
On 03/02/2011 04:12 PM, Shi Jin wrote:
> Thank you very much. It worked like a charm although I couldn't find that message in the libvirtd.log.
> Should I enable all three in /etc/sysctl.conf?
>
>   net.bridge.bridge-nf-call-ip6tables = 1
>   net.bridge.bridge-nf-call-iptables = 1
>   net.bridge.bridge-nf-call-arptables = 1

The first two, yes, the last one is probably not necessary.

   Stefan

> Thanks.
> Shi
> --
> Shi Jin, PhD
>
> --- On Wed, 3/2/11, Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
>> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
>> Subject: Re: [libvirt] Network Filter not working on RHEL-6
>> To: "Shi Jin" <jinzishuai@yahoo.com>
>> Cc: "libvirt Redhat" <libvir-list@redhat.com>, jinzishuai@gmail.com
>> Date: Wednesday, March 2, 2011, 11:36 AM
>>
>> On 03/01/2011 06:03 PM, Shi Jin wrote:
>>> Hi there,
>>> I have been testing the Network Filter [1] feature of libvirt with KVM on RHEL-5.6 and RHEL-6. On RHEL-5.6, it works well except that the $IP variable is not supported, thus I cannot use the clean-filter.
>>> The major problem I found on RHEL-6 is that the iptables rules introduced by nwfilter do not prevent any traffic. The problem is that all traffic going to the VM virtual NIC interface goes through the INPUT chain of iptables instead of the supposed-to-be FORWARD chain (this is what the nwfilter rules are working on), so that none of the rules have any effect.
>>> I am not sure whether this is a libvirt problem or an iptables problem. But it seems to me that changing from RHEL-5.6 to RHEL-6, the network traffic works differently. Has anyone had a similar experience? Any suggestions or comments are welcome.
>>
>> The libvirt log file probably would tell you something like this here:
>>
>>   To enable iptables filtering for the VM do 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables'.
>>
>> Try that command and it should work. It became necessary due to changed default Linux kernel behaviour.
>>
>>    Stefan
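As an added check that is not part of the thread above: a small POSIX shell script that verifies the two sysctls Stefan recommends (net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables) are both persisted in a sysctl.conf-style file and currently active under /proc/sys. If they are not, bridged guest traffic bypasses the FORWARD chain and every nwfilter rule is silently ineffective, which is exactly the failure mode Shi Jin described. The function names and the file argument are my own; the point that on kernels 3.18 and later these keys only appear once the br_netfilter module is loaded is a fact about later kernels, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not from the libvirt mailing-list thread.
# Checks that the bridge netfilter sysctls which make bridged VM traffic
# traverse the iptables FORWARD chain are (a) persisted in a sysctl.conf-style
# file and (b) live in /proc/sys. Without them, nwfilter rules have no effect.

# Keys named in the thread; bridge-nf-call-arptables is optional per Stefan.
REQUIRED_KEYS="net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables"

# sysctl_conf_value FILE KEY
# Prints the last value assigned to KEY in FILE (sysctl.conf syntax:
# "key = value", '#' or ';' comments, optional whitespace, '/' allowed as a
# separator in place of '.'). Prints an empty line when KEY is not set.
sysctl_conf_value() {
    file=$1; key=$2
    sed -e 's/[#;].*$//' "$file" | awk -F= -v k="$key" '
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub("/", ".", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
        }
        $1 == k { v = $2 }       # later assignments override earlier ones
        END { print v }'
}

# persisted_ok FILE
# Returns 0 only if every required key is persisted with the value 1.
persisted_ok() {
    file=$1; rc=0
    for k in $REQUIRED_KEYS; do
        v=$(sysctl_conf_value "$file" "$k")
        if [ "$v" != "1" ]; then
            echo "not persisted: $k (found '${v:-unset}')" >&2
            rc=1
        fi
    done
    return $rc
}

# runtime_state KEY
# Prints the live value from /proc/sys, or "missing" if the sysctl does not
# exist. On kernels 3.18 and later, "missing" means br_netfilter is not loaded,
# so the persisted setting cannot take effect until it is.
runtime_state() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# report [FILE]
# Prints persisted vs. live state for each key; exit status follows persisted_ok.
# Usage: . ./bridge_nf_check.sh; report /etc/sysctl.conf
report() {
    file=${1:-/etc/sysctl.conf}
    for k in $REQUIRED_KEYS; do
        printf '%-40s persisted=%s live=%s\n' "$k" \
            "$(sysctl_conf_value "$file" "$k")" "$(runtime_state "$k")"
    done
    persisted_ok "$file"
}
```

Run `report` against the file the host actually loads at boot; a persisted value of 1 with a live value of "missing" or 0 is the case to look for, because the configuration looks correct while the guests are in practice unfiltered.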