Aleksander Trofimowicz
2010-Jun-17 15:01 UTC
[libvirt-users] network interface management in bridge firewall configuration
Hello,

I'm just wondering why I can't manage my network interfaces through libvirt when the following kernel parameters are turned on:

net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-arptables

Is it a bug or by design? If the latter, could someone explain to me the premises of such a decision? I'm aware of the security implications of mixing conntrack and bridge bits, so we can skip that point.

This behaviour is noticeable when using:

libvirt-0.8.1-1.fc13.x86_64
netcf-libs-0.1.6-1.fc13.x86_64

--
thanks,
aleksander trofimowicz
Laine Stump
2010-Jun-27 15:28 UTC
[libvirt-users] network interface management in bridge firewall configuration
On 06/17/2010 11:01 AM, Aleksander Trofimowicz wrote:
> Hello,
>
> I'm just wondering why I can't manage my network interfaces through
> libvirt when the following kernel parameters are turned on:
>
> net.bridge.bridge-nf-call-ip6tables
> net.bridge.bridge-nf-call-iptables
> net.bridge.bridge-nf-call-arptables
>
> Is it a bug or by design?

There should be no problems with this. The only place any of these are used in netcf is that net.bridge.bridge-nf-call-iptables is checked at one point, and if it's set to 1, an attempt is made to assure traffic can pass through all the bridges by parsing /etc/sysconfig/iptables and adding appropriate rules (see the function bridge_physdevs() in netcf if you're into looking at source code).

One thing that has shown up recently is that when bridge-nf-call-iptables is 1, if /etc/sysconfig/iptables is empty or malformed, netcf will fail to initialize. There have been a couple of bugs filed against RHEL for this, but they haven't yet been cloned upstream.

Just to verify this is actually the problem, can you check your /etc/sysconfig/iptables to see if it is 0 length (and if so, put some basic rules in and try again)?
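As an added example (not part of the thread, and not netcf's own code), a small POSIX sh check for the condition Laine describes: bridge-nf-call-iptables set to 1 while /etc/sysconfig/iptables is empty or malformed. The sysctl and rules-file paths are parameters so it can be run against constructed sample files; treating "malformed" as a `*table` header without a matching `COMMIT` is an assumption about iptables-save format, not a description of netcf's parser.

```shell
#!/bin/sh
# Added example: detect the netcf failure mode discussed above, i.e.
# bridge-nf-call-iptables=1 combined with an empty or malformed
# /etc/sysconfig/iptables. Paths are parameters so it runs on sample files.

# Return 0 if an iptables-save style file looks structurally valid:
# non-empty, at least one "*<table>" header, one COMMIT per table header.
# (Assumption about the format; netcf's real parser may be stricter.)
iptables_file_ok() {
    f="$1"
    [ -s "$f" ] || return 1                      # missing or zero length
    tables=$(grep -c '^\*[a-z]' "$f" || true)    # "*filter", "*nat", ...
    commits=$(grep -c '^COMMIT' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Return 0 when netcf's bridge_physdevs() path cannot hit the bad case,
# 1 when bridge-nf-call-iptables=1 and the rules file is empty/malformed.
check_netcf_bridge_nf() {
    sysctl_file="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    rules_file="${2:-/etc/sysconfig/iptables}"
    if [ ! -r "$sysctl_file" ]; then
        echo "no $sysctl_file (bridge netfilter hooks unavailable); $rules_file is not consulted"
        return 0
    fi
    nf=$(cat "$sysctl_file")
    if [ "$nf" != "1" ]; then
        echo "bridge-nf-call-iptables=$nf; $rules_file is not consulted"
        return 0
    fi
    if iptables_file_ok "$rules_file"; then
        echo "bridge-nf-call-iptables=1 and $rules_file looks well-formed"
        return 0
    fi
    echo "bridge-nf-call-iptables=1 but $rules_file is empty or malformed: netcf may fail to initialize"
    return 1
}
```

Run with no arguments to check the live host; run with two arguments to check a saved sysctl value and rules file.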