[fedora-virt] Guest networking problem

Justin M. Forbes jmforbes at linuxtx.org
Thu Apr 22 12:35:31 UTC 2010


On Thu, 2010-04-22 at 13:14 +0100, Adam Huffman wrote:
> On Thu, Apr 22, 2010 at 12:41 PM, Dor Laor <dlaor at redhat.com> wrote:
> > On 04/22/2010 12:45 PM, Adam Huffman wrote:
> >>
> >> On Thu, Apr 1, 2010 at 10:18 AM, Dor Laor<dlaor at redhat.com>  wrote:
> >>>
> >>> On 03/31/2010 07:06 PM, Adam Huffman wrote:
> >>>>
> >>>> On Wed, Mar 31, 2010 at 11:31 AM, Tom Horsley<horsley1953 at gmail.com>
> >>>>  wrote:
> >>>>>
> >>>>> On Wed, 31 Mar 2010 10:02:17 +0000
> >>>>> Adam Huffman wrote:
> >>>>>
> >>>>>> Is there a way of turning on extra logging to try and see what is (or
> >>>>>> isn't) happening?
> >>>
> >>> What's the NIC type used? rtl/e1000/virtio (driver ver?)?
> >>>
> >>
> >> It's using the default - Realtek.
> >>
> >>>>>
> >>>>> I had similar stuff happen to machines I run due to the hopeless
> >>>>> timekeeping in virtual machines. The clock gets so far off in
> >>>>> the guest that it doesn't bother to renew the lease at what
> >>>>> the host thinks is the scheduled time (or vice versa, I forget
> >>>>> which way the time was drifting).
> >>>
> >>> What's the guest? For winXp you should use the -rtc driftfix=slew
> >>>
> >>
> >> It is XP, though I'm not sure this is the cause - the clock time isn't
> >> skewed too badly.
> >>
> >> It appears to be related to iptables.  If I add some rules to permit
> >> access to Samba on the host, the guest networking fails.  Is there an
> >> "approved" way of permitting such Samba access?
> >
> > How do you do it? There is no reason for it to fail
> >
> This is what I tried:
> 
> # Second attempt at local VM Samba access
> #-A INPUT -s 192.168.122.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
> #-A INPUT -s 192.168.122.0/24 -i vnet0 -p udp -m udp --dport 137:139 -j ACCEPT
> #-A INPUT -s 192.168.122.0/24 -i vnet0 -p tcp -m tcp --dport 137:139 -j ACCEPT
> 
> When I uncommented and applied them, the guest lost its IP address.
> Happy to try other suggestions...

libvirt has no sane way of integrating with iptables.

We previously tried using lokkit, but if the user had configured
iptables manually (i.e. without lokkit) we'd end up clobbering their
rules.

We simply need a way to say to iptables "we've added these rules, please
load them when you restart" without overwriting the current
configuration. We also need lokkit/system-config-firewall to not
overwrite these rules when the user modifies the configuration.

The whole sorry saga is well documented in bug #227011:
https://bugzilla.redhat.com/show_bug.cgi?id=227011

Justin




