[libvirt] iptables complains about a bad rule

With libvirt from git on Ubuntu 10.04 I get these 3 errors (actually 2 warnings and 1 error) when starting libvirtd:

23:15:45.221: error : virRunWithHook:855 : internal error '/sbin/iptables --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.4: unknown option `--checksum-fill'
Try `iptables -h' or 'iptables --help' for more information.

23:15:45.238: error : virRunWithHook:855 : internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).

23:15:45.275: error : virRunWithHook:855 : internal error '/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.4: unknown option `--checksum-fill'
Try `iptables -h' or 'iptables --help' for more information.

The first and the last one just indicate that my iptables here is too old to know about --checksum-fill, but what about the second one?

Matthias

On 10/27/2010 02:02 PM, Matthias Bolte wrote:
With libvirt from git on Ubuntu 10.04 I get these 3 errors (actually 2 warnings and 1 error) when starting libvirtd:
23:15:45.221: error : virRunWithHook:855 : internal error '/sbin/iptables --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.4: unknown option `--checksum-fill' Try `iptables -h' or 'iptables --help' for more information.
23:15:45.238: error : virRunWithHook:855 : internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).
23:15:45.275: error : virRunWithHook:855 : internal error '/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.4: unknown option `--checksum-fill' Try `iptables -h' or 'iptables --help' for more information.
The first and the last one just indicate that my iptables here is too old to know about --checksum-fill, but what about the second one?
Ah - that one is harmless too, but is a bona fide bug - when starting the network we only add the rule to allow port 69 if the network def has a non-empty tftproot, but when destroying the network we try to remove it no matter what. I'm following this message with a patch to remedy the problem.
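The add/remove asymmetry Laine describes is the usual way a teardown path ends up with "Bad rule" noise, and the opposite mistake (skipping a delete for a rule that was in fact added) leaves an ACCEPT rule open on the bridge. The script below is an added shell example, not libvirt's code: it removes every copy of a rule without ever erroring on an absent one, and it mirrors the fix by only touching the port-69 rule when a tftproot was configured. The rule specifications (bridge virbr0, UDP 69/53/67 and TCP 53 in the filter INPUT chain) are the ones named in the thread; the IPTABLES variable, the TFTPROOT argument standing in for network->def->tftproot, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not libvirt code: idempotent teardown of per-bridge
# iptables rules. IPTABLES may be pointed at a wrapper or a stub; by
# default the real binary on PATH is used (which needs root).

IPTABLES="${IPTABLES:-iptables}"

# delete_all_matching TABLE CHAIN RULE-SPEC...
# `iptables --delete` removes one matching entry per call and exits 1
# ("Bad rule (does a matching rule exist in that chain?)") once none is
# left, so looping until it fails removes every copy (for example
# duplicates left behind by an unclean restart) and never reports an
# error for a rule that was never added. Prints the number removed.
# This works on old binaries such as the 1.4.4 in the thread.
delete_all_matching() {
    table=$1; chain=$2; shift 2
    n=0
    while "$IPTABLES" --table "$table" --delete "$chain" "$@" 2>/dev/null; do
        n=$((n + 1))
    done
    echo "$n"
}

# rule_present TABLE CHAIN RULE-SPEC...  -> exit status 0 if the exact rule exists.
# Uses --check, which only exists in iptables >= 1.4.11; iptables 1.4.4
# would reject it as an unknown option (exit status 2), so do not rely
# on it for the delete path itself.
rule_present() {
    table=$1; chain=$2; shift 2
    "$IPTABLES" --table "$table" --check "$chain" "$@" 2>/dev/null
}

# teardown_bridge_rules BRIDGE [TFTPROOT]
# Mirrors the fix in the thread: the port-69 (tftp) rule is only touched
# when the network was configured with a tftproot, exactly the condition
# under which the add side installed it. Prints the total rules removed.
teardown_bridge_rules() {
    bridge=$1
    tftproot=${2:-}
    total=0
    if [ -n "$tftproot" ]; then
        total=$((total + $(delete_all_matching filter INPUT \
            --in-interface "$bridge" --protocol udp --destination-port 69 --jump ACCEPT)))
    fi
    for spec in "udp 53" "tcp 53" "udp 67"; do
        set -- $spec   # split "proto port" into $1 and $2
        total=$((total + $(delete_all_matching filter INPUT \
            --in-interface "$bridge" --protocol "$1" --destination-port "$2" --jump ACCEPT)))
    done
    echo "$total"
}

# Stand-alone use (needs root):  sh teardown.sh --teardown virbr0 [/path/to/tftproot]
if [ "${1:-}" = "--teardown" ]; then
    teardown_bridge_rules "$2" "${3:-}"
fi
```

The delete loop is the part worth copying: it is safe to call on every shutdown regardless of what the start path did, and it also cleans up the duplicate rules that a crashed daemon can leave behind, which a single `--delete` would silently miss.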

During virtual network startup, the iptables rule that allows tftp traffic is only added if network->def->tftproot is non-empty, but when the virtual network is destroyed, we had been unconditionally trying to delete the rule. This was harmless, except that it created a bogus error message. This patch conditionalizes the delete command in the same manner that the insert command is already conditionalized. --- src/network/bridge_driver.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 0777d85..631fbf1 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -990,7 +990,8 @@ networkRemoveIptablesRules(struct network_driver *driver, iptablesRemoveForwardAllowCross(driver->iptables, network->def->bridge); iptablesRemoveForwardRejectIn(driver->iptables, network->def->bridge); iptablesRemoveForwardRejectOut(driver->iptables, network->def->bridge); - iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 69); + if (network->def->tftproot) + iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 69); iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53); iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53); iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67); -- 1.7.2.3
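Review bot: the guard added in networkRemoveIptablesRules, `if (network->def->tftproot)`, tests the pointer for NULL, while the commit message says the add side only installs the rule when tftproot is "non-empty"; if the startup path really tests for a non-empty string, a definition carrying an empty tftproot would still reach the delete and reproduce the "Bad rule" error, so either reword the message to "set" or make both sides use the identical test (for example `if (network->def->tftproot && *network->def->tftproot)`). Since the insert and delete conditions now live in two separate functions, a one-line comment at this point noting that the condition must mirror the one in the add path would help keep them from drifting apart.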

2010/10/28 Laine Stump <laine@laine.org>:
During virtual network startup, the iptables rule that allows tftp traffic is only added if network->def->tftproot is non-empty, but when the virtual network is destroyed, we had been unconditionally trying to delete the rule. This was harmless, except that it created a bogus error message.
This patch conditionalizes the delete command in the same manner that the insert command is already conditionalized.
---
 src/network/bridge_driver.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 0777d85..631fbf1 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -990,7 +990,8 @@ networkRemoveIptablesRules(struct network_driver *driver, iptablesRemoveForwardAllowCross(driver->iptables, network->def->bridge); iptablesRemoveForwardRejectIn(driver->iptables, network->def->bridge); iptablesRemoveForwardRejectOut(driver->iptables, network->def->bridge); - iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 69); + if (network->def->tftproot) + iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 69); iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53); iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53); iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67); -- 1.7.2.3
ACK, fixes the bogus error message.

Matthias

On 10/28/2010 04:14 AM, Matthias Bolte wrote:
2010/10/28 Laine Stump<laine@laine.org>:
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 0777d85..631fbf1 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -990,7 +990,8 @@ networkRemoveIptablesRules(struct network_driver *driver, iptablesRemoveForwardAllowCross(driver->iptables, network->def->bridge); iptablesRemoveForwardRejectIn(driver->iptables, network->def->bridge); iptablesRemoveForwardRejectOut(driver->iptables, network->def->bridge); - iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 69); + if (network->def->tftproot) + iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 69);
ACK, fixes the bogus error message.
Thanks, pushed.
participants (2): Laine Stump, Matthias Bolte