Re: [libvirt] [PATCH] iptablesSetupPrivateChains: Be forgiving if a table does not exist
On Mon, 2019-03-11 at 12:55 +0100, Michal Privoznik wrote:
On 3/11/19 11:43 AM, Daniel P. Berrangé wrote:
> What I mean is that this transaction is checking the filter, nat and
> mangle tables of both ipv4 and ipv6. You have a missing mangle table
> for ipv6, but this "ignore errors" policy means we'll even ignore
> the missing "filter" table for ipv4 for example which is something we
> have previously considered mandatory.
>
> We will still get a failure later when the network is started though
> I guess.
I know, and to me that's acceptable. It will not be any worse with this
patch. Only better. Because right now we fail even for IPv6 even though
you might not use it.
As mentioned yesterday on IRC, I hit the issue this patch tries to
address on my machine.
Because of $reasons, I have disabled IPv6 by adding "ipv6.disable=1"
to the kernel command line (as suggested in [1]), and when running
v5.1.0 or current libvirt master the default network can't be
started:
$ virsh net-start default
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter
--insert LIBVIRT_INP --in-interface virbr0 --protocol tcp
--destination-port 67 --jump ACCEPT' failed: iptables: No
chain/target/match by that name.
After applying this patch, the default network comes up and works
just fine.
[1] https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6
--
Andrea Bolognani / Red Hat / Virtualization