[libvirt] [PATCH] iptablesSetupPrivateChains: Be forgiving if a table does not exist
Andrea Bolognani
abologna at redhat.com
Mon Mar 18 14:44:39 UTC 2019
On Mon, 2019-03-11 at 12:55 +0100, Michal Privoznik wrote:
> On 3/11/19 11:43 AM, Daniel P. Berrangé wrote:
> > What I mean is that this transaction is checking the filter, nat and
> > mangle tables of both ipv4 and ipv6. You have a missing mangle table
> > for ipv6, but this "ignore errors" policy means we'll even ignore
> > the missing "filter" table for ipv4 for example which is something we
> > have previously considered mandatory.
> >
> > We will still get a failure later when the network is started though
> > I guess.
>
> I know, and to me that's acceptable. It will not be any worse with this
> patch. Only better. Because right now we fail even for IPv6 even though
> you might not use it.

As mentioned yesterday on IRC, I hit the issue this patch tries to
address on my machine.

Because of $reasons, I have disabled IPv6 by adding "ipv6.disable=1"
to the kernel command line (as suggested in [1]), and when running
v5.1.0 or current libvirt master the default network can't be
started:

  $ virsh net-start default
  error: Failed to start network default
  error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter
  --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp
  --destination-port 67 --jump ACCEPT' failed: iptables: No
  chain/target/match by that name.

After applying this patch, the default network comes up and works
just fine.

[1] https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6
--
Andrea Bolognani / Red Hat / Virtualization
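
The trade-off raised in the quoted review (a blanket "ignore errors" policy also hides a missing IPv4 filter table), as an added sketch that is not part of this message or of libvirt's code. The types, function names and probe data are hypothetical, and treating only the IPv4 filter table as mandatory is an assumption of the sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical types for this sketch; not libvirt's firewall API. */
typedef enum { FAMILY_IPV4, FAMILY_IPV6 } family_t;
typedef struct { family_t family; const char *table; bool present; } table_probe_t;

/* Constructed probe results: host booted with ipv6.disable=1. */
const table_probe_t ipv6_disabled[] = {
    {FAMILY_IPV4, "filter", true},  {FAMILY_IPV4, "nat", true},  {FAMILY_IPV4, "mangle", true},
    {FAMILY_IPV6, "filter", false}, {FAMILY_IPV6, "nat", false}, {FAMILY_IPV6, "mangle", false},
};
/* Constructed probe results: the IPv4 filter table itself is unavailable. */
const table_probe_t no_ipv4_filter[] = {
    {FAMILY_IPV4, "filter", false}, {FAMILY_IPV4, "nat", true},  {FAMILY_IPV4, "mangle", true},
    {FAMILY_IPV6, "filter", true},  {FAMILY_IPV6, "nat", true},  {FAMILY_IPV6, "mangle", true},
};

/* Blanket "ignore errors" policy: every missing table is tolerated. */
int setup_ignore_all(const table_probe_t *p, size_t n, size_t *skipped)
{
    *skipped = 0;
    for (size_t i = 0; i < n; i++)
        if (!p[i].present)
            (*skipped)++;
    return 0;
}

/* Assumption of this sketch: only the IPv4 filter table is mandatory,
 * the one the review says was previously considered mandatory. */
static bool table_is_mandatory(const table_probe_t *p)
{
    return p->family == FAMILY_IPV4 && strcmp(p->table, "filter") == 0;
}

/* Per-table policy: skip missing optional tables, fail (-1) on a mandatory one. */
int setup_per_table(const table_probe_t *p, size_t n, size_t *skipped)
{
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].present)
            continue;
        if (table_is_mandatory(&p[i]))
            return -1;
        (*skipped)++;
    }
    return 0;
}
```

Both policies let the IPv6-disabled host proceed; only the per-table one reports the missing IPv4 filter table at setup time instead of at network start.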