[libvirt] Network Filter not working on RHEL-6

edison disheng.su at gmail.com
Wed Mar 2 21:55:43 UTC 2011


There is a bug in
netcf-libs (https://bugzilla.redhat.com/show_bug.cgi?id=651032), which
automatically sets "-A FORWARD -m physdev --physdev-is-bridged -j
ACCEPT" if /proc/sys/net/bridge/bridge-nf-call-iptables == 1.
I hit the bug last week, which drove me crazy...

On Wed, Mar 2, 2011 at 1:36 PM, Stefan Berger
<stefanb at linux.vnet.ibm.com> wrote:
> On 03/01/2011 06:03 PM, Shi Jin wrote:
>>
>> Hi there,
>>
>> I have been testing the Network Filter [1] feature of libvirt with KVM on
>> RHEL-5.6 and RHEL-6. On RHEL-5.6, it works well except that the $IP variable is
>> not supported, thus the clean-filter cannot be used.
>>
>> The major problem I found on RHEL-6 is that the iptables rules introduced
>> by nwfilter do not prevent any traffic. The problem is that all traffic
>> going to the VM virtual NIC interface goes through the INPUT chain of
>> iptables instead of the supposed-to-be FORWARD chain (this is what the
>> nwfilter rules are working on), so that none of the rules have any effect.
>>
>> I am not sure whether this is a libvirt problem or iptables problem. But
>> it seems to me that changing from RHEL-5.6 to RHEL-6, the network traffic
>> works differently.
>>
>> Has anyone had similar experience? Any suggestion or comments are welcome.
>
> The libvirt log file probably would tell you something like this here:
>
> To enable iptables filtering for the VM do 'echo 1 >
> /proc/sys/net/bridge/bridge-nf-call-iptables'.
>
> Try that command and it should work. It became necessary due to changed
> default Linux kernel behaviour.
>
>   Stefan
>
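The thread names two conditions that decide whether libvirt's nwfilter rules in the FORWARD chain can see bridged VM traffic at all: bridge-nf-call-iptables must be 1 (Stefan's point), and there must not be a blanket "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT" sitting ahead of the nwfilter rules (the netcf bug edison describes). The POSIX shell audit below is an added example, not code from the thread, from libvirt or from netcf. The function names nwfilter_audit and nwfilter_audit_live, the return-code convention and the two iptables-save dumps are my own constructions; the live wrapper assumes root and a host where the bridge module exposes the sysctl file, while the pure function works offline on any dump you paste in.

```shell
#!/bin/sh
# Added example (not from the thread): check whether libvirt nwfilter rules
# in the iptables FORWARD chain can take effect for bridged VM traffic.
#
# nwfilter_audit SYSCTL_VALUE IPTABLES_SAVE_TEXT
#   SYSCTL_VALUE      contents of /proc/sys/net/bridge/bridge-nf-call-iptables
#   IPTABLES_SAVE_TEXT output of `iptables-save`
# Return codes (my own convention, not libvirt's):
#   0  preconditions for FORWARD-chain filtering are satisfied
#   1  bridge-nf-call-iptables is not 1 (or the file is missing):
#      bridged traffic never enters the FORWARD chain
#   2  an unconditional physdev-is-bridged ACCEPT exists in FORWARD
#      (the netcf bug); rules placed after it never match
nwfilter_audit() {
    val=$1
    dump=$2
    blanket='^-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT *$'

    if [ "$val" != "1" ]; then
        echo "bridge-nf-call-iptables=$val: bridged VM traffic bypasses FORWARD"
        return 1
    fi

    # Line number of the blanket accept, and of the first other FORWARD rule.
    first_blanket=$(printf '%s\n' "$dump" | grep -n -E "$blanket" \
        | head -n1 | cut -d: -f1)
    first_other=$(printf '%s\n' "$dump" | grep -n -E '^-A FORWARD ' \
        | grep -v -E 'physdev-is-bridged -j ACCEPT *$' | head -n1 | cut -d: -f1)

    if [ -n "$first_blanket" ]; then
        if [ -z "$first_other" ] || [ "$first_blanket" -lt "$first_other" ]; then
            echo "blanket physdev-is-bridged ACCEPT at dump line $first_blanket precedes all other FORWARD rules"
        else
            echo "blanket physdev-is-bridged ACCEPT at dump line $first_blanket (first other FORWARD rule at line $first_other)"
        fi
        return 2
    fi

    echo "FORWARD filtering preconditions satisfied"
    return 0
}

# Live wrapper for a real host: reads the sysctl and the current ruleset.
# Requires root; prints "missing" as the sysctl value if the bridge module
# has not created the file.
nwfilter_audit_live() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then v=$(cat "$f"); else v=missing; fi
    nwfilter_audit "$v" "$(iptables-save 2>/dev/null)"
}

# Constructed sample: what the netcf bug leaves behind. The blanket accept
# comes before the per-VM jump that nwfilter installs.
SAMPLE_BUGGY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m physdev --physdev-in vnet0 -j FI-vnet0
COMMIT'

# Constructed sample: only the nwfilter jump, no blanket accept.
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in vnet0 -j FI-vnet0
COMMIT'

# Demonstration on the constructed dumps (rc captured so `set -e` callers survive).
rc=0; nwfilter_audit 1 "$SAMPLE_BUGGY" || rc=$?; echo "rc=$rc"
rc=0; nwfilter_audit 0 "$SAMPLE_OK"    || rc=$?; echo "rc=$rc"
rc=0; nwfilter_audit 1 "$SAMPLE_OK"    || rc=$?; echo "rc=$rc"
```

On a real host run nwfilter_audit_live as root; a return code of 1 means the sysctl Stefan mentions is off, 2 means the ruleset still carries the netcf blanket accept even though the sysctl is on, and only 0 means the per-interface FI-vnetN chains installed by nwfilter can actually be reached.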