Hi list,
I'm studying nftables. I'm using CentOS 8.1 (Gnome) and I disabled firewalld. I noticed that a default policy is created with tables and chains probably for firewalld.
So I created a .nft script where I stored my rules, with a flush of the previous ruleset, then saved it to /etc/sysconfig/nftables.conf and enabled the nftables service.
Running the script with nft -f script.nft everything works as expected, but after rebooting, running nft list ruleset I find my rules plus the default policy (chains and tables) that I would not have in my configuration.
My nftables.conf contains only my ruleset.
For example, running nft list tables I found several default tables like:
table ip filter
table ip6 filter
table bridge filter
table ip nat
table ip mangle
So probably there is something applying its own policy, but I do not know what it is.
Can someone point me in the right direction?
Thank you in advance.
On 17/04/20 11:01, Alessandro Baggi wrote:
Hi list,
I'm studying nftables. I'm using CentOS 8.1 (Gnome) and I disabled firewalld. I noticed that a default policy is created with tables and chains probably for firewalld.
So I created a .nft script where I stored my rules, with a flush of the previous ruleset, then saved it to /etc/sysconfig/nftables.conf and enabled the nftables service.
Running the script with nft -f script.nft everything works as expected, but after rebooting, running nft list ruleset I find my rules plus the default policy (chains and tables) that I would not have in my configuration.
My nftables.conf contains only my ruleset.
For example, running nft list tables I found several default tables like:
table ip filter
table ip6 filter
table bridge filter
table ip nat
table ip mangle
So probably there is something applying its own policy, but I do not know what it is.
Can someone point me in the right direction?
Thank you in advance.
Hi, I have not received any replies, but I tried to investigate. After checking the configuration files on my system I supposed that this could be caused by a daemon, so I found that libvirtd pushes some rules.
Running virsh nwfilter-list I get:
UUID                                 Nome
------------------------------------------------------------------
34fe8cba-af99-4438-8efc-b135143425e2 allow-arp
dc110112-3824-4cf3-946f-ba6e15cd29c3 allow-dhcp
fecc383a-bab5-465d-a5be-98834fb626ce allow-dhcp-server
761e7132-8738-47c2-8101-275d6fd6a347 allow-incoming-ipv4
d37b017f-8f21-4ad0-9fa6-052a5cb1ed2e allow-ipv4
a8c740d5-328c-452e-bae7-9828c54f95b7 clean-traffic
296bdfad-11d9-4aa0-9817-4656ef2be6e5 clean-traffic-gateway
69215a61-bff5-482a-b913-589bb1ce18f2 no-arp-ip-spoofing
70c61f0a-c005-407f-843d-d13c2495f05d no-arp-mac-spoofing
386cd2f4-7272-43e2-ba1f-80cb3518649c no-arp-spoofing
9117fa21-e3d6-4c32-9cdf-af97ebd6599e no-ip-multicast
7a964470-4f74-4eef-9fec-a0e9a79e168d no-ip-spoofing
8c9e45a3-5d44-4641-b23d-eded5c1f1632 no-mac-broadcast
82dcd4f0-f55a-43ad-b520-d4c8d4bf37cd no-mac-spoofing
bdd0ba54-7ce0-4a2c-9c25-c24072d364ba no-other-l2-traffic
fc50783e-d32b-42ba-8380-7576c4388244 no-other-rarp-traffic
edfc1bb3-b325-4f8d-8c5b-423e55da66eb qemu-announce-self
8556bd82-dc97-47b0-b573-5986ebbad3b2 qemu-announce-self-rarp
If I remove these libvirt filters, will I get errors?
Thank you in advance.
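An added example, not code from the thread or from the nftables or libvirt projects: a small POSIX shell script with two checks for the situation above. foreign_tables compares the tables declared in the nftables.conf that is supposed to own the firewall with what nft list tables reports, so anything it prints was created by some other program. The five names in the thread (ip filter, ip6 filter, bridge filter, ip nat, ip mangle) are the tables the iptables-nft and ebtables-nft compatibility layer creates, which is how libvirt's nwfilter applies its rules on CentOS 8; the flush ruleset at the top of nftables.conf only clears what exists at the moment the nftables service runs, so tables added by a daemon that starts afterwards are back after every boot. filterrefs lists the nwfilter names a libvirt domain definition references, which is exactly what deleting the filterref elements from the .xml would drop. All input is constructed sample data and the function names are my own; for real use feed it the output of cat /etc/sysconfig/nftables.conf, nft list tables and virsh dumpxml NAME instead.

```shell
#!/bin/sh
# Added example (not from the thread).  Two checks:
#   foreign_tables CONF LIVE  - tables in the live ruleset that CONF does not
#                               declare (added by another program, e.g. libvirt
#                               through iptables-nft);
#   filterrefs DOMAIN_XML     - nwfilter names a libvirt domain references.
# Everything below is constructed sample input.

# Constructed `nft list tables` output: the five names from the thread plus
# one table that is really ours.
SAMPLE_LIVE_TABLES='table ip filter
table ip6 filter
table bridge filter
table ip nat
table ip mangle
table inet myfw'

# Constructed nftables.conf: declares only the "inet myfw" table.
SAMPLE_CONF='flush ruleset
table inet myfw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
    }
}'

# Constructed libvirt domain XML with two filtered interfaces (hypothetical VM).
SAMPLE_DOMAIN_XML='<domain type="kvm">
  <name>testvm</name>
  <devices>
    <interface type="network">
      <source network="default"/>
      <model type="virtio"/>
      <filterref filter="clean-traffic">
        <parameter name="IP" value="192.0.2.10"/>
      </filterref>
    </interface>
    <interface type="bridge">
      <source bridge="br0"/>
      <filterref filter="no-mac-spoofing"/>
    </interface>
  </devices>
</domain>'

# table_ids TEXT: print "family name" for every table declared in an nft
# script or listed by `nft list tables`, sorted and de-duplicated.  A trailing
# "{" glued to the name (table inet myfw{) is stripped.
table_ids() {
    printf '%s\n' "$1" |
        awk '$1 == "table" && NF >= 3 { name = $3; sub(/[{].*/, "", name); print $2, name }' |
        LC_ALL=C sort -u
}

# foreign_tables CONF_TEXT LIVE_TEXT: live tables that CONF_TEXT does not
# declare.  Prints nothing when the conf accounts for every live table.
foreign_tables() {
    ours=$(mktemp)
    table_ids "$1" > "$ours"
    # grep exits 1 when no line survives the filter; that is not an error here.
    table_ids "$2" | grep -vxF -f "$ours" || true
    rm -f "$ours"
}

# filterrefs DOMAIN_XML: the filter="..." value of each <filterref> element.
filterrefs() {
    printf '%s\n' "$1" | sed -n "s/.*<filterref[^>]*filter=['\"]\([^'\"]*\)['\"].*/\1/p"
}

# Stand-alone run on the constructed data.
echo "Tables present in the ruleset but not declared in nftables.conf:"
foreign_tables "$SAMPLE_CONF" "$SAMPLE_LIVE_TABLES"
echo "nwfilters referenced by the domain definition:"
filterrefs "$SAMPLE_DOMAIN_XML"
```

The nwfilters in the list above (no-mac-spoofing, no-ip-spoofing, no-arp-spoofing and so on) are protections for the guests and the network they sit on, so dropping a filterref trades that protection for a ruleset you fully control; the alternative is to keep them and accept that the iptables-nft tables will exist next to yours, since both coexist in the same kernel ruleset.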
I had the same problem.
If you are not using virtual machines then
# systemctl disable libvirtd
works and is easily reversible.
Alan
On 18/04/2020 23:03, Alessandro Baggi wrote:
Hi, I have not received any replies, but I tried to investigate. After checking the configuration files on my system I supposed that this could be caused by a daemon, so I found that libvirtd pushes some rules.
Running virsh nwfilter-list I get:
UUID                                 Nome
34fe8cba-af99-4438-8efc-b135143425e2 allow-arp
dc110112-3824-4cf3-946f-ba6e15cd29c3 allow-dhcp
fecc383a-bab5-465d-a5be-98834fb626ce allow-dhcp-server
761e7132-8738-47c2-8101-275d6fd6a347 allow-incoming-ipv4
d37b017f-8f21-4ad0-9fa6-052a5cb1ed2e allow-ipv4
a8c740d5-328c-452e-bae7-9828c54f95b7 clean-traffic
296bdfad-11d9-4aa0-9817-4656ef2be6e5 clean-traffic-gateway
69215a61-bff5-482a-b913-589bb1ce18f2 no-arp-ip-spoofing
70c61f0a-c005-407f-843d-d13c2495f05d no-arp-mac-spoofing
386cd2f4-7272-43e2-ba1f-80cb3518649c no-arp-spoofing
9117fa21-e3d6-4c32-9cdf-af97ebd6599e no-ip-multicast
7a964470-4f74-4eef-9fec-a0e9a79e168d no-ip-spoofing
8c9e45a3-5d44-4641-b23d-eded5c1f1632 no-mac-broadcast
82dcd4f0-f55a-43ad-b520-d4c8d4bf37cd no-mac-spoofing
bdd0ba54-7ce0-4a2c-9c25-c24072d364ba no-other-l2-traffic
fc50783e-d32b-42ba-8380-7576c4388244 no-other-rarp-traffic
edfc1bb3-b325-4f8d-8c5b-423e55da66eb qemu-announce-self
8556bd82-dc97-47b0-b573-5986ebbad3b2 qemu-announce-self-rarp
If I remove these libvirt filters, will I get errors?
Thank you in advance.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Hi,
the problem is that I'm using libvirtd for my VMs. I think currently the best solution is to remove these policies from the .xml files.
On 18/04/20 22:22, Alan McRae via CentOS wrote:
I had the same problem.
If you are not using virtual machines then
# systemctl disable libvirtd
works and is easily reversible.
Alan