5:03 p.m.
Hi there,
I have been testing the Network Filter [1] feature of libvirt with KVM on RHEL-5.6 and
RHEL-6. On RHEL-5.6, it works well except the $IP variable is not supported thus cannot
use the clean-filter.
The major problem I found on RHEL-6 is that the iptables rules introduced by nwfilter does
not prevent any traffic. The problem is that all traffic going to the VM virtual NIC
interface goes through the INPUT chain of the iptables instead of the supposed-to-be
FORWARD chain (this is what the nwfilter rules are working on) so that none of the rules
have any effect.
I am not sure whether this is a libvirt problem or iptables problem. But it seems to me
that changing from RHEL-5.6 to RHEL-6, the network traffic works differently.
Has anyone had similar experience? Any suggestion or comments are welcome.
Thank you very much.
Shi
[1] http://libvirt.org/formatnwfilter.html
--
Shi Jin, PhD
12:36 p.m.
On 03/01/2011 06:03 PM, Shi Jin wrote:
Hi there,
I have been testing the Network Filter [1] feature of libvirt with KVM on RHEL-5.6 and
RHEL-6. On RHEL-5.6, it works well except the $IP variable is not supported thus cannot
use the clean-filter.
The major problem I found on RHEL-6 is that the iptables rules introduced by nwfilter
does not prevent any traffic. The problem is that all traffic going to the VM virtual NIC
interface goes through the INPUT chain of the iptables instead of the supposed-to-be
FORWARD chain (this is what the nwfilter rules are working on) so that none of the rules
have any effect.
I am not sure whether this is a libvirt problem or iptables problem. But it seems to me
that changing from RHEL-5.6 to RHEL-6, the network traffic works differently.
Has anyone had similar experience? Any suggestion or comments are welcome.
The
libvirt log file probably would tell you something like this here:
To enable iptables filtering for the VM do 'echo 1 >
/proc/sys/net/bridge/bridge-nf-call-iptables'.
Try that command and it should work. It became necessary due to changed
default Linux kernel behaviour.
Stefan
3:12 p.m.
Thank you very much. It worked like a charm although I couldn't find that message in
the libvirtd.log.
Should I enable all three in /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
Thanks.
Shi
--
Shi Jin, PhD
--- On Wed, 3/2/11, Stefan Berger <stefanb(a)linux.vnet.ibm.com> wrote:
From: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
Subject: Re: [libvirt] Network Filter not working on RHEL-6
To: "Shi Jin" <jinzishuai(a)yahoo.com>
Cc: "libvirt Redhat" <libvir-list(a)redhat.com>, jinzishuai(a)gmail.com
Date: Wednesday, March 2, 2011, 11:36 AM
On 03/01/2011 06:03 PM, Shi Jin
wrote:
> Hi there,
>
> I have been testing the Network Filter [1] feature of
libvirt with KVM on RHEL-5.6 and RHEL-6. On RHEL-5.6, it
works well except the $IP variable is not supported thus
cannot use the clean-filter.
>
> The major problem I found on RHEL-6 is that the
iptables rules introduced by nwfilter does not prevent any
traffic. The problem is that all traffic going to the VM
virtual NIC interface goes through the INPUT chain of the
iptables instead of the supposed-to-be FORWARD chain (this
is what the nwfilter rules are working on) so that none of
the rules have any effect.
>
> I am not sure whether this is a libvirt problem or
iptables problem. But it seems to me that changing from
RHEL-5.6 to RHEL-6, the network traffic works differently.
>
> Has anyone had similar experience? Any suggestion or
comments are welcome.
The libvirt log file probably would tell you something like
this here:
To enable iptables filtering for the VM do 'echo 1 >
/proc/sys/net/bridge/bridge-nf-call-iptables'.
Try that command and it should work. It became necessary
due to changed
default Linux kernel behaviour.
Stefan
6:45 a.m.
On 03/02/2011 04:12 PM, Shi Jin wrote:
Thank you very much. It worked like a charm although I couldn't
find that message in the libvirtd.log.
Should I enable all three in /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
The first two, yes, the last one is probably not necessary.
Stefan
Thanks.
Shi
--
Shi Jin, PhD
--- On Wed, 3/2/11, Stefan Berger<stefanb(a)linux.vnet.ibm.com> wrote:
> From: Stefan Berger<stefanb(a)linux.vnet.ibm.com>
> Subject: Re: [libvirt] Network Filter not working on RHEL-6
> To: "Shi Jin"<jinzishuai(a)yahoo.com>
> Cc: "libvirt Redhat"<libvir-list(a)redhat.com>, jinzishuai(a)gmail.com
> Date: Wednesday, March 2, 2011, 11:36 AM
> On 03/01/2011 06:03 PM, Shi Jin
> wrote:
>> Hi there,
>>
>> I have been testing the Network Filter [1] feature of
> libvirt with KVM on RHEL-5.6 and RHEL-6. On RHEL-5.6, it
> works well except the $IP variable is not supported thus
> cannot use the clean-filter.
>> The major problem I found on RHEL-6 is that the
> iptables rules introduced by nwfilter does not prevent any
> traffic. The problem is that all traffic going to the VM
> virtual NIC interface goes through the INPUT chain of the
> iptables instead of the supposed-to-be FORWARD chain (this
> is what the nwfilter rules are working on) so that none of
> the rules have any effect.
>> I am not sure whether this is a libvirt problem or
> iptables problem. But it seems to me that changing from
> RHEL-5.6 to RHEL-6, the network traffic works differently.
>> Has anyone had similar experience? Any suggestion or
> comments are welcome.
> The libvirt log file probably would tell you something like
> this here:
>
> To enable iptables filtering for the VM do 'echo 1>
> /proc/sys/net/bridge/bridge-nf-call-iptables'.
>
> Try that command and it should work. It became necessary
> due to changed
> default Linux kernel behaviour.
>
> Stefan
>
3:55 p.m.
There is a bug in
netcf-libs(https://bugzilla.redhat.com/show_bug.cgi?id=651032), which
automatically sets "-A FORWARD -m physdev --physdev-is-bridged -j
ACCEPT " if /proc/sys/net/bridge/bridge-nf-call-iptables == 1.
I hit the bug last week, which drove me crazy...
On Wed, Mar 2, 2011 at 1:36 PM, Stefan Berger
<stefanb(a)linux.vnet.ibm.com> wrote:
On 03/01/2011 06:03 PM, Shi Jin wrote:
>
> Hi there,
>
> I have been testing the Network Filter [1] feature of libvirt with KVM on
> RHEL-5.6 and RHEL-6. On RHEL-5.6, it works well except the $IP variable is
> not supported thus cannot use the clean-filter.
>
> The major problem I found on RHEL-6 is that the iptables rules introduced
> by nwfilter does not prevent any traffic. The problem is that all traffic
> going to the VM virtual NIC interface goes through the INPUT chain of the
> iptables instead of the supposed-to-be FORWARD chain (this is what the
> nwfilter rules are working on) so that none of the rules have any effect.
>
> I am not sure whether this is a libvirt problem or iptables problem. But
> it seems to me that changing from RHEL-5.6 to RHEL-6, the network traffic
> works differently.
>
> Has anyone had similar experience? Any suggestion or comments are welcome.
The libvirt log file probably would tell you something like this here:
To enable iptables filtering for the VM do 'echo 1 >
/proc/sys/net/bridge/bridge-nf-call-iptables'.
Try that command and it should work. It became necessary due to changed
default Linux kernel behaviour.
Stefan
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
9:11 a.m.
On 03/02/2011 04:55 PM, edison wrote:
There is a bug in
netcf-libs(https://bugzilla.redhat.com/show_bug.cgi?id=651032), which
automatically sets "-A FORWARD -m physdev --physdev-is-bridged -j
ACCEPT " if /proc/sys/net/bridge/bridge-nf-call-iptables == 1.
I hit the bug last week, which drove me crazy...
As of netcf-0.1.7, netcf no longer reads or modifies any iptables
information. This scenario is one of several reasons that functionality
was removed.
5012
days inactive
5015
days old
5 comments
4 participants
participants (4)
-
edison -
Laine Stump -
Shi Jin -
Stefan Berger