There is a bug in netcf-libs (https://bugzilla.redhat.com/show_bug.cgi?id=651032),
which automatically sets "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT"
if /proc/sys/net/bridge/bridge-nf-call-iptables == 1.
I hit the bug last week, which drove me crazy...
On Wed, Mar 2, 2011 at 1:36 PM, Stefan Berger
<stefanb(a)linux.vnet.ibm.com> wrote:
On 03/01/2011 06:03 PM, Shi Jin wrote:
>
> Hi there,
>
> I have been testing the Network Filter [1] feature of libvirt with KVM on
> RHEL-5.6 and RHEL-6. On RHEL-5.6, it works well except that the $IP variable
> is not supported, so the clean-filter cannot be used.
>
> The major problem I found on RHEL-6 is that the iptables rules introduced
> by nwfilter do not prevent any traffic. The problem is that all traffic
> going to the VM virtual NIC interface goes through the INPUT chain of
> iptables instead of the expected FORWARD chain (which is what the
> nwfilter rules work on), so none of the rules have any effect.
>
> I am not sure whether this is a libvirt problem or an iptables problem. But
> it seems to me that, going from RHEL-5.6 to RHEL-6, the network traffic
> behaves differently.
>
> Has anyone had similar experience? Any suggestion or comments are welcome.
The libvirt log file probably would tell you something like this here:
To enable iptables filtering for the VM do 'echo 1 >
/proc/sys/net/bridge/bridge-nf-call-iptables'.
Try that command and it should work. It became necessary due to changed
default Linux kernel behaviour.
Stefan
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
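The two failure modes discussed in this thread (bridged frames never entering the FORWARD chain because bridge-nf-call-iptables is 0, and a blanket physdev ACCEPT rule in FORWARD accepting bridged traffic before any nwfilter rule is evaluated) can be checked with a small script. The following is an added example, not code from the thread, libvirt or netcf. It assumes libvirt's nwfilter driver hooks FORWARD via jumps into chains named libvirt-* (libvirt-in, libvirt-out), and the iptables-save excerpts it parses are constructed here for illustration, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the thread, libvirt or netcf). Answers two questions
# about a KVM host: (1) is bridge-nf-call-iptables on, so bridged VM frames
# traverse the FORWARD chain at all? (2) does a blanket
# "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT" rule sit in FORWARD
# ahead of the jumps into libvirt's nwfilter chains (assumed to be named
# libvirt-*), which would accept bridged traffic before nwfilter sees it?

# Returns 0 when the given sysctl file holds "1", 1 otherwise.
bridge_nf_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Reads an iptables-save dump on stdin and prints two numbers: the position
# within FORWARD of the blanket physdev ACCEPT rule, and of the first jump
# into a libvirt-* chain (0 when absent).
forward_rule_positions() {
    grep '^-A FORWARD ' | awk '
        /^-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT$/ && !b { b = NR }
        / -j libvirt-/ && !l { l = NR }
        END { printf "%d %d\n", b, l }'
}

# $1: sysctl file, $2: file holding an iptables-save dump.
# Prints NO_FILTERING, BYPASSED or OK.
nwfilter_status() {
    sysctl_file=$1
    dump=$2
    if ! bridge_nf_enabled "$sysctl_file"; then
        echo NO_FILTERING        # bridged frames never reach FORWARD
        return 0
    fi
    set -- $(forward_rule_positions < "$dump")
    blanket=$1
    jump=$2
    # Blanket rule present and evaluated before (or without) any nwfilter jump.
    if [ "$blanket" -gt 0 ] && { [ "$jump" -eq 0 ] || [ "$blanket" -lt "$jump" ]; }; then
        echo BYPASSED            # accepted before nwfilter chains are consulted
        return 0
    fi
    echo OK
}

# Constructed iptables-save excerpts (not captured from a real host).
DUMP_BYPASSED=$(mktemp)
cat > "$DUMP_BYPASSED" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:libvirt-in - [0:0]
:libvirt-out - [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
COMMIT
EOF

DUMP_OK=$(mktemp)
cat > "$DUMP_OK" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:libvirt-in - [0:0]
:libvirt-out - [0:0]
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
COMMIT
EOF

# Constructed stand-ins for /proc/sys/net/bridge/bridge-nf-call-iptables.
SYSCTL_ON=$(mktemp);  echo 1 > "$SYSCTL_ON"
SYSCTL_OFF=$(mktemp); echo 0 > "$SYSCTL_OFF"

echo "sysctl=0, blanket rule first : $(nwfilter_status "$SYSCTL_OFF" "$DUMP_BYPASSED")"
echo "sysctl=1, blanket rule first : $(nwfilter_status "$SYSCTL_ON"  "$DUMP_BYPASSED")"
echo "sysctl=1, nwfilter jumps first: $(nwfilter_status "$SYSCTL_ON"  "$DUMP_OK")"

# Optional live check; only runs where the sysctl is readable and
# iptables-save works (normally requires root).
LIVE=/proc/sys/net/bridge/bridge-nf-call-iptables
if [ -r "$LIVE" ] && command -v iptables-save >/dev/null 2>&1; then
    live_dump=$(mktemp)
    if iptables-save > "$live_dump" 2>/dev/null; then
        echo "live host: $(nwfilter_status "$LIVE" "$live_dump")"
    fi
    rm -f "$live_dump"
fi
```

A result of NO_FILTERING is the case Stefan describes (fix: `echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables`); BYPASSED is the netcf-libs case from the first message, where the sysctl is on but the blanket ACCEPT still short-circuits the nwfilter chains.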