Hi,
I am trying to prevent my qemu guest machines from sending IPv6 router
advertisements over their network device. To that end, I have written this
filter definition:
<filter name='no-ipv6-router-advertisement' chain='root' priority='-690'>
  <rule action='drop' direction='out' priority='600'>
    <icmpv6 type='134'/>
  </rule>
  <rule action='drop' direction='out' priority='600'>
    <icmpv6 type='153'/>
  </rule>
</filter>
As soon as I try to use this filter, though, I get the following error (in
virsh):
error: Error while building firewall: Some rules could not be created for
interface vnet0: Failure to execute command
'$IPT -A libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0' :
'ip6tables: No chain/target/match by that name.'.
I am (trying to) use this filter by including it here:
<filter name='clean-traffic-with-v6' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-dhcp-server'/>
  <rule action='accept' direction='out' priority='-650'>
    <mac protocolid='ipv4'/>
  </rule>
  <filterref filter='allow-incoming-ipv4'/>
  <filterref filter='no-ipv6-spoofing'/>
  <filterref filter='no-ipv6-router-advertisement'/>
  <filterref filter='no-dhcpv6-server'/>
  <rule action='accept' direction='out' priority='-600'>
    <mac protocolid='ipv6'/>
  </rule>
  <filterref filter='allow-incoming-ipv6'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>
Without the line
<filterref filter='no-ipv6-router-advertisement'/>
this filter works fine.
When running a domain with this filter without the
no-ipv6-router-advertisement filterref, my ip6tables look like this:
# ip6tables-save
# Generated by ip6tables-save v1.4.13 on Wed Nov 7 17:46:32 2012
*mangle
:PREROUTING ACCEPT [146:12680]
:INPUT ACCEPT [103:9704]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [172:14184]
:POSTROUTING ACCEPT [172:14184]
COMMIT
# Completed on Wed Nov 7 17:46:32 2012
# Generated by ip6tables-save v1.4.13 on Wed Nov 7 17:46:32 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:libvirt-host-in - [0:0]
:libvirt-in - [0:0]
:libvirt-in-post - [0:0]
:libvirt-out - [0:0]
-A INPUT -j libvirt-host-in
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A FORWARD -j libvirt-in-post
COMMIT
# Completed on Wed Nov 7 17:46:32 2012
This is with libvirt 0.10.2.
Does anybody have an idea what is happening here or how I could debug this
further?
Regards,
Guido
I figured it out: it was because I did not have physdev match support in my
kernel.
Guido
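As an added diagnostic, not part of the thread, here is a small POSIX shell script for telling apart the cause found above. libvirt's nwfilter driver emits rules of the form '-m physdev --physdev-out vnetN', so "No chain/target/match by that name" from ip6tables usually means the kernel was built without CONFIG_NETFILTER_XT_MATCH_PHYSDEV (the xt_physdev module). The script pulls the match names out of a libvirt firewall error (the sample error string is the one from the thread) and reports how physdev is configured in a kernel config text; the config fragment embedded for the offline run is constructed. Function names are my own, and the live branch assumes the running kernel's config is exposed via /proc/config.gz or /boot/config-$(uname -r), falling back to lsmod.

```shell
#!/bin/sh
# Added diagnostic (not code from the thread): check whether the ip6tables
# "physdev" match that libvirt's nwfilter rules depend on is available.

# Error text from the thread, kept as sample input for failing_matches.
SAMPLE_ERROR="error: Error while building firewall: Some rules could not be created for interface vnet0: Failure to execute command '\$IPT -A libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0' : 'ip6tables: No chain/target/match by that name.'."

# Constructed kernel config fragment (not from the thread) for an offline run.
SAMPLE_CONFIG="CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_POLICY=y"

# Print the match extensions (-m NAME) named in a libvirt firewall error,
# one per line, so you know which xt_* option/module to look for.
failing_matches() {
    printf '%s\n' "$1" | grep -oE -e '-m [a-z0-9_]+' | awk '{ print $2 }' | sort -u
}

# Given kernel config text, report how the physdev match is built:
# "builtin" (=y), "module" (=m) or "missing" (unset or "is not set").
physdev_config_state() {
    case "$(printf '%s\n' "$1" | sed -n 's/^CONFIG_NETFILTER_XT_MATCH_PHYSDEV=//p')" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo missing ;;
    esac
}

# Live check on this host: read the running kernel's config if it is exposed,
# otherwise fall back to lsmod. Prints the same states as above, or "unknown".
physdev_state_live() {
    if [ -r /proc/config.gz ]; then
        physdev_config_state "$(zcat /proc/config.gz)"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        physdev_config_state "$(cat "/boot/config-$(uname -r)")"
    elif lsmod 2>/dev/null | grep -q '^xt_physdev '; then
        echo module
    else
        echo unknown
    fi
}

# Without --live the script only exercises the parsers on the embedded samples.
printf 'matches named in error: %s\n' "$(failing_matches "$SAMPLE_ERROR" | tr '\n' ' ')"
if [ "${1:-}" = "--live" ]; then
    printf 'physdev in running kernel: %s\n' "$(physdev_state_live)"
else
    printf 'physdev in sample config: %s\n' "$(physdev_config_state "$SAMPLE_CONFIG")"
fi
```

Run it with --live as root on the host that produced the error; "missing" or "unknown" together with "physdev" in the match list points at the kernel build rather than at the nwfilter XML, which is exactly the situation resolved in this thread.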