[libvirt] Network Filter not working on RHEL-6

Shi Jin jinzishuai at yahoo.com
Wed Mar 2 21:12:25 UTC 2011


Thank you very much. It worked like a charm although I couldn't find that message in the libvirtd.log.

Should I enable all three in /etc/sysctl.conf?
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1


Thanks.
Shi
--
Shi Jin, PhD


--- On Wed, 3/2/11, Stefan Berger <stefanb at linux.vnet.ibm.com> wrote:

> From: Stefan Berger <stefanb at linux.vnet.ibm.com>
> Subject: Re: [libvirt] Network Filter not working on RHEL-6
> To: "Shi Jin" <jinzishuai at yahoo.com>
> Cc: "libvirt Redhat" <libvir-list at redhat.com>, jinzishuai at gmail.com
> Date: Wednesday, March 2, 2011, 11:36 AM
> On 03/01/2011 06:03 PM, Shi Jin
> wrote:
> > Hi there,
> >
> > I have been testing the Network Filter [1] feature of
> libvirt with KVM on RHEL-5.6 and RHEL-6. On RHEL-5.6, it
> works well except the $IP variable is not supported thus
> cannot use the clean-filter.
> >
> > The major problem I found on RHEL-6 is that the
> iptables rules introduced by nwfilter does not prevent any
> traffic. The problem is that all traffic going to the VM
> virtual NIC interface goes through the INPUT chain of the
> iptables instead of the supposed-to-be FORWARD chain (this
> is what the nwfilter rules are working on) so that none of
> the rules have any effect.
> >
> > I am not sure whether this is a libvirt problem or
> iptables problem. But it seems to me that changing from
> RHEL-5.6 to RHEL-6, the network traffic works differently.
> >
> > Has anyone had similar experience? Any suggestion or
> comments are welcome.
> The libvirt log file probably would tell you something like
> this here:
> 
> To enable iptables filtering for the VM do 'echo 1 > 
> /proc/sys/net/bridge/bridge-nf-call-iptables'.
> 
> Try that command and it should work. It became necessary
> due to changed 
> default Linux kernel behaviour.
> 
>     Stefan
> 
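The thread turns on whether bridged VM traffic is handed to netfilter at all: with bridge-nf-call-iptables at 0, frames crossing the bridge never traverse the FORWARD chain the nwfilter rules are attached to. The following POSIX shell script is an added example, not code from the thread or from libvirt: it reports the state of the three bridge-nf-call-* sysctls (reading them from a directory that defaults to /proc/sys/net/bridge but can be pointed at a constructed directory), prints the /etc/sysctl.conf lines that make the setting persistent, and exercises the check against a constructed directory. The function names and the constructed sample directory are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Report whether bridged traffic is passed to iptables/ip6tables/arptables.
# $1: directory holding the sysctl files (default: /proc/sys/net/bridge).
# Returns the number of settings that are missing or disabled (0 = all on).
bridge_nf_status() {
    dir="${1:-/proc/sys/net/bridge}"
    bad=0
    for key in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        f="$dir/$key"
        if [ ! -r "$f" ]; then
            # File absent: the bridge netfilter code is not loaded on this host.
            echo "$key: not present (bridge netfilter not available?)"
            bad=$((bad + 1))
            continue
        fi
        val=$(cat "$f")
        if [ "$val" = "1" ]; then
            echo "$key: 1 (bridged traffic traverses the FORWARD chain)"
        else
            echo "$key: $val (nwfilter rules in FORWARD will not see bridged traffic)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# The lines to put in /etc/sysctl.conf so the setting survives a reboot.
sysctl_conf_fragment() {
    printf '%s\n' \
        'net.bridge.bridge-nf-call-ip6tables = 1' \
        'net.bridge.bridge-nf-call-iptables = 1' \
        'net.bridge.bridge-nf-call-arptables = 1'
}

# Number of "= 1" lines in the fragment (used to sanity-check it).
sysctl_conf_enabled_count() {
    sysctl_conf_fragment | grep -c '= 1'
}

# Demonstration against a constructed directory standing in for
# /proc/sys/net/bridge: iptables on, ip6tables off, arptables file absent.
demo() {
    tmp=$(mktemp -d)
    echo 1 > "$tmp/bridge-nf-call-iptables"
    echo 0 > "$tmp/bridge-nf-call-ip6tables"
    bridge_nf_status "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run `bridge_nf_status` with no argument on the hypervisor itself to see the live values; a non-zero return means at least one of the three is off or unavailable, which is the condition described in the thread where the filter rules silently have no effect.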
