DEV Community

David Foley

libvirt network forwarding inconsistencies

In an INCUS container on a KVM guest, ping commands succeed when executed from the container, but not when they are executed from the host at the other end.

TL;DR

  • Change the libvirt virtual bridge forwarding mode to "open"

The Problem

Consider a scenario where a group of physical servers is connected to a core router. On one of the servers a KVM guest is running, which in turn hosts some INCUS containers. Various virtual bridges, firewalls and subnets are involved in providing connectivity to the INCUS containers. Everything from the virtualisation layer to the routing is verified to be configured correctly.

A given INCUS guest can initiate successful ICMP pings to:

  • KVM guests on the same physical host
  • Physical hosts external to its own.
  • The core router

However, ICMP pings initiated on any device external to the container's own physical server do not succeed. In other words: ping commands succeed when executed on the container, but not when they are executed from the host at the other end.

This is an inconsistent result and completely unintuitive.

The root cause is the libvirt virtual network forwarding mode and a misunderstanding about which mode was appropriate for my environment. I was using libvirt's forward mode "route", where "guest network traffic [is] forwarded to the physical network via the host's IP routing stack, but without having NAT applied". The documentation does not mention that libvirt firewall rules are added which interfere with the traffic described above.

The Solution

The solution is to use libvirt's "open" forwarding mode: "As with mode='route', guest network traffic will be forwarded to the physical network via the host's IP routing stack, but there will be no firewall rules added to either enable or prevent any of this traffic."

Step 1: Open the XML definition for your virtual network bridge in an editor

On your KVM host, run the following command to begin editing the XML definition for your virtual network bridge.

sudo virsh net-edit kvm_virbr0

Explanation:

  • virsh is the command to manipulate libvirt
  • net-edit is the sub-command to edit networks managed by libvirt
  • kvm_virbr0 is the name of the virtual network bridge to which my KVM guests connect. Adjust as appropriate if your network name differs.

Step 2: Change the forwarding mode

Edit the XML definition so that the forward mode is "open", as in this example:


<network>
<name>kvm_virbr0</name>
<uuid>345a0dcc-4f89-4f7f-xcv3-160d1145837c</uuid>
<forward mode='open'/>
<!-- the remaining elements of the definition are left unchanged -->
</network>

Save the file and close the editor.
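As an added example (not part of the original post), the following Python script audits a libvirt network definition of the shape shown above and rewrites its forward mode. The XML is obtained with `virsh net-dumpxml <network>`; the sample definition embedded here is constructed, with a placeholder UUID. It also covers two edge cases of the format: a missing `<forward>` element (an isolated network) and a `<forward>` element without a mode attribute, which libvirt treats as mode='nat'.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a libvirt network definition, modelled on the
# kvm_virbr0 network from the post with the problematic mode='route'.
# The UUID is a placeholder, not a real value.
SAMPLE_ROUTE_XML = """<network>
  <name>kvm_virbr0</name>
  <uuid>00000000-0000-0000-0000-000000000000</uuid>
  <forward mode='route'/>
</network>
"""


def forward_mode(xml_text: str) -> str:
    """Return the effective forward mode of a libvirt <network> definition.

    A missing <forward> element means an isolated network; a <forward>
    element without a mode attribute defaults to 'nat' in libvirt.
    Only 'open' leaves the host without libvirt-managed firewall rules,
    so the host firewall alone decides what reaches the guests.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        raise ValueError(f"expected a <network> document, got <{root.tag}>")
    fwd = root.find("forward")
    if fwd is None:
        return "isolated"
    return fwd.get("mode", "nat")


def set_forward_mode(xml_text: str, mode: str = "open") -> str:
    """Return a copy of the definition with <forward mode='...'/> set to mode.

    Creates the <forward> element if the network was isolated; all other
    elements (name, uuid, bridge, ip, ...) are preserved as-is.
    """
    root = ET.fromstring(xml_text)
    fwd = root.find("forward")
    if fwd is None:
        fwd = ET.SubElement(root, "forward")
    fwd.set("mode", mode)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", forward_mode(SAMPLE_ROUTE_XML))
    fixed = set_forward_mode(SAMPLE_ROUTE_XML, "open")
    print("after: ", forward_mode(fixed))
    print(fixed)
```

To check a live network, save `sudo virsh net-dumpxml kvm_virbr0` to a file and pass its contents to `forward_mode()`; the rewritten XML from `set_forward_mode()` is what the edit in Step 2 produces by hand.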

Step 3: Restart the virtual network bridge

There is much advice on how to do this across the internet; the only reliable method I have found is to restart the computer.

Credits

This article was first posted at https://www.dfoley.ie/blog/libvirt-network-forwarding-inconsistencies #indieweb #posse