[fedora-virt] Libvirt integration with firewalld

Daniel P. Berrange berrange at redhat.com
Tue May 5 13:36:48 UTC 2015


On Mon, May 04, 2015 at 09:24:45PM -0500, Dan Mossor wrote:
> Is there any work underway to get the libvirt firewall tools ported to
> firewalld? I've been seeing this since F21, but it seems to have gotten
> worse on F22. Every time I boot the system or restart firewalld.service, I
> get a lot of errors from the libvirt rules pumped into the journal. These
> errors imply that the firewall isn't really being configured properly for
> virtual machines on the host.

Libvirt is already ported to use firewalld. The problem is that the firewalld
API gives libvirt no way to tell firewalld that certain commands are
*expected* to fail and that is ok. Firewalld just blindly logs all errors
in its log file, regardless of whether the application using firewalld
actually considers them to be errors. This is why you end up with all these
error messages about --delete commands failing.

> May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR:
> COMMAND_FAILED: '/sbin/iptables -w -w --table mangle --delete POSTROUTING
> --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM
> --checksum-fill' failed: iptables: No chain/target/match by that name.
> May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR:

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
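One way to separate the expected --delete noise from genuine failures when reading the firewalld journal, as an added Python example that is not libvirt's or firewalld's own code. The sample lines are constructed after the COMMAND_FAILED format quoted above (host name, PID and the third command are made up), and the rule that a cleanup --delete on a virbr* bridge whose rule is already gone counts as expected is this example's own assumption, taken from the explanation in the reply.

```python
import re
import shlex

# Constructed sample journal lines in the firewalld COMMAND_FAILED format
# quoted in the thread; host name, PID and the third command are made up.
SAMPLE_JOURNAL = """\
May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --insert FORWARD --out-interface virbr0 --jump ACCEPT' failed: iptables: No chain/target/match by that name.
"""

# firewalld logs the failed command in single quotes followed by the tool's error.
LINE_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']*)' failed: (?P<err>.*)$")

# iptables replies that mean "the rule you asked me to delete is not there".
NOT_PRESENT_ERRORS = (
    "No chain/target/match by that name.",
    "Bad rule (does a matching rule exist in that chain?).",
)

def is_expected_failure(cmd: str, err: str) -> bool:
    """Assumed rule: a libvirt cleanup --delete on a virbr* bridge whose rule
    is already gone is harmless; anything else is a real configuration error."""
    argv = shlex.split(cmd)
    if not argv or not argv[0].endswith(("iptables", "ip6tables", "ebtables")):
        return False
    deleting = "--delete" in argv or "-D" in argv
    on_libvirt_bridge = any(a.startswith("virbr") for a in argv)
    rule_absent = any(err.strip().endswith(e) for e in NOT_PRESENT_ERRORS)
    return deleting and on_libvirt_bridge and rule_absent

def triage(journal_text: str) -> list:
    """Classify each COMMAND_FAILED line as 'expected' noise or 'real'."""
    results = []
    for line in journal_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewalld command failure line
        cmd, err = m.group("cmd"), m.group("err")
        verdict = "expected" if is_expected_failure(cmd, err) else "real"
        results.append({"cmd": cmd, "err": err, "verdict": verdict})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_JOURNAL):
        print(f"[{r['verdict']:8}] {r['cmd']}")
```

Feed it `journalctl -u firewalld` output and only the lines marked `real` need attention; the `expected` ones are the delete-before-insert cleanup the reply describes.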

