[libvirt-users] Issues with nwfilter rules

Kevin libvirt at allyourspam.arebelongtous.com
Sat Dec 10 07:48:55 UTC 2011


Hi All,

I have two kvm guests running with a bridged configuration bound 
separately to br0 and br1 on my Fedora 15 host.  I'm attempting to create 
some nwfilter rules on br1 and am running into a bunch of problems that 
have me scratching my head.

libvirt version: 0.8.8-7

What I've noticed on the second host is as follows:
- Most all nwfilter rules that I create for the host on br1 don't
work as I would expect.  If I create a rule for TCP dest port 22
with direction set to 'in', I would expect I could connect to the
host via SSH from another host, but I only see a SYN and not a full 
connection.  If I set the direction to 'inout', SSH seems to work.
- A nwfilter rule for UDP dest port 53 with direction set to 'out' or 
'inout' doesn't allow lookups to an outside DNS server.
- In the configuration of one VM, the source Virtual network device
lists "Host device vnet0 (Bridge 'br0')" and the other lists "Host
device eth1 (Bridge 'br1')".  I don't see anything different in the
two hosts' XML configuration files that describes the difference, but
I'm concerned that the second VM on br1 is misconfigured.

I notice a few iptables rules with "PHYSDEV match --physdev-in vnet1" 
listed in them; should these really read "PHYSDEV match --physdev-in br1" 
given the configuration virt-manager is reporting?

I would appreciate any pointers.

-Kevin
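An added example (not from the original post or the libvirt project) of an nwfilter definition that spells out both directions of each flow Kevin describes, so that whether SSH and DNS pass does not depend on how this libvirt version handles connection tracking for a single 'in' or 'inout' rule. The filter name 'allow-ssh-dns' and the priority values are constructed for this example.

```xml
<!-- Constructed example filter; define with
     'virsh nwfilter-define allow-ssh-dns.xml' and reference it from the
     guest's <interface> as <filterref filter='allow-ssh-dns'/>. -->
<filter name='allow-ssh-dns' chain='root'>
  <!-- ARP must pass in both directions or the guest cannot resolve
       its gateway once the final drop rule is in place. -->
  <rule action='accept' direction='inout' priority='10'>
    <arp/>
  </rule>

  <!-- Inbound SSH. A lone direction='in' rule on dst port 22 only
       matches packets arriving at the guest (the SYN seen in the post);
       the guest's replies leave from src port 22 and need their own rule. -->
  <rule action='accept' direction='in' priority='100'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='accept' direction='out' priority='101'>
    <tcp srcportstart='22'/>
  </rule>

  <!-- Outbound DNS: the query goes out to udp/53, the resolver's answer
       comes back from udp/53, so both directions are stated explicitly. -->
  <rule action='accept' direction='out' priority='200'>
    <udp dstportstart='53'/>
  </rule>
  <rule action='accept' direction='in' priority='201'>
    <udp srcportstart='53'/>
  </rule>

  <!-- Default deny: rules with a higher priority number are evaluated
       later, so anything not accepted above is dropped here. -->
  <rule action='drop' direction='inout' priority='1000'>
    <all/>
  </rule>
</filter>
```

After defining the filter, the generated rules can be inspected on the host with `iptables -L -n -v` and `ebtables -t nat -L` to confirm that a rule exists for each direction of the flow.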
