[libvirt-users] network interface management in bridge firewall configuration

Laine Stump laine at laine.org
Sun Jun 27 15:28:01 UTC 2010


On 06/17/2010 11:01 AM, Aleksander Trofimowicz wrote:
> Hello,
>
> I'm just wondering why I can't manage my network interfaces through
> libvirt when the following kernel parameters are turned on:
>
> net.bridge.bridge-nf-call-ip6tables
> net.bridge.bridge-nf-call-iptables
> net.bridge.bridge-nf-call-arptables
>
> Is it a bug or by design?

There should be no problems with this. The only place any of these are 
used in netcf is that net.bridge.bridge-nf-call-iptables is checked at 
one point, and if it's set to 1, an attempt is made to assure traffic 
can pass through all the bridges by parsing /etc/sysconfig/iptables and 
adding appropriate rules (see the function bridge_physdevs() in netcf if 
you're into looking at source code).

One thing that has shown up recently is that when 
bridge-nf-call-iptables is 1, if /etc/sysconfig/iptables is empty or 
malformed, netcf will fail to initialize. There have been a couple of 
bugs filed against RHEL for this, but they haven't yet been cloned 
upstream. Just to verify this is actually the problem, can you check 
your /etc/sysconfig/iptables to see if it is 0 length (and if so, put 
some basic rules in and try again)?
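As an added diagnostic (not netcf code, and not part of the original thread), the shell function below reproduces the check described in the reply: only when bridge-nf-call-iptables reads 1 does the rules file matter, and a zero-length or structurally broken /etc/sysconfig/iptables is what trips netcf. The sysctl directory and rules-file path are taken as parameters (an assumption made here) so the check can be run against copies of the files.

```shell
#!/bin/sh
# Added example: mirrors netcf's precondition from the reply above.
# Usage: check_bridge_nf_iptables SYSCTL_DIR IPTABLES_FILE
#   e.g. check_bridge_nf_iptables /proc/sys/net/bridge /etc/sysconfig/iptables
# Returns 0 when netcf should be able to proceed,
#         1 when the sysctl is 1 but the rules file is missing or 0 bytes,
#         2 when the sysctl is 1 but the file does not look like
#           iptables-save output (unbalanced '*table' / COMMIT pairs).
check_bridge_nf_iptables() {
    sysctl_dir=$1
    rules=$2
    ctl="$sysctl_dir/bridge-nf-call-iptables"

    # If the sysctl is absent or 0, netcf never parses the rules file.
    if [ ! -r "$ctl" ] || [ "$(cat "$ctl")" != "1" ]; then
        echo "bridge-nf-call-iptables is off or absent; $rules is not consulted"
        return 0
    fi

    # Zero-length or missing file: the failure mode the reply asks about.
    if [ ! -s "$rules" ]; then
        echo "bridge-nf-call-iptables=1 but $rules is missing or 0 bytes"
        return 1
    fi

    # Minimal structural sanity in iptables-save format: every '*table'
    # header must be closed by a COMMIT line. awk always exits 0, so this
    # is safe under 'set -e'.
    tables=$(awk '/^\*/ {n++} END {print n+0}' "$rules")
    commits=$(awk '/^COMMIT/ {n++} END {print n+0}' "$rules")
    if [ "$tables" -eq 0 ] || [ "$tables" -ne "$commits" ]; then
        echo "$rules looks malformed: $tables table header(s), $commits COMMIT line(s)"
        return 2
    fi

    echo "$rules defines $tables table(s); netcf should be able to parse it"
    return 0
}

# Run the check when invoked with both paths on the command line.
if [ "$#" -eq 2 ]; then
    check_bridge_nf_iptables "$1" "$2"
fi
```

A non-zero return points at the condition to fix before retrying interface management through libvirt: either load a basic ruleset into the file or set the sysctl to 0.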
