatible with iptables. (If I understand correctly, firewalld sets up nftables rules that work alongside and after my main nftables firewall.)

Host system is Xubuntu 22.04. Several guest types are involved, but at the moment I'm trying to make networking work on a Xubuntu 22.04 guest.

With Bridge or Macvtap, the VM at least boots, but in neither case can I get networking working - NetworkManager in the guest just continuously tries and fails to connect.

For Bridge I'm using nm-connection-editor to set up the bridge interface, and tried several different configurations. In case it's relevant, the host gets networking via Wi-Fi.

Would like to achieve the effects of 3 networking types from VirtualBox:

• NAT: for Internet access with traffic to/from the VM filtered by the host's firewall,
• Bridged: for when the VM should act as another physical machine on the same network as the host, without the host's firewall applying to the VM's traffic,
• Host-only networking: for cases where networking is needed to connect to something on the host or another VM, but where allowing Internet access would be unsafe.

How to get these types of networking in virt-manager without having any iptables binary present on the system?

Thanks for any help.

[The Cog]

I don't know how virt-manager configures firewall rules it needs, but I am sure that a recent virt-manager would be able to cope with a system using nftables. I suspect you are reading outdated descriptions of using virt-manager.
This doc might prove informative: https://www.redhat.com/en/blog/using...linux-firewall

[halogen2]

Sorry, should have specified that errors when using iptables-nft and iptables-translate are how I determined there is incompatibility and why need to keep this system pure-nftables-only.

* For example:

Code:

$ sudo iptables -L -v
iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.

[The Cog]

So there is already an nft rule configured that cannot be back-translated to iptables. I guess the answer to that is to use nftables rather than iptables - don't try to back-translate. If you are trying to follow guides that want you to user iptables commands, you will need to work out the equivalent nftables command to use.

[halogen2]

The apparent iptables requirement is that virt-manager throws this error dialog when creating a virtual network, regardless of whether firewalld is installed and active -

Code:

Error creating virtual network: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: libvirt:  error : cannot execute binary /usr/sbin/iptables: No such file or directory


Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/createnet.py", line 428, in _async_net_create
    netobj.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 3470, in create
    raise libvirtError('virNetworkCreate() failed')
libvirt.libvirtError: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: libvirt:  error : cannot execute binary /usr/sbin/iptables: No such file or directory

Could have sworn this was happening on all virtual network types, but checking again now, the "Open" mode virtual network is now working without an iptables binary. And using the Open network allows me to ping the guest from the host.

This has me wondering if the problem maybe that my nftables firewall rules are dropping too much for any type of virt-manager networking to function, i.e. there is no virt-manager network type where the VM networking is like just another application on the host, and I'm not yet familiar enough with virt-manager/libvirt to know what needs to be allowed? Think I need to do some experimenting with the host firewall to see to what extent it's interfering here.

[halogen2]

Ok, with host firewall completely disabled, the Open network appears to be working as host-only networking, solving one of the 3 issues. How can I prove this network is really isolated to host-only, and not just not configured for available Internet or LAN access?

[The Cog]

I grabbed a look at a machine at work, running Ubuntu 22.04. It had multiple VMs configured, each with a NIC in Isolated mode (and one with multiple NICs all in isolated mode). But I know these VMs are all able to communicate with each other and with the host. It seems that each isolated NIC is connected to one of several Virtual Bridges, so Isolated doesn't necessarily mean totally isolated.

The host is running Ubuntu 22.04 and has iptables installed. iptables-save and iptables -nvL both work, so there are no nft-only rules in there. Interestingly, both iptables-save and nft list ruleset show rules, and I think they both show all the rules. It seems that iptables is installed, not any of the iptables-nftables hybrid packages. So is ufw. I think UFW is creating the nft rules.

It may be that installing iptables would do it for you, even if you can only list the rules with nft. But I would suggest using the iptables-nft converter version. Your last post shows that virt-manager is using /usr/sbin/iptables to manipulate the rules, so I guess it won't mind using the iptables-nft version.

[halogen2]

It may be that installing iptables would do it for you, even if you can only list the rules with nft. But I would suggest using the iptables-nft converter version. Your last post shows that virt-manager is using /usr/sbin/iptables to manipulate the rules, so I guess it won't mind using the iptables-nft version.

Unfortunately this doesn't work, virt-manager throws this error dialog -

Code:

Error creating virtual network: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.



Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/createnet.py", line 428, in _async_net_create
    netobj.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 3470, in create
    raise libvirtError('virNetworkCreate() failed')
libvirt.libvirtError: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --list-rules: iptables v1.8.7 (nf_tables): table `filter' is incompatible, use 'nft' tool.

I was able to work around the error with sudo iptables -L -v by renaming my firewall table to something other than filter , which causes iptables to report an empty firewall (nft still reports all rules). However, virt-manager continues to throw this same error dialog even after the rename and sudo iptables -L -v is working.

Was hoping that if any additional firewall rules are needed, they could be manually added using nft tool. Is there no way to get working networking in virt-manager without any iptables binary?

[TheFu]

I don't remember ever touching firewall rules to get KVM/QEMU VMs working.

However, I always, ALWAYS, manually setup a bridge on the host OS and completely ignore all the other network options inside virt-manager.

For example,

Code:

network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0:
      optional: true
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      dhcp4: false
      dhcp6: false
      interfaces: [enp3s0]
      addresses:
      - 172.22.22.6/24
      gateway4: 172.22.22.1
      nameservers:
        addresses:
        - 172.22.22.81
        - 172.22.22.80

Think I made everything red that you definitely need to change for your network.

Then I specify br0 in the VM settings for each VM and setup static IPs after the first boot which uses a DHCP from my limited range of DHCP IPs. Additionally, I'll set the MAC inside the VM to end with the same last 1 digits that the static, assigned, IP for the VM gets. then I go and up date my 2 internal DNS servers with that IP so every system on that subnet can find the VM.

No IP tables anything involved ... er ... unless you want to add them inside the VM or for the hostOS, but those have nothing to due with each other. Those rules are just for the OS they are set inside.

Don't use wifi for the host. Most wifi chips don't support bridging. And definitely don't use DHCP for the host either. That's just asking for trouble.

[halogen2]

Don't use wifi for the host. Most wifi chips don't support bridging.

Ugh That explains it, thanks. Unfortunately neither the test host nor the future production host are physically located where a wired Internet connection is available, and changing this isn't feasible

In trying to dig into what firewall rules virt-manager sets, in case manually creating them using nft might work, I noticed a critical sentence in libvirt documentation about firewalld that I had completely missed -

libvirt's own rules outlined above will *always* be iptables rules regardless of which backend is in use by firewalld.

So what is written here is unavoidable: the "iptables OR firewalld" dependency specification is incorrect, libvirt/virt-manager only works with iptables, it just happens to have some firewalld integration that has nothing to do with why it uses iptables. (Although since not every networking type requires iptables, maybe iptables should just be a Recommends, seems most virt-manager functionality works without it.)