Re: [libvirt] Network Filter not working on RHEL-6

From: Stefan Berger <stefanb(a)linux.vnet.ibm.com&gt; Subject: Re: [libvirt] Network Filter not working on RHEL-6 To: "Shi Jin" <jinzishuai(a)yahoo.com&gt; Cc: "libvirt Redhat" <libvir-list(a)redhat.com&gt;, jinzishuai(a)gmail.com Date: Wednesday, March 2, 2011, 11:36 AM On 03/01/2011 06:03 PM, Shi Jin wrote: > Hi there, > > I have been testing the Network Filter [1] feature of libvirt with KVM on RHEL-5.6 and RHEL-6. On RHEL-5.6, it works well except the $IP variable is not supported thus cannot use the clean-filter. > > The major problem I found on RHEL-6 is that the iptables rules introduced by nwfilter does not prevent any traffic. The problem is that all traffic going to the VM virtual NIC interface goes through the INPUT chain of the iptables instead of the supposed-to-be FORWARD chain (this is what the nwfilter rules are working on) so that none of the rules have any effect. > > I am not sure whether this is a libvirt problem or iptables problem. But it seems to me that changing from RHEL-5.6 to RHEL-6, the network traffic works differently. > > Has anyone had similar experience? Any suggestion or comments are welcome. The libvirt log file probably would tell you something like this here: To enable iptables filtering for the VM do 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables'. Try that command and it should work. It became necessary due to changed default Linux kernel behaviour.     Stefan