# qemu/virt-manager and nftables [solved]

## mani001

Hi,

I'm trying to migrate from iptables to nftables but can't get internet access in qemu (through virt-manager). I (e)selected `xtables-nft-multi` as iptables backend and when I run 

```
systemctl start libvirtd
```

and then

```
nft list ruleset
```

I can see a bunch of rules added to my (vanilla) "ruleset"

```
table ip filter {
        chain LIBVIRT_INP {
        }
...
```

but still don't have internet access from my Windows guest inside qemu. Any clues?

Cheers.

Last edited by mani001 on Wed Oct 12, 2022 11:16 am; edited 1 time in total

----------

## pa4wdh

I don't think your nftables is the problem, these rules do absolutely nothing, everything is allowed.

How are you testing the network connectivity? Be aware that if you use the "user" netdev in qemu ping doesn't work from/to guests, that's a limitation of the "user" netdev and does not indicate a problem with the host or the guest.

----------

## mani001

Thanks for the quick reply!!

Inside the Windows guest I'm just using a browser (Edge) to try and connect to some webpage and get an error (network not available or something of the sorts). If I go back to iptables, then it works like a charm.

About the rules...you are probably right. I hadn't even though about it: those are just the rules added by "libvirt". Besides those rules, I have some more along these lines (with minor modifications for the sake of privacy):

```
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state invalid counter packets 136 bytes 8244 drop comment "early drop of invalid packets"
                ct state { established, related } counter packets 1007215 bytes 197409220 accept comment "accept all connections related to connections made by us"
                iif "lo" accept comment "accept loopback"
                iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter packets 0 bytes 0 accept comment "accept all ICMP types"
                tcp dport 1234 accept comment "accept VPN TCP"
                udp dport 1234 accept comment "accept VPN UDP"
                iifname "tun0" accept comment "accept within VPN"
                counter packets 695 bytes 205764 comment "count dropped packets"
        }
}
```

but I don't think these should have any effect on qemu/libvirt.

----------

## pa4wdh

Does libvirt add any rules when you start the VM? Depending on the configuration you may want/need some rules in the forward and/or nat chains.

A bit more information about how it fails would also help. Does it resolve the hostname correctly? Or does it timeout?

You could manually try to connect to some site and see what happens. I don't have a clue how to do that in windoze but on linux I'd use netcat/telnet or openssl to do that.

Another way to diagnose is to run tcpdump on the host to see if you can see the VM's network traffic.

----------

## mani001

Sorry for the delay... You are right, it's too little information. A little bit more:

No, starting the VM doesn't modify the rules.

I don't think DNS is working: when I type

```
ping www.google.com
```

it says "couldn't find the host www.google...."

Windows diagnostic tools say "Ethernet doesn't have a valid IP setup" (and aren't able to fix it).

I tried listening with tcpdump to both virbr0

```
root@cochi ~ $tcpdump -i virbr0
dropped privs to pcap
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on virbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:42:36.458723 IP 169.254.160.213.61076 > 239.255.255.250.1900: UDP, length 174
19:42:37.460373 IP 169.254.160.213.61076 > 239.255.255.250.1900: UDP, length 174
19:42:38.461498 IP 169.254.160.213.61076 > 239.255.255.250.1900: UDP, length 174
19:42:39.475182 IP 169.254.160.213.61076 > 239.255.255.250.1900: UDP, length 174
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
```

and vnet0 interfaces

```
root@cochi ~ $tcpdump -i vnet0
dropped privs to pcap
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:43:01.325252 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:03.309251 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:05.293286 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:07.341251 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:09.325252 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:11.309284 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:13.293282 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:43:15.341253 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
```
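The captures above already carry the diagnosis. The guest's only IPv4 traffic comes from 169.254.160.213, which lies in the IPv4 link-local range (RFC 3927) that Windows assigns itself (APIPA) when no DHCP lease arrives; that is exactly what "Ethernet doesn't have a valid IP setup" reports. On libvirt's default NAT network the host's dnsmasq answers DHCP and DNS on virbr0, so the guest's DHCP requests terminate on the host and traverse the host's input hook, where an input chain with `policy drop` and no accept rule for virbr0 (like the one posted earlier) discards them. The script below is an added example, not code from the thread: it reads tcpdump output in the format shown above and flags link-local sources and any DHCP request/reply imbalance. The sample capture is constructed from the lines posted plus an invented DHCP request/reply pair so the healthy case is exercised too.

```python
import ipaddress
import re
import sys

# Constructed sample capture: two of the guest's SSDP packets from a 169.254.x.x source
# and one STP frame as posted above, plus an invented DHCP request/reply pair showing
# what a working lease exchange looks like on the bridge.
SAMPLE_CAPTURE = """\
19:42:36.458723 IP 169.254.160.213.61076 > 239.255.255.250.1900: UDP, length 174
19:42:37.460373 IP 169.254.160.213.61076 > 239.255.255.250.1900: UDP, length 174
19:43:01.325252 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:34:ed:a2.8001, length 35
19:50:00.000000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:12:34:56, length 300
19:50:00.100000 IP 192.168.122.1.67 > 192.168.122.45.68: BOOTP/DHCP, Reply, length 300
"""

# tcpdump prints IPv4 endpoints as addr.port; the greedy group plus backtracking
# splits the last dotted component off as the port number.
IP_LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 / Windows APIPA range


def parse_ip_lines(capture):
    """Return (src, sport, dst, dport, info) tuples for the IPv4 lines of a capture."""
    rows = []
    for line in capture.splitlines():
        m = IP_LINE.match(line)
        if m:  # non-IP lines (STP, ARP, ...) are skipped
            src, sport, dst, dport, info = m.groups()
            rows.append((src, int(sport), dst, int(dport), info))
    return rows


def diagnose(capture, guest_subnet="192.168.122.0/24"):
    """Summarise what a bridge capture says about the guest's addressing.

    Returns the link-local sources seen, the sources inside the libvirt subnet,
    counts of DHCP requests (68 -> 67) and replies (67 -> 68), and a verdict line."""
    subnet = ipaddress.ip_network(guest_subnet)
    link_local, in_subnet = set(), set()
    requests = replies = 0
    for src, sport, dst, dport, _info in parse_ip_lines(capture):
        addr = ipaddress.ip_address(src)
        if addr in LINK_LOCAL:
            link_local.add(src)
        elif addr in subnet:
            in_subnet.add(src)
        if sport == 68 and dport == 67:
            requests += 1
        elif sport == 67 and dport == 68:
            replies += 1
    if link_local and requests == 0:
        verdict = "guest fell back to a link-local address and no DHCP request was seen"
    elif requests and not replies:
        verdict = "DHCP requests seen but no reply: check the host input chain on the bridge"
    elif link_local:
        verdict = "link-local traffic seen alongside a DHCP exchange: lease may be recovering"
    elif in_subnet:
        verdict = "guest traffic carries an address in the libvirt subnet"
    else:
        verdict = "no guest IPv4 traffic in capture"
    return {
        "link_local_sources": sorted(link_local),
        "in_subnet_sources": sorted(in_subnet),
        "dhcp_requests": requests,
        "dhcp_replies": replies,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Usage: python3 bridge_diag.py capture.txt   (file produced by `tcpdump -i virbr0 -n`)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for key, value in diagnose(data).items():
        print(f"{key}: {value}")
```

Run it against a capture taken with `tcpdump -i virbr0 -n` (the `-n` keeps addresses numeric, which the regex expects). On the capture posted above the only finding is the link-local source with no DHCP request at all, which points at the guest never getting a lease rather than at forwarding or NAT.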

----------

## mani001

Long time, but in case anyone else is struggling with this... following some hints from this thread (https://forums.gentoo.org/viewtopic-t-1148450-highlight-nftables+qemu.html?sid=b7116aa6a5c66d12890a1bd2418ced34), the rules below (plus whatever else you need) did it for me:

```
define qemu_bridge_if = "virbr0"

table ip nat {
   chain postrouting {
      type nat hook postrouting priority 100; policy accept;

      # "masquerade" means the servers to which one connects from the VM can't tell packets are coming from the latter
      ip saddr 192.168.122.0/24 masquerade
   }
}

table inet filter {
   # "input" is the name of the chain
   chain input {
      # base-chain line as in the input chain posted earlier; without it this chain is never hooked
      type filter hook input priority filter; policy drop;

      # -------------------------------- qemu
      iifname $qemu_bridge_if accept comment "accept from virtual VM"

      # packets that reach here are bound to be dropped
      counter comment "count dropped packets"
   }

   chain forward {
      type filter hook forward priority 0; policy drop;

      # -------------------------------- qemu
      iifname $qemu_bridge_if accept comment "accept VM interface as input"
      oifname $qemu_bridge_if accept comment "accept VM interface as output"

      counter comment "count dropped packets"
   }
}
```

192.168.122.0/24 being the subnet set up by qemu.
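As an added example (not code from the thread), the checker below reads an nft ruleset in the layout shown above, expands `define` symbols, and reports whether the three pieces this fix relies on are present: a masquerade rule for the guest subnet in the postrouting nat base chain, and accept rules for the bridge in any input or forward base chain whose policy is drop (a missing base chain means nothing filters there, so it is not reported). The two embedded rulesets are constructed: BEFORE is a trimmed version of the input chain posted earlier in the thread, AFTER is the fix from this post; the parser only understands the simple nested `table { chain { ... } }` layout used here.

```python
import re

# Constructed: trimmed form of the ruleset posted earlier in the thread (no nat table,
# no forward chain, input chain drops everything not listed).
BEFORE = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state { established, related } accept
        iif "lo" accept
        tcp dport 1234 accept
        counter comment "count dropped packets"
    }
}
"""

# Constructed: the rules from the final post above, compacted.
AFTER = """\
define qemu_bridge_if = "virbr0"
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr 192.168.122.0/24 masquerade
    }
}
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname $qemu_bridge_if accept comment "accept from virtual VM"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname $qemu_bridge_if accept comment "accept VM interface as input"
        oifname $qemu_bridge_if accept comment "accept VM interface as output"
        counter comment "count dropped packets"
    }
}
"""

BASE_CHAIN = re.compile(r"type\s+\w+\s+hook\s+(\w+)\s+priority\s+[^;]+;\s*policy\s+(\w+);")


def expand_defines(text):
    """Substitute `define name = value` symbols so `$name` becomes the literal value."""
    for name, value in re.findall(r"^\s*define\s+(\w+)\s*=\s*(\S+)\s*$", text, re.M):
        text = text.replace("$" + name, value)
    return text


def chains(text):
    """Map (family, table, chain) -> list of rule lines for a nested nft listing."""
    result, table, chain = {}, None, None
    for raw in expand_defines(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("define"):
            continue
        m = re.match(r"table\s+(\w+)\s+(\w+)\s*{", line)
        if m:
            table = (m.group(1), m.group(2))
            continue
        m = re.match(r"chain\s+(\w+)\s*{", line)
        if m:
            chain = m.group(1)
            result[table + (chain,)] = []
            continue
        if line == "}":  # closes the innermost open block
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        if chain is not None:
            result[table + (chain,)].append(line)
    return result


def base_chain(found, hook):
    """Return (rules, policy) of the base chain attached to `hook`, or (None, None)."""
    for rules in found.values():
        for rule in rules:
            m = BASE_CHAIN.match(rule)
            if m and m.group(1) == hook:
                return rules, m.group(2)
    return None, None


def libvirt_nat_findings(text, bridge="virbr0", subnet="192.168.122.0/24"):
    """List what is missing for guest traffic on a libvirt NAT bridge; empty means OK."""
    found = chains(text)
    quoted = f'"{bridge}"'
    findings = []
    rules, _policy = base_chain(found, "postrouting")
    if not rules or not any(f"ip saddr {subnet}" in r and "masquerade" in r for r in rules):
        findings.append(f"no masquerade for {subnet} in a postrouting nat chain")
    checks = (
        ("forward", f"iifname {quoted}", f"forward chain does not accept packets entering from {bridge}"),
        ("forward", f"oifname {quoted}", f"forward chain does not accept packets leaving via {bridge}"),
        ("input", f"iifname {quoted}", f"input chain does not accept packets from {bridge} (DHCP/DNS to dnsmasq)"),
    )
    for hook, needle, message in checks:
        rules, policy = base_chain(found, hook)
        if rules is None or policy != "drop":
            continue  # no base chain on this hook, or default accept: nothing blocks the guest here
        if not any(needle in r and "accept" in r for r in rules):
            findings.append(message)
    return findings


if __name__ == "__main__":
    # Usage: nft list ruleset | python3 check_libvirt_rules.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else BEFORE
    print("\n".join(libvirt_nat_findings(text)) or "all libvirt NAT pieces present")
```

Feeding it the earlier ruleset reports the missing masquerade rule and the input chain's lack of an accept for virbr0; the fix above reports nothing. The check is deliberately textual and conservative: it only ever reports an absence, and a base chain with `policy accept` is treated as harmless even though other rules in it could still drop bridge traffic.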

----------

