On Fri, 2025-02-07 at 16:44 +0000, Daniel P. Berrangé wrote:
> On Fri, Feb 07, 2025 at 08:28:47AM -0800, Andrea Bolognani wrote:
> > On Fri, Feb 07, 2025 at 03:48:00PM +0000, Daniel P. Berrangé wrote:
> > > On Fri, Feb 07, 2025 at 07:44:02AM -0800, Andrea Bolognani wrote:
> > > > I'm not sure what Docker does either, but I can tell you for sure
> > > > that, at least on Debian, switching libvirt to the nftables backend
> > > > when Docker is installed makes guest connectivity break completely.
> > > >
> > > > Even if that turned out to be Docker's fault for not playing nice,
> > > > the fact would remain that we can't default to a configuration that
> > > > doesn't work when paired with such popular software.
> > >
> > > Would be interesting to know what docker was doing to break it, as
> > > it might be something silly that's overlooked & easily fixed.
> >
> > I wouldn't even know where to start to figure that out, but for
> > anyone interested reproducing the problem should be as easy as
> > installing Debian testing, installing docker, and changing the
> > libvirt network backend to nftables.
>
> I normally debug by inserting "-j LOG" rules at random places until I
> find the rule that's blocking the traffic.

I find the TRACE target very useful:

    TRACE
        This target marks packets so that the kernel will log every
        rule which match the packets as those traverse the tables,
        chains, rules. It can only be used in the raw table.

kind regards
Björn
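Once a TRACE rule is in place, the useful part is reading the resulting kernel log back into a per-packet path and spotting where traversal stopped. The following is an added example, not code from the thread or from libvirt; the log lines are constructed, the "TRACE: table:chain:rule|return|policy:N ..." layout is that of the legacy iptables TRACE target, and the chain name EXAMPLE-CHAIN is hypothetical.

```python
import re
from collections import OrderedDict

# Constructed kernel log excerpt (format assumed from the legacy iptables
# TRACE target) for one ICMP echo from a guest on virbr0 that should be
# forwarded out of eth0. Real lines come from e.g. journalctl -k.
SAMPLE_LOG = """\
TRACE: raw:PREROUTING:policy:2 IN=virbr0 OUT= SRC=192.168.122.10 DST=203.0.113.1 ID=4242 PROTO=ICMP
TRACE: nat:PREROUTING:policy:1 IN=virbr0 OUT= SRC=192.168.122.10 DST=203.0.113.1 ID=4242 PROTO=ICMP
TRACE: filter:FORWARD:rule:1 IN=virbr0 OUT=eth0 SRC=192.168.122.10 DST=203.0.113.1 ID=4242 PROTO=ICMP
TRACE: filter:EXAMPLE-CHAIN:return:3 IN=virbr0 OUT=eth0 SRC=192.168.122.10 DST=203.0.113.1 ID=4242 PROTO=ICMP
TRACE: filter:FORWARD:rule:4 IN=virbr0 OUT=eth0 SRC=192.168.122.10 DST=203.0.113.1 ID=4242 PROTO=ICMP
"""

LINE_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>[\w-]+):"
                     r"(?P<kind>rule|return|policy):(?P<num>\d+) (?P<rest>.*)")

def parse_trace_line(line):
    """One TRACE line -> dict, or None for unrelated log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {"table": m["table"], "chain": m["chain"], "kind": m["kind"],
            "num": int(m["num"]), "fields": fields}

def trace_paths(log_text):
    """Group entries per packet, keyed by (SRC, DST, IP ID), in log order."""
    paths = OrderedDict()
    for line in log_text.splitlines():
        e = parse_trace_line(line)
        if e:
            f = e["fields"]
            paths.setdefault((f.get("SRC"), f.get("DST"), f.get("ID")), []).append(e)
    return paths

def verdict_hop(path):
    """Hop that ended traversal. An accepted forwarded packet is last seen in
    POSTROUTING; a trace that stops earlier ended at the rule or chain policy
    that dropped/rejected it, so that hop is the one to inspect."""
    e = path[-1]
    return f"{e['table']}:{e['chain']}:{e['kind']}:{e['num']}", e["chain"] != "POSTROUTING"

def inspect_command(path):
    """Listing command whose rule numbers match the ones TRACE reports."""
    e = path[-1]
    return f"iptables -t {e['table']} -L {e['chain']} -n -v --line-numbers"

if __name__ == "__main__":
    for key, path in trace_paths(SAMPLE_LOG).items():
        hop, dropped = verdict_hop(path)
        print(key, "ended at", hop, "(dropped here)" if dropped else "(accepted)")
        if dropped:
            print("  inspect with:", inspect_command(path))
```

With the nftables backend the equivalent is `meta nftrace set 1` on a rule plus `nft monitor trace`, whose output has a different layout and would need its own parser.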