[libvirt] Network Filter not working on RHEL-6

Stefan Berger stefanb at linux.vnet.ibm.com
Thu Mar 3 12:45:02 UTC 2011


On 03/02/2011 04:12 PM, Shi Jin wrote:
> Thank you very much. It worked like a charm although I couldn't find that message in the libvirtd.log.
>
> Should I enable all three in /etc/sysctl.conf
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> net.bridge.bridge-nf-call-arptables = 1
>
The first two, yes, the last one is probably not necessary.

    Stefan

> Thanks.
> Shi
> --
> Shi Jin, PhD
>
>
> --- On Wed, 3/2/11, Stefan Berger<stefanb at linux.vnet.ibm.com>  wrote:
>
>> From: Stefan Berger<stefanb at linux.vnet.ibm.com>
>> Subject: Re: [libvirt] Network Filter not working on RHEL-6
>> To: "Shi Jin"<jinzishuai at yahoo.com>
>> Cc: "libvirt Redhat"<libvir-list at redhat.com>, jinzishuai at gmail.com
>> Date: Wednesday, March 2, 2011, 11:36 AM
>> On 03/01/2011 06:03 PM, Shi Jin
>> wrote:
>>> Hi there,
>>>
>>> I have been testing the Network Filter [1] feature of
>> libvirt with KVM on RHEL-5.6 and RHEL-6. On RHEL-5.6, it
>> works well except the $IP variable is not supported thus
>> cannot use the clean-filter.
>>> The major problem I found on RHEL-6 is that the
>> iptables rules introduced by nwfilter does not prevent any
>> traffic. The problem is that all traffic going to the VM
>> virtual NIC interface goes through the INPUT chain of the
>> iptables instead of the supposed-to-be FORWARD chain (this
>> is what the nwfilter rules are working on) so that none of
>> the rules have any effect.
>>> I am not sure whether this is a libvirt problem or
>> iptables problem. But it seems to me that changing from
>> RHEL-5.6 to RHEL-6, the network traffic works differently.
>>> Has anyone had similar experience? Any suggestion or
>> comments are welcome.
>> The libvirt log file probably would tell you something like
>> this here:
>>
>> To enable iptables filtering for the VM do 'echo 1 >
>> /proc/sys/net/bridge/bridge-nf-call-iptables'.
>>
>> Try that command and it should work. It became necessary
>> due to changed
>> default Linux kernel behaviour.
>>
>>      Stefan
>>
>
>
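The check below is an added example and is not code from the thread or from libvirt. It verifies the two knobs Stefan recommends (bridge-nf-call-iptables and bridge-nf-call-ip6tables) so that an admin can confirm, before trusting nwfilter rules, that bridged VM traffic is actually handed to the FORWARD chain. The directory argument is an assumption made for testability: in production it is /proc/sys/net/bridge, and the demonstration at the end runs against a constructed directory instead.

```shell
#!/bin/sh
# Added example, not from the original thread or from libvirt.
# libvirt nwfilter installs its rules in the iptables FORWARD chain; if the
# bridge netfilter hooks are off, bridged frames never reach that chain and
# the rules silently filter nothing. These helpers surface that condition.
# The directory parameter is an assumption for testing; the real location
# is /proc/sys/net/bridge.

# Prints every required knob that is missing or not set to 1.
# Returns 0 when both are enabled, 1 otherwise.
check_bridge_nf() {
    dir="${1:-/proc/sys/net/bridge}"
    rc=0
    for knob in bridge-nf-call-iptables bridge-nf-call-ip6tables; do
        f="$dir/$knob"
        if [ ! -r "$f" ]; then
            # No such file: the bridge netfilter code is not loaded at all
            echo "$knob: missing (bridge netfilter not available)"
            rc=1
        elif [ "$(cat "$f")" != "1" ]; then
            echo "$knob: disabled (value $(cat "$f"))"
            rc=1
        fi
    done
    return $rc
}

# Emits the /etc/sysctl.conf lines needed for the knobs that are not yet
# enabled, so the fix persists across reboots once an admin appends them.
sysctl_conf_lines() {
    dir="${1:-/proc/sys/net/bridge}"
    for knob in bridge-nf-call-iptables bridge-nf-call-ip6tables; do
        f="$dir/$knob"
        if [ ! -r "$f" ] || [ "$(cat "$f")" != "1" ]; then
            echo "net.bridge.$knob = 1"
        fi
    done
}

# Demonstration on a constructed directory that stands in for
# /proc/sys/net/bridge: IPv4 hook on, IPv6 hook off.
demo=$(mktemp -d)
printf '1\n' > "$demo/bridge-nf-call-iptables"
printf '0\n' > "$demo/bridge-nf-call-ip6tables"
check_bridge_nf "$demo" || sysctl_conf_lines "$demo"
rm -rf "$demo"
```

On a real host, run `check_bridge_nf` with no argument; a non-zero exit means nwfilter rules are not being applied to bridged traffic, and `sysctl_conf_lines` prints exactly the lines to add to /etc/sysctl.conf. The arptables knob is left out deliberately, matching the advice above that it is probably not needed.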