1:58 p.m.
Hi All,
I noticed that if I turn on the libvirtd service via chkconfig it ends up
breaking my iptables by adding duplicated rules.
For you to have an idea here's the output of iptables-save -c after a reboot
with libvirtd off:
# Generated by iptables-save v1.4.5 on Mon Jan 25 19:34:39 2010
*nat
:PREROUTING ACCEPT [21:7584]
:POSTROUTING ACCEPT [21:1673]
:OUTPUT ACCEPT [21:1673]
[0:0] -A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 192.168.122.118
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Jan 25 19:34:39 2010
# Generated by iptables-save v1.4.5 on Mon Jan 25 19:34:39 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [105:11066]
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
[41:23909] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p icmp -j ACCEPT
[2:120] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 11201 -j ACCEPT
[36:6884] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state
RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 25 19:34:39 2010
and this is the output of the same command after a reboot with libvirtd on:
# Generated by iptables-save v1.4.5 on Mon Jan 25 19:46:03 2010
*nat
:PREROUTING ACCEPT [6:965]
:POSTROUTING ACCEPT [50:3703]
:OUTPUT ACCEPT [52:4038]
[0:0] -A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 192.168.122.118
[1:295] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j
MASQUERADE
[1:40] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j
MASQUERADE
COMMIT
# Completed on Mon Jan 25 19:46:03 2010
# Generated by iptables-save v1.4.5 on Mon Jan 25 19:46:03 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [338:37036]
[1:74] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[1:328] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
[190:99034] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p icmp -j ACCEPT
[2:120] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 11201 -j ACCEPT
[78:13517] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state
RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state
RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 25 19:46:03 2010
As you can see when the libvirtd daemon is up I end up with a number of
duplicated entries ...
this is then content of /etc/sysconfig/iptables in both cases:
# Generated by iptables-save v1.4.5 on Thu Jan 21 19:54:46 2010
*nat
:PREROUTING ACCEPT [24306:3491836]
:POSTROUTING ACCEPT [17614:1213585]
:OUTPUT ACCEPT [16779:1092505]
-A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 192.168.122.118
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jan 21 19:54:46 2010
# Generated by iptables-save v1.4.5 on Thu Jan 21 19:54:46 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [544711:383016639]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT
-A INPUT -p udp -m udp --dport 11201 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state
RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jan 21 19:54:46 2010
Has anyone experienced this? Is there another file that libvirtd uses to
manipulate iptables?
Thanks in advance,
Daniel
4:26 p.m.
On Mon, 25 Jan 2010 19:58:05 +0000
Daniel Sanabria wrote:
Has anyone experienced this? Is there another file that libvirtd uses
to
manipulate iptables?
As near as I can tell, libvirtd just always installs the rules
it thinks it needs to run its "default" network. I get rid of the
default network like so:
virsh net-destroy default
virsh net-undefine default
and the next time I boot, the nasty iptables and dnsmasq stuff
doesn't start (of course, you can't use the default network
for virtual machines either, but I like to use my own
bridge definition for the network, so I'm OK with that).
4:46 p.m.
On Mon, Jan 25, 2010 at 07:58:05PM +0000, Daniel Sanabria wrote:
Hi All,
I noticed that if I turn on the libvirtd service via chkconfig it ends up
breaking my iptables by adding duplicated rules.
Has anyone experienced this? Is there another file that libvirtd uses to
manipulate iptables?
libvirt has no sane was of integrating with iptables
We simply need a way to say to iptables "we've added these rules, please
load them when you restart" without overwriting the current configuration.
We also need lokkit/system-config-firewall to not overwrite these rules when
the user modifies the configuration.
The whole sorry saga is well documented in bug #227011
Justin
3:21 p.m.
Thanks Tom, Justin,
Bug #227011 explains what I'm experiencing.
This technology has great potential to be used in mission-critical systems,
but issues like this one might be holding back its success.
I hope a suitable solution can be found soon ...
Thanks again,
Daniel
2010/1/25 Justin M. Forbes <jmforbes(a)linuxtx.org>
On Mon, Jan 25, 2010 at 07:58:05PM +0000, Daniel Sanabria wrote:
> Hi All,
>
> I noticed that if I turn on the libvirtd service via chkconfig it ends up
> breaking my iptables by adding duplicated rules.
>
>
> Has anyone experienced this? Is there another file that libvirtd uses to
> manipulate iptables?
>
libvirt has no sane was of integrating with iptables
We simply need a way to say to iptables "we've added these rules, please
load them when you restart" without overwriting the current configuration.
We also need lokkit/system-config-firewall to not overwrite these rules
when
the user modifies the configuration.
The whole sorry saga is well documented in bug #227011
Justin
5197
days inactive
5198
days old
3 comments
3 participants
participants (3)
-
Daniel Sanabria -
Justin Forbes -
Tom Horsley