[libvirt] Network Filter not working on RHEL-6

Hi there,

I have been testing the Network Filter [1] feature of libvirt with KVM on RHEL-5.6 and RHEL-6. On RHEL-5.6, it works well except the $IP variable is not supported, thus I cannot use the clean-filter.

The major problem I found on RHEL-6 is that the iptables rules introduced by nwfilter do not prevent any traffic. The problem is that all traffic going to the VM virtual NIC interface goes through the INPUT chain of iptables instead of the supposed-to-be FORWARD chain (this is what the nwfilter rules are working on), so that none of the rules have any effect.

I am not sure whether this is a libvirt problem or an iptables problem. But it seems to me that changing from RHEL-5.6 to RHEL-6, the network traffic works differently.

Has anyone had similar experience? Any suggestions or comments are welcome.

Thank you very much.
Shi

[1] http://libvirt.org/formatnwfilter.html

--
Shi Jin, PhD

On 03/01/2011 06:03 PM, Shi Jin wrote:
> Hi there,
>
> I have been testing the Network Filter [1] feature of libvirt with KVM on RHEL-5.6 and RHEL-6. On RHEL-5.6, it works well except the $IP variable is not supported, thus I cannot use the clean-filter.
>
> The major problem I found on RHEL-6 is that the iptables rules introduced by nwfilter do not prevent any traffic. The problem is that all traffic going to the VM virtual NIC interface goes through the INPUT chain of iptables instead of the supposed-to-be FORWARD chain (this is what the nwfilter rules are working on), so that none of the rules have any effect.
>
> I am not sure whether this is a libvirt problem or an iptables problem. But it seems to me that changing from RHEL-5.6 to RHEL-6, the network traffic works differently.
>
> Has anyone had similar experience? Any suggestions or comments are welcome.

The libvirt log file probably would tell you something like this here:

To enable iptables filtering for the VM do 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables'.

Try that command and it should work. It became necessary due to changed default Linux kernel behaviour.

Stefan

Thank you very much. It worked like a charm, although I couldn't find that message in the libvirtd.log.

Should I enable all three in /etc/sysctl.conf?

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

Thanks.
Shi

--
Shi Jin, PhD

--- On Wed, 3/2/11, Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:

> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
> Subject: Re: [libvirt] Network Filter not working on RHEL-6
> To: "Shi Jin" <jinzishuai@yahoo.com>
> Cc: "libvirt Redhat" <libvir-list@redhat.com>, jinzishuai@gmail.com
> Date: Wednesday, March 2, 2011, 11:36 AM
>
> The libvirt log file probably would tell you something like this here:
>
> To enable iptables filtering for the VM do 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables'.
>
> Try that command and it should work. It became necessary due to changed default Linux kernel behaviour.
>
> Stefan

On 03/02/2011 04:12 PM, Shi Jin wrote:
> Thank you very much. It worked like a charm, although I couldn't find that message in the libvirtd.log.
>
> Should I enable all three in /etc/sysctl.conf?
>
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> net.bridge.bridge-nf-call-arptables = 1

The first two, yes; the last one is probably not necessary.

Stefan
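Stefan's fix (turning on bridge-nf-call-iptables so that bridged guest traffic actually enters the FORWARD chain where the nwfilter rules live) and the follow-up about persisting the two keys in /etc/sysctl.conf can be turned into a small audit script. The POSIX sh below is an added example for this thread, not code from the list or from libvirt: the function names, the sample sysctl lines in the comments and the output messages are constructed for illustration, and it checks only the two keys Stefan confirms as needed.

```shell
#!/bin/sh
# Added example, not from the thread or from libvirt: audit the bridge
# netfilter sysctls that libvirt's nwfilter rules depend on. When
# bridge-nf-call-iptables is 0 (the changed kernel default discussed
# in the thread), bridged guest traffic never enters the iptables
# FORWARD chain, so the nwfilter rules there match nothing and filter
# nothing, which is exactly the silent failure reported above.

# Keys the thread settles on: iptables and ip6tables are needed,
# arptables is "probably not necessary".
REQUIRED_KEYS="net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables"

# check_bridge_nf: read "key = value" lines (the format of `sysctl -a`
# and of /etc/sysctl.conf) on stdin. Prints every required key that is
# absent or not set to 1, space separated, and returns 1 in that case;
# returns 0 and prints nothing when all required keys are 1. The last
# occurrence of a key wins, as it does for sysctl itself. A constructed
# input such as
#   net.bridge.bridge-nf-call-iptables = 0
#   net.bridge.bridge-nf-call-ip6tables = 1
# therefore yields "net.bridge.bridge-nf-call-iptables" and status 1.
check_bridge_nf() {
    input=$(cat)
    missing=""
    for key in $REQUIRED_KEYS; do
        value=$(printf '%s\n' "$input" \
            | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" \
            | tail -n 1)
        if [ "$value" != "1" ]; then
            missing="$missing $key"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# sysctl_fragment: print the lines to append to /etc/sysctl.conf so the
# setting survives a reboot (reloaded with `sysctl -p`). The net.bridge.*
# keys only exist once the bridge module is loaded, so on a host that
# loads it late the fragment has to be applied again after that point.
sysctl_fragment() {
    for key in $REQUIRED_KEYS; do
        printf '%s = 1\n' "$key"
    done
}

# Live check on a KVM host; skipped when the bridge module is not loaded
# or sysctl is unavailable, since the keys do not exist before that.
if [ -d /proc/sys/net/bridge ] && command -v sysctl >/dev/null 2>&1; then
    if disabled=$(sysctl -a 2>/dev/null | check_bridge_nf); then
        echo "bridge netfilter enabled: nwfilter FORWARD rules will see guest traffic"
    else
        echo "disabled or missing: $disabled"
        echo "enable now with 'sysctl -w <key>=1', then persist with:"
        sysctl_fragment
    fi
fi
```

Piping `sysctl -a` through `check_bridge_nf` is the quick way to confirm, before blaming a filter definition, that the kernel is handing bridged frames to iptables at all; if it prints a key, the nwfilter rules cannot have taken effect regardless of their content.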

There is a bug in netcf-libs (https://bugzilla.redhat.com/show_bug.cgi?id=651032), which automatically sets "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT" if /proc/sys/net/bridge/bridge-nf-call-iptables == 1. I hit the bug last week, which drove me crazy...

On Wed, Mar 2, 2011 at 1:36 PM, Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
> The libvirt log file probably would tell you something like this here:
>
> To enable iptables filtering for the VM do 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables'.
>
> Try that command and it should work. It became necessary due to changed default Linux kernel behaviour.
>
> Stefan
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list

On 03/02/2011 04:55 PM, edison wrote:
> There is a bug in netcf-libs (https://bugzilla.redhat.com/show_bug.cgi?id=651032), which automatically sets "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT" if /proc/sys/net/bridge/bridge-nf-call-iptables == 1. I hit the bug last week, which drove me crazy...

As of netcf-0.1.7, netcf no longer reads or modifies any iptables information. This scenario is one of several reasons that functionality was removed.
participants (4)
- edison
- Laine Stump
- Shi Jin
- Stefan Berger