[fedora-virt] Guest networking problem

Adam Huffman adam.huffman at gmail.com
Thu Apr 22 14:36:55 UTC 2010


On Thu, Apr 22, 2010 at 1:35 PM, Justin M. Forbes <jmforbes at linuxtx.org> wrote:
> On Thu, 2010-04-22 at 13:14 +0100, Adam Huffman wrote:
>> On Thu, Apr 22, 2010 at 12:41 PM, Dor Laor <dlaor at redhat.com> wrote:
>> > On 04/22/2010 12:45 PM, Adam Huffman wrote:
>> >>
>> >> On Thu, Apr 1, 2010 at 10:18 AM, Dor Laor <dlaor at redhat.com> wrote:
>> >>>
>> >>> On 03/31/2010 07:06 PM, Adam Huffman wrote:
>> >>>>
>> >>>> On Wed, Mar 31, 2010 at 11:31 AM, Tom Horsley <horsley1953 at gmail.com> wrote:
>> >>>>>
>> >>>>> On Wed, 31 Mar 2010 10:02:17 +0000
>> >>>>> Adam Huffman wrote:
>> >>>>>
>> >>>>>> Is there a way of turning on extra logging to try and see what is (or
>> >>>>>> isn't) happening?
>> >>>
>> >>> What's the NIC type used? rtl/e1000/virtio (driver ver?)?
>> >>>
>> >>
>> >> It's using the default - Realtek.
>> >>
>> >>>>>
>> >>>>> I had similar stuff happen to machines I run due to the hopeless
>> >>>>> timekeeping in virtual machines. The clock gets so far off in
>> >>>>> the guest that it doesn't bother to renew the lease at what
>> >>>>> the host thinks is the scheduled time (or vice versa, I forget
>> >>>>> which way the time was drifting).
>> >>>
>> >>> What's the guest? For winXp you should use the -rtc driftfix=slew
>> >>>
>> >>
>> >> It is XP, though I'm not sure this is the cause - the clock time isn't
>> >> skewed too badly.
>> >>
>> >> It appears to be related to iptables.  If I add some rules to permit
>> >> access to Samba on the host, the guest networking fails.  Is there an
>> >> "approved" way of permitting such Samba access?
>> >
>> > How do you do it? There is no reason for it to fail
>> >
>> This is what I tried:
>>
>> # Second attempt at local VM Samba access
>> #-A INPUT -s 192.168.122.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
>> #-A INPUT -s 192.168.122.0/24 -i vnet0 -p udp -m udp --dport 137:139 -j ACCEPT
>> #-A INPUT -s 192.168.122.0/24 -i vnet0 -p tcp -m tcp --dport 137:139 -j ACCEPT
>>
>> When I uncommented and applied them, the guest lost its IP address.
>> Happy to try other suggestions...
>
> libvirt has no sane way of integrating with iptables
>
> We previously tried using lokkit, but if the user had configured
> iptables manually (i.e. without lokkit) we'd end up clobbering their
> rules
>
> We simply need a way to say to iptables "we've added these rules, please
> load them when you restart" without overwriting the current
> configuration. We also need lokkit/system-config-firewall to not
> overwrite these rules when the user modifies the configuration
>
> The whole sorry saga is well documented in bug #227011:
> https://bugzilla.redhat.com/show_bug.cgi?id=227011
>
> Justin
>

In the meantime, any guidance on how I can do this manually would be
greatly appreciated...

Adam

