Bug 50983 - univention-firewall breaks libvirt default network using NAT
Status: NEW
Product: UCS
Classification: Unclassified
Component: Firewall (univention-firewall)
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
QA Contact: UCS maintainers
URL: https://git.knut.univention.de/univen...
Depends on:
Blocks: 53673
Reported: 2020-03-21 16:40 CET by Philipp Hahn
Modified: 2022-05-04 10:38 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Philipp Hahn univentionstaff 2020-03-21 16:40:41 CET
libvirt declares the "default" network (virsh net-dumpxml default), which uses NAT and DNSMASQ by default. When the network is started (virsh net-start default) iptables rules are added to `-t nat`.

# diff -u2 ipt.before ipt.after 
--- ipt.before  2020-03-21 16:05:13.730017645 +0100
+++ ipt.after   2020-03-21 16:06:03.308907556 +0100
@@ -12,4 +12,9 @@
 Chain POSTROUTING (policy ACCEPT)
 target     prot opt source               destination         
+RETURN     all  --  192.168.122.0/24     base-address.mcast.net/24 
+RETURN     all  --  192.168.122.0/24     255.255.255.255     
+MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
+MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
+MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
 MASQUERADE  all  --  172.17.0.0/16        anywhere            

Running `/etc/init.d/univention-firewall restart` flushes all rules; after that the default network no longer does NAT and is unable to communicate with external addresses.

> /etc/security/packetfilter.d/10_univention-firewall_start.sh:41:iptables --wait -F -t nat

This happens each time `univention-firewall` is upgraded, as this stops/starts the firewall via prerm/postinst.
Comment 1 Philipp Hahn univentionstaff 2020-05-19 11:10:35 CEST
Again broken network on lagan:

# iptables -L -v --line
Chain INPUT (policy ACCEPT 222K packets, 47M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     211K   49M ACCEPT     all  --  lo     any     anywhere             anywhere            
2     681M  111G ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3    20477 1720K ACCEPT     icmp --  any    any     anywhere             anywhere            
4        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:6670
5       95  5552 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
6     111K 6675K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nrpe
7      102  6120 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:16514
8        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpts:32765:32769
9     6824  519K ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:ntp
10       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:sunrpc
11       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:32765:32769
12       1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
13       0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:sunrpc
14       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:kshell
15       1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
16      28  1120 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:49152:49215
17       0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:nfs
18     131  7840 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpts:5900:5999
19       0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nfs
20       0     0 ACCEPT     tcp  --  any    any     172.17.0.0/16        anywhere             tcp dpt:mysql
21       0     0 ACCEPT     tcp  --  any    any     172.16.0.0/16        anywhere             tcp dpt:mysql
22       0     0 ACCEPT     tcp  --  any    any     172.17.0.0/16        anywhere             tcp dpt:mysql
23       0     0 ACCEPT     tcp  --  any    any     172.16.0.0/16        anywhere             tcp dpt:mysql
24       0     0 ACCEPT     tcp  --  any    any     172.17.0.0/16        anywhere             tcp dpt:mysql
25       0     0 ACCEPT     tcp  --  any    any     172.16.0.0/16        anywhere             tcp dpt:mysql
26       0     0 ACCEPT     tcp  --  any    any     172.17.0.0/16        anywhere             tcp dpt:mysql
27       0     0 ACCEPT     tcp  --  any    any     172.16.0.0/16        anywhere             tcp dpt:mysql
28       0     0 ACCEPT     tcp  --  any    any     172.17.0.0/16        anywhere             tcp dpt:mysql
29       0     0 ACCEPT     tcp  --  any    any     172.16.0.0/16        anywhere             tcp dpt:mysql
30       0     0 ACCEPT     tcp  --  any    any     172.17.0.0/16        anywhere             tcp dpt:mysql
31       0     0 ACCEPT     tcp  --  any    any     172.16.0.0/16        anywhere             tcp dpt:mysql
32       0     0 ACCEPT     tcp  --  any    any     172.17.0.0/16        anywhere             tcp dpt:mysql
33       0     0 ACCEPT     tcp  --  any    any     172.16.0.0/16        anywhere             tcp dpt:mysql
34       0     0 ACCEPT     tcp  --  any    any     172.17.0.0/16        anywhere             tcp dpt:mysql
35       0     0 ACCEPT     tcp  --  any    any     172.16.0.0/16        anywhere             tcp dpt:mysql

Chain FORWARD (policy ACCEPT 8548K packets, 4429M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    8548K 4429M DOCKER-USER  all  --  any    any     anywhere             anywhere            
2    8548K 4429M DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
3    8548K 4429M DOCKER-USER  all  --  any    any     anywhere             anywhere            
4    8548K 4429M DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
5    8548K 4429M DOCKER-USER  all  --  any    any     anywhere             anywhere            
6    8548K 4429M DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
7     115M   40G DOCKER-USER  all  --  any    any     anywhere             anywhere            
8     115M   40G DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
9     180M   59G DOCKER-USER  all  --  any    any     anywhere             anywhere            
10    180M   59G DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
11    180M   59G DOCKER-USER  all  --  any    any     anywhere             anywhere            
12    180M   59G DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
13    278M   90G DOCKER-USER  all  --  any    any     anywhere             anywhere            
14    278M   90G DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
15    322M  108G DOCKER-USER  all  --  any    any     anywhere             anywhere            
16    322M  108G DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
17       0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
18       0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
19       0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
20       0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
21       0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
22       0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
23       0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
24       0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
25       0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
26       0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
27       0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
28       0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
29       0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
30       0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
31       0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
32       0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
33       0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
34       0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
35       0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
36       0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
37       0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
38       0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
39       0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
40       0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
41       0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
42       0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
43       0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
44       0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
45       0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
46       0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
47       0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
48       0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 69M packets, 52G bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     211K   49M ACCEPT     all  --  any    lo      anywhere             anywhere            

Chain DOCKER (8 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (8 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
2    1101M  371G RETURN     all  --  any    any     anywhere             anywhere            
3        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
4        0     0 RETURN     all  --  any    any     anywhere             anywhere            
5        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
6        0     0 RETURN     all  --  any    any     anywhere             anywhere            
7        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
8        0     0 RETURN     all  --  any    any     anywhere             anywhere            
9        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
10       0     0 RETURN     all  --  any    any     anywhere             anywhere            
11       0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
12       0     0 RETURN     all  --  any    any     anywhere             anywhere            
13       0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
14       0     0 RETURN     all  --  any    any     anywhere             anywhere            
15       0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
16       0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (8 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  any    docker0  anywhere             anywhere            
2        0     0 RETURN     all  --  any    any     anywhere             anywhere            
3        0     0 DROP       all  --  any    docker0  anywhere             anywhere            
4        0     0 RETURN     all  --  any    any     anywhere             anywhere            
5        0     0 DROP       all  --  any    docker0  anywhere             anywhere            
6        0     0 RETURN     all  --  any    any     anywhere             anywhere            
7        0     0 DROP       all  --  any    docker0  anywhere             anywhere            
8        0     0 RETURN     all  --  any    any     anywhere             anywhere            
9        0     0 DROP       all  --  any    docker0  anywhere             anywhere            
10       0     0 RETURN     all  --  any    any     anywhere             anywhere            
11       0     0 DROP       all  --  any    docker0  anywhere             anywhere            
12       0     0 RETURN     all  --  any    any     anywhere             anywhere            
13       0     0 DROP       all  --  any    docker0  anywhere             anywhere            
14       0     0 RETURN     all  --  any    any     anywhere             anywhere            
15       0     0 DROP       all  --  any    docker0  anywhere             anywhere            
16       0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-USER (8 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    1101M  371G RETURN     all  --  any    any     anywhere             anywhere            
2        0     0 RETURN     all  --  any    any     anywhere             anywhere            
3        0     0 RETURN     all  --  any    any     anywhere             anywhere            
4        0     0 RETURN     all  --  any    any     anywhere             anywhere            
5        0     0 RETURN     all  --  any    any     anywhere             anywhere            
6        0     0 RETURN     all  --  any    any     anywhere             anywhere            
7        0     0 RETURN     all  --  any    any     anywhere             anywhere            
8        0     0 RETURN     all  --  any    any     anywhere             anywhere            

# iptables -t nat -v --line-numbers -L
Chain PREROUTING (policy ACCEPT 406K packets, 68M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     139K 8963K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
2     116K 7453K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
3    77528 4996K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
4    77528 4996K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
5    56927 3665K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
6    15910 1024K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
7    15910 1024K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL
8    15910 1024K DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 46993 packets, 6961K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 31545 packets, 2130K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DOCKER     all  --  any    any     anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL
2        0     0 DOCKER     all  --  any    any     anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL
3        0     0 DOCKER     all  --  any    any     anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL
4        0     0 DOCKER     all  --  any    any     anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL
5        0     0 DOCKER     all  --  any    any     anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL
6        0     0 DOCKER     all  --  any    any     anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL
7        0     0 DOCKER     all  --  any    any     anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL
8        0     0 DOCKER     all  --  any    any     anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 272K packets, 40M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
2        0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
3        0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
4        0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
5        0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
6        0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
7        0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            
8        0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere            

Chain DOCKER (16 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 RETURN     all  --  docker0 any     anywhere             anywhere            
2        0     0 RETURN     all  --  docker0 any     anywhere             anywhere            
3        0     0 RETURN     all  --  docker0 any     anywhere             anywhere            
4        0     0 RETURN     all  --  docker0 any     anywhere             anywhere            
5        0     0 RETURN     all  --  docker0 any     anywhere             anywhere            
6        0     0 RETURN     all  --  docker0 any     anywhere             anywhere            
7        0     0 RETURN     all  --  docker0 any     anywhere             anywhere            
8        0     0 RETURN     all  --  docker0 any     anywhere             anywhere
Comment 2 Philipp Hahn univentionstaff 2022-05-04 09:33:34 CEST
From <https://libvirt.org/firewall.html>:
> Instead we document that if you run `service iptables restart`, you need to send SIGHUP to libvirt to make it recreate its rules.
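Added example, not code from the bug report or from univention-firewall: a POSIX shell check that detects the failure mode from the description (libvirt's MASQUERADE rules for the "default" network gone after the nat table is flushed) and applies the remedy quoted above (SIGHUP to libvirtd). It assumes the default network is 192.168.122.0/24 as in the report and that libvirtd runs as a process named `libvirtd`; both listings are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the bug report or of univention-firewall.
# Detects whether libvirt's NAT rules survived `iptables -F -t nat` and,
# in the live check, asks libvirtd to recreate them via SIGHUP.
# Assumptions: default network 192.168.122.0/24; daemon process "libvirtd".

LIBVIRT_NET='192.168.122.0/24'

# Constructed sample of `iptables -t nat -n -L POSTROUTING` while the
# libvirt default network is up (mirrors the report's diff, numeric form).
SAMPLE_OK='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
RETURN     all  --  192.168.122.0/24     224.0.0.0/24
RETURN     all  --  192.168.122.0/24     255.255.255.255
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0'

# Constructed sample after the firewall restart: the flush removed every
# rule and only Docker's rule came back, so the VM subnet is no longer NATed.
SAMPLE_BROKEN='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0'

# Returns 0 when the listing in $1 still carries a MASQUERADE rule whose
# source column is the libvirt subnet, 1 otherwise.
libvirt_nat_present() {
    printf '%s\n' "$1" | grep -q "^MASQUERADE[[:space:]].*[[:space:]]$LIBVIRT_NET[[:space:]]"
}

# Prints the number of rule lines in the listing (chain/header lines skipped),
# so a fully flushed table can be told apart from one that only lost libvirt's rules.
count_rules() {
    printf '%s\n' "$1" | grep -c -E '^(MASQUERADE|RETURN|SNAT)[[:space:]]'
}

# Prints "ok" or "missing" for a listing; used by the demo and the live check.
nat_state() {
    if libvirt_nat_present "$1"; then echo ok; else echo missing; fi
}

# Live check for a packetfilter.d hook or a cron job: only touches libvirtd
# when its rules are actually gone, so a healthy host is left alone.
repair_if_needed() {
    listing=$(iptables --wait -t nat -n -L POSTROUTING) || return 2
    [ "$(nat_state "$listing")" = ok ] && return 0
    echo "libvirt NAT rules missing in POSTROUTING; sending SIGHUP to libvirtd" >&2
    pkill -HUP -x libvirtd
}

# Demo on the constructed samples (needs neither root nor iptables).
demo() {
    echo "while network up  : $(nat_state "$SAMPLE_OK") ($(count_rules "$SAMPLE_OK") rules)"
    echo "after fw restart  : $(nat_state "$SAMPLE_BROKEN") ($(count_rules "$SAMPLE_BROKEN") rules)"
}

demo
```

Call `repair_if_needed` from a script in /etc/security/packetfilter.d/ that sorts after the flush, or from a cron job, to restore NAT without a manual `virsh net-start`.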