[libvirt-users] Networkfilters in Routed setup

h0rst h0rst at localh0rst.de
Tue Feb 18 13:31:25 UTC 2014


On Di, 2014-02-18 at 12:03 +0200, Laine Stump wrote:

> You *really* should upgrade to a newer libvirt.

I know that version 0.9.8 is very old. But to be honest I tried to avoid upgrading and compiling a newer version since I don't know if it has any effects on running VMs (but I haven't checked this yet).
It's a production server and I did not want to interrupt any services running on these VMs. However, I'm afraid that upgrading might be the only option if I want to avoid setting up iptables manually.

> Those previous two rules are the ones added when you specify a forward
> dev. You don't need to do that - I would recommend removing the
> "dev='eth0'" from the <forward> element of the network, along with the
> "<interface dev='eth0'/>" subelement. This won't change operation at
> all, it will just make things slightly less confusing and misleading.

Thank you for pointing this out. I just did that. And after a reboot everything is still working as expected (yes, I just DID interrupt the services running in my VMs. So I guess I could even upgrade to a newer libvirt =) )

> >
> > -A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
> >
> > which should trigger the following rules:
> >
> > -A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
> > -A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT
> > 
> > But this actually never happens. The FO-vnetX Chain never sees any packets and my syslog says:
> >
> > xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore

> That somehow sounded familiar, so I looked it up in the git history and
> found this:
> 
> http://libvirt.org/git/?p=libvirt.git;a=commit;h=65fb9d49cc9caae210977934b53d87e56429407b
> 
> That patch was included in libvirt-1.0.2, just about a year ago.

After reading that I removed the following iptables rule:

iptables -D libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX

and manually added this rule (the patch said that an extra argument, --physdev-is-bridged, is needed for rules like this):

iptables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnetX -g FO-vnetX

Indeed this prevents my syslog from being spammed with the mentioned warning. However, this did not fix the problem. This rule never matches anything, and thus the FO-vnetX chain never sees any packets. Using a testing rule like:

iptables -A libvirt-out -d 1.2.3.70 -g FO-vnetX

made everything work as expected. Well, this is definitely not the way it is expected to work since it does not do any "bridge port" matching. This all makes me think it's not a libvirt specific problem and updating to a newer version will not fix my problem. Maybe there is somebody out there using a setup like mine who can show me the rules that are getting created with a newer version of libvirt?

So long, thank you for all the useful information!

Kind regards,
Sebastian
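The two symptoms in this message (a physdev-out rule that lacks --physdev-is-bridged, and an FO-vnetX chain whose counters never move) can be checked from rule dumps rather than by watching syslog. The script below is an added example, not code from the thread or from libvirt: it parses constructed text shaped like `iptables -S libvirt-out` and `iptables -L FO-vnetX -v -n -x` output. The chain and interface names (libvirt-out, FO-vnetX, vnetX) and the address 1.2.3.70 are the ones used in the thread; vnetY/FO-vnetY and all counter values are made up for the sample.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an iptables rule dump for
# --physdev-out matches that lack --physdev-is-bridged, and report whether a
# filter chain has ever seen a packet. On a real host, feed it the output of
# `iptables -S libvirt-out` and `iptables -L FO-vnetX -v -n -x` instead of the
# constructed samples below.

# Constructed sample of `iptables -S libvirt-out` (one rule per line).
SAMPLE_RULES='-N libvirt-out
-A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
-A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnetY -g FO-vnetY
-A libvirt-out -d 1.2.3.70/32 -g FO-vnetX'

# Constructed sample of `iptables -L FO-vnetX -v -n -x` (chain with counters).
SAMPLE_COUNTERS='Chain FO-vnetX (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW'

# Print every rule that uses --physdev-out without --physdev-is-bridged.
# Such a rule triggers the xt_physdev warning quoted in the thread and, for
# routed (non-bridged) traffic, never matches.
find_unbridged_physdev_out() {
    printf '%s\n' "$1" | grep -- '--physdev-out' | grep -v -- '--physdev-is-bridged'
}

# Count how many rules in the dump have that problem (0 when none).
count_unbridged_physdev_out() {
    n=$(find_unbridged_physdev_out "$1" | grep -c . || true)
    echo "$n"
}

# Sum the pkts column of an `iptables -L -v -n -x` listing. The first two
# lines are the chain banner and the column header; a total of 0 means the
# chain has never seen a packet, which is the symptom reported above.
chain_packet_total() {
    printf '%s\n' "$1" | awk 'NR > 2 { total += $1 } END { print total + 0 }'
}

# Stand-alone run over the constructed samples.
echo "rules using --physdev-out without --physdev-is-bridged:"
find_unbridged_physdev_out "$SAMPLE_RULES"
echo "count: $(count_unbridged_physdev_out "$SAMPLE_RULES")"
echo "packets seen by FO-vnetX: $(chain_packet_total "$SAMPLE_COUNTERS")"
```

A zero packet total on FO-vnetX together with a flagged physdev-out rule points at the rule never matching, as in the message; a zero total with no flagged rule suggests the traffic is not taking the path the rule expects at all (the testing rule matching on -d 1.2.3.70 is one way to confirm that, as the author did).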
