libvirt nftables configuration for open networks
Libvirt creates a default network (named "default", on bridge virbr0) that is in NAT mode. Whenever a NAT or routed network is started, libvirt inserts its own firewall rules (through its iptables or nftables backend) to permit forwarding and to masquerade the guest subnet. On a host with a hand-maintained nftables ruleset this is not always desired: the generated rules sit next to your own, are easy to overlook, and reappear every time the network starts. Fortunately, rule generation can be disabled completely by using forward mode 'open': libvirt then still creates the bridge and runs dnsmasq for it, but adds no firewall rules at all, leaving filtering and NAT entirely to the administrator.
First disable the default network:
virsh net-destroy default
virsh net-autostart --network default --disable
Then, create a new network with an open configuration (in this example using 10.1.0.0/24 as the VM network, with the host at 10.1.0.1). Note that the definition below contains no <dhcp> element, so guests either get static addresses or need a <dhcp> range added inside <ip>:
<network>
  <name>vmnet1</name>
  <uuid>2a2fd9fe-eac2-41d0-8ee2-40384809d86a</uuid>
  <forward mode='open'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:67:ed:9a'/>
  <domain name='vmnet1' localOnly='yes'/>
  <dns>
    <host ip='10.1.0.1'>
      <hostname>gateway</hostname>
    </host>
  </dns>
  <ip address='10.1.0.1' netmask='255.255.255.0' localPtr='yes'>
  </ip>
</network>
Define and start it (virsh net-define vmnet1.xml, virsh net-start vmnet1, virsh net-autostart vmnet1), then update the nftables rules to forward and NAT towards the outgoing interface. Since open mode leaves filtering to the host, these rules are the only thing between the VMs and the uplink; $wan_interface stands for the host's uplink interface. Two caveats: the forward chain's policy drop applies to everything the host forwards, not only VM traffic, and if the host's input chain also drops by default, DHCP (udp 67) and DNS (udp/tcp 53) from virbr1 to the host must be allowed so libvirt's dnsmasq keeps serving the guests.
# uplink interface of the host; adjust to the real interface name
define wan_interface = "eth0"

table inet vmnet {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # replies and related flows in both directions
        ct state established,related accept
        # new connections from the VM bridge towards the uplink only
        iifname virbr1 oifname $wan_interface accept
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # hide the VM subnet behind the uplink address
        ip saddr 10.1.0.0/24 iifname virbr1 oifname $wan_interface masquerade
    }
}
Note that for this to work, IP forwarding needs to be enabled on the host: sysctl -w net.ipv4.ip_forward=1 for the running system, and the same key in a file under /etc/sysctl.d/ to make it persistent across reboots.
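The whole procedure above, collected into one script, as an added example that is not part of the original page: it renders the open-mode network definition and the matching nftables ruleset from a single set of parameters, derives the NAT source prefix from the gateway address (so the subnet in the rules cannot drift from the one in the network XML), and only touches the host when explicitly asked to. Assumed names are the network vmnet1 on bridge virbr1 with gateway 10.1.0.1/24, a DHCP range of 10.1.0.100-199, and an uplink interface passed on the command line (eth0 is just a placeholder); the ruleset uses the ip family and the table/flush/redefine idiom so it can be reloaded idempotently.

```shell
#!/bin/sh
# Added example (not from the original page): render and apply an open-mode
# libvirt network plus the nftables rules that forward and masquerade it.
# Assumptions: network vmnet1, bridge virbr1, gateway 10.1.0.1/24, DHCP range
# 10.1.0.100-199. The uplink interface is an argument; "eth0" is a placeholder.
set -eu

NET_NAME=vmnet1
BRIDGE=virbr1
GATEWAY=10.1.0.1
PLEN=24

# ipv4_network ADDR PLEN -> network prefix containing ADDR, e.g.
# "10.1.0.1 24" -> "10.1.0.0/24". Pure POSIX sh arithmetic, no external tools.
ipv4_network() {
    plen=$2
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# Derived once; used both for documentation and for the masquerade rule.
SUBNET=$(ipv4_network "$GATEWAY" "$PLEN")

# Network XML in forward mode 'open': libvirt creates the bridge and dnsmasq
# but installs no firewall rules. uuid and mac are omitted; libvirt generates them.
render_network_xml() {
    cat <<EOF
<network>
  <name>$NET_NAME</name>
  <forward mode='open'/>
  <bridge name='$BRIDGE' stp='on' delay='0'/>
  <domain name='$NET_NAME' localOnly='yes'/>
  <dns>
    <host ip='$GATEWAY'><hostname>gateway</hostname></host>
  </dns>
  <ip address='$GATEWAY' prefix='$PLEN' localPtr='yes'>
    <dhcp>
      <range start='10.1.0.100' end='10.1.0.199'/>
    </dhcp>
  </ip>
</network>
EOF
}

# nftables ruleset: only bridge->uplink (and replies) may be forwarded, and the
# VM prefix is masqueraded on the uplink. Declaring and flushing the table first
# makes "nft -f" safe to run repeatedly without duplicating rules.
render_nft_ruleset() {
    wan=$1
    cat <<EOF
table ip vmnet
flush table ip vmnet
table ip vmnet {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$BRIDGE" oifname "$wan" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr $SUBNET iifname "$BRIDGE" oifname "$wan" masquerade
    }
}
EOF
}

# Apply on the host (as root): retire the default NAT network, define and start
# the open one, syntax-check and load the ruleset, enable IPv4 forwarding.
apply() {
    wan=$1
    [ -d "/sys/class/net/$wan" ] || { echo "no such interface: $wan" >&2; return 1; }
    virsh net-destroy default 2>/dev/null || true
    virsh net-autostart --network default --disable 2>/dev/null || true
    tmp=$(mktemp)
    render_network_xml > "$tmp"
    virsh net-define "$tmp"
    virsh net-autostart "$NET_NAME"
    virsh net-start "$NET_NAME"
    render_nft_ruleset "$wan" > "$tmp"
    nft -c -f "$tmp"    # parse only; refuse to load a broken ruleset
    nft -f "$tmp"
    rm -f "$tmp"
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply)  apply "${2:?usage: $0 apply WAN_INTERFACE}" ;;
    render) render_network_xml; render_nft_ruleset "${2:-eth0}" ;;
esac
```

Run it as "sh vmnet.sh render eth0" to inspect what would be defined, and "sh vmnet.sh apply eth0" as root to apply it; the nft -c dry run means a typo in the ruleset aborts before the previous rules are flushed.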