How to enable incoming traffic to VM using nftables on F41?

I had a qemu hook, that via iptables modified the rule in LIBVIRT_FWI chain adding “NEW” to “RELATED,ESTABLISHED” attributes. And that, together with port forwarding on the host, enabled me to forward host ports to VM.

Now Fedora 41 moved libvirt to use nftables. My questions are:

  • Do I still have to use hook to modify my rules?
  • Where and what rule should I create to enable external connections to my VM via a forwarded port?

OK. Found it.

I need to find the rule handle. In my case it is:

# nft -a list ruleset
...
table ip libvirt_network { # handle 4
	chain guest_input { # handle 4
		oif "virbr1" counter packets 0 bytes 0 reject # handle 23
		oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 3278 bytes 1245720 accept # handle 14
		oif "virbr0" counter packets 8682 bytes 438956 reject # handle 11
	}

The rule I was looking for is # handle 14.

Replace the rule with the command:

nft replace rule libvirt_network guest_input handle 14 oif "virbr0" ip daddr 192.168.122.0/24 ct state new,established,related counter accept

The new attribute is crucial - it enables incoming connections. My VM is 192.168.122.5 and I have the following firewalld rule on my host to forward port 2105 to 192.168.122.5:22:

firewall-cmd --zone=public --add-forward-port=port=2105:proto=tcp:toport=22:toaddr=192.168.122.5 --permanent

Works like charm: ssh my__kvm_host_ip:2105 gets me to my VM’s sshd :smiley:

Now I need to turn it into a /etc/libvirt/hooks/qemu hook :wink:
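One way to turn the manual `nft replace rule` step above into a hook, as an added example that is not from the original posts: it looks the handle up on every run instead of hard-coding 14, because libvirt renumbers handles whenever it rebuilds the chain. It assumes bridge virbr0, guest subnet 192.168.122.0/24, the libvirt_network/guest_input names from the listing above, and the qemu hook's "started" operation; the listing used for the offline check is constructed.

```shell
#!/bin/sh
# Hypothetical /etc/libvirt/hooks/qemu (added example, not from the original posts).
# libvirt invokes it as: qemu <guest> <operation> <sub-operation> <extra>
# Assumed: bridge virbr0, guest subnet 192.168.122.0/24, and the
# libvirt_network/guest_input chain as shown in the nft listing above.
BRIDGE="virbr0"
SUBNET="192.168.122.0/24"

# Read `nft -a list chain ip libvirt_network guest_input` output on stdin and
# print the handle of the established,related accept rule for BRIDGE/SUBNET.
# Handles are renumbered when libvirt rebuilds the chain, so never hard-code 14.
find_guest_input_handle() {
    awk -v br="$1" -v net="$2" '
        $0 ~ ("oif \"" br "\"") && index($0, "ip daddr " net) &&
        /ct state (new,)?established,related/ && /accept/ {
            for (i = 1; i <= NF; i++) if ($i == "handle") { print $(i + 1); exit }
        }'
}

# Rewrite that rule so NEW connections (the forwarded ports) are accepted too.
allow_new_to_guests() {
    handle=$(nft -a list chain ip libvirt_network guest_input |
             find_guest_input_handle "$BRIDGE" "$SUBNET")
    if [ -z "$handle" ]; then
        echo "qemu hook: no established,related rule for $BRIDGE found" >&2
        return 1
    fi
    nft replace rule ip libvirt_network guest_input handle "$handle" \
        oif "$BRIDGE" ip daddr "$SUBNET" ct state new,established,related counter accept
}

# Constructed sample listing (same shape as the one in the post) for an offline check.
SAMPLE_LISTING='table ip libvirt_network { # handle 4
    chain guest_input { # handle 4
        oif "virbr1" counter packets 0 bytes 0 reject # handle 23
        oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 3278 bytes 1245720 accept # handle 14
        oif "virbr0" counter packets 8682 bytes 438956 reject # handle 11
    }
}'
demo_handle() { printf '%s\n' "$SAMPLE_LISTING" | find_guest_input_handle "$1" "$2"; }

# Only act when libvirt reports a guest as started; running the file by hand does nothing.
case "${2:-}" in
    started|reconnect) allow_new_to_guests ;;
esac
```

Matching `(new,)?` makes a second run harmless: the already-widened rule is simply replaced with itself.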


The recommended way is to change the method of forwarding:

tee /tmp/default.xml << EOF > /dev/null
<network>
  <name>default</name>
  <forward mode="open"/>
  <ip address="192.168.100.1" prefix="24">
    <dhcp>
      <range start="192.168.100.2" end="192.168.100.254"/>
    </dhcp>
  </ip>
</network>
EOF
sudo virsh net-destroy default
sudo virsh net-undefine default
sudo virsh net-define /tmp/default.xml
sudo virsh net-autostart default
sudo virsh net-start default
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload

Then you don’t need to deal with nftables directly.