Hi All,
I noticed that if I turn on the libvirtd service via chkconfig it ends up breaking my iptables by adding duplicated rules.
For you to have an idea here's the output of iptables-save -c after a reboot with libvirtd off:
# Generated by iptables-save v1.4.5 on Mon Jan 25 19:34:39 2010
*nat
:PREROUTING ACCEPT [21:7584]
:POSTROUTING ACCEPT [21:1673]
:OUTPUT ACCEPT [21:1673]
[0:0] -A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.118
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Jan 25 19:34:39 2010
# Generated by iptables-save v1.4.5 on Mon Jan 25 19:34:39 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [105:11066]
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
[41:23909] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p icmp -j ACCEPT
[2:120] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 11201 -j ACCEPT
[36:6884] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 25 19:34:39 2010
and this is the output of the same command after a reboot with libvirtd on:
# Generated by iptables-save v1.4.5 on Mon Jan 25 19:46:03 2010
*nat
:PREROUTING ACCEPT [6:965]
:POSTROUTING ACCEPT [50:3703]
:OUTPUT ACCEPT [52:4038]
[0:0] -A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.118
[1:295] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
[1:40] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Jan 25 19:46:03 2010
# Generated by iptables-save v1.4.5 on Mon Jan 25 19:46:03 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [338:37036]
[1:74] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[1:328] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
[190:99034] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p icmp -j ACCEPT
[2:120] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 11201 -j ACCEPT
[78:13517] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 25 19:46:03 2010
As you can see, when the libvirtd daemon is up I end up with a number of duplicated entries ...
This is the content of /etc/sysconfig/iptables in both cases:
# Generated by iptables-save v1.4.5 on Thu Jan 21 19:54:46 2010
*nat
:PREROUTING ACCEPT [24306:3491836]
:POSTROUTING ACCEPT [17614:1213585]
:OUTPUT ACCEPT [16779:1092505]
-A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.118
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jan 21 19:54:46 2010
# Generated by iptables-save v1.4.5 on Thu Jan 21 19:54:46 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [544711:383016639]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT
-A INPUT -p udp -m udp --dport 11201 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jan 21 19:54:46 2010
Has anyone experienced this? Is there another file that libvirtd uses to manipulate iptables?
Thanks in advance,
Daniel
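A small checker for the symptom in the message above, added here as an example and not part of the thread: it parses iptables-save -c output, flags rules loaded more than once into the same chain, and flags rules shadowed by an earlier terminating rule. The sample input is constructed to mirror the libvirtd-on capture, where libvirt's "-o virbr0 -j REJECT" now sits ahead of the user's "-i wlan0 -o virbr0 ... --dport 80 -j ACCEPT", so that forward rule can never match.

```python
import re

# Constructed iptables-save -c excerpt shaped like the thread's "libvirtd on"
# capture: libvirt's FORWARD rules are loaded twice, ahead of the user's own.
SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal of a chain

def parse_rules(text):
    """Yield (table, chain, match_tokens, target) for every -A line."""
    table = None
    for line in text.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", line.strip())  # drop [pkts:bytes]
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            parts = line.split()
            j = parts.index("-j") if "-j" in parts else len(parts)
            target = parts[j + 1] if j + 1 < len(parts) else None
            yield table, parts[1], tuple(parts[2:j]), target

def match_set(tokens):
    """('-s','x','!','-d','y') -> {'-s x', '!-d y'}; order-independent, value-less flags ignored."""
    joined = " ".join(tokens).replace("! ", "!")
    return set(re.findall(r"!?-[-\w]+ [^\s-]\S*", joined))

def audit_chain_rules(text):
    """Rules duplicating an earlier rule, or shadowed by an earlier terminating rule (token-subset check)."""
    seen, findings = {}, []
    for table, chain, tokens, target in parse_rules(text):
        ms, rule = match_set(tokens), f"{table}/{chain}: {' '.join(tokens)} -j {target}"
        earlier = seen.setdefault((table, chain), [])
        if any(e == ms and t == target for e, t in earlier):
            findings.append(("duplicate", rule))
        elif any(e <= ms for e, t in earlier if t in TERMINAL):  # heuristic, not full match analysis
            findings.append(("shadowed", rule))
        earlier.append((ms, target))
    return findings

if __name__ == "__main__":
    for reason, rule in audit_chain_rules(SAMPLE):
        print(f"{reason:9} {rule}")
```

Run it against real output with `iptables-save -c | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`; the subset check is a heuristic and does not reason about overlapping address ranges or value-less flags such as --syn.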
On Mon, 25 Jan 2010 19:58:05 +0000 Daniel Sanabria wrote:
Has anyone experienced this? Is there another file that libvirtd uses to manipulate iptables?
As near as I can tell, libvirtd just always installs the rules it thinks it needs to run its "default" network. I get rid of the default network like so:
virsh net-destroy default
virsh net-undefine default
and the next time I boot, the nasty iptables and dnsmasq stuff doesn't start (of course, you can't use the default network for virtual machines either, but I like to use my own bridge definition for the network, so I'm OK with that).
On Mon, Jan 25, 2010 at 07:58:05PM +0000, Daniel Sanabria wrote:
Hi All,
I noticed that if I turn on the libvirtd service via chkconfig it ends up breaking my iptables by adding duplicated rules.
Has anyone experienced this? Is there another file that libvirtd uses to manipulate iptables?
libvirt has no sane way of integrating with iptables.
We simply need a way to say to iptables "we've added these rules, please load them when you restart" without overwriting the current configuration. We also need lokkit/system-config-firewall to not overwrite these rules when the user modifies the configuration.
The whole sorry saga is well documented in bug #227011
Justin
Thanks Tom, Justin,
Bug #227011 explains what I'm experiencing.
This technology has great potential to be used in mission-critical systems, but issues like this one might be holding back its success.
I hope a suitable solution can be found soon ...
Thanks again,
Daniel