libvirt users - Sep 2012 - Inconsistent iptables forwarding rules for virtual networks?

Hi everyone.

Those are the iptables forwarding rules associated with the two virtual networks
on my machine:

-----------------------------------------------------------------------------------------
-A FORWARD -d 192.168.100.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j
ACCEPT
-A FORWARD -s 192.168.100.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j
ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-----------------------------------------------------------------------------------------

Using this setup I can ping from a guest on 192.168.100.0/24 to a guest on 
192.168.122.0/24, however the reverse is not possible (I get 'port
unreachable'
icmp messages).  This is caused by the fourth rule, which rejects packets 
forwarded to virbr1.

Moving the fourth rule to the end, obviously eliminates this problem.

So, is this default setup intentional for some reason, or should the rules just 
be rearranged by libvirt, so that any rule on the FORWARD chain which has a 
REJECT target (which reject forwarding "to" some virtual interface)
would go to
the end of the chain, and thus, allowing the virtual networks to reach each 
other by default?

Thanks.


	Marwan

Hi Marwan,
I remember libvirt has a similar bug, but I forgot bug number, Laine can help
confirm this, could you provide your libvirt version? thanks.

-- 
Regards,     
Alex


----- Original Message -----
From: "Marwan Tanager" <marwan.tngr at gmail.com>
To: libvirt-users at redhat.com
Sent: Wednesday, September 26, 2012 11:18:35 AM
Subject: [libvirt-users] Inconsistent iptables forwarding rules for virtual
networks?

Hi everyone.

Those are the iptables forwarding rules associated with the two virtual networks
on my machine:

-----------------------------------------------------------------------------------------
-A FORWARD -d 192.168.100.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j
ACCEPT
-A FORWARD -s 192.168.100.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j
ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-----------------------------------------------------------------------------------------

Using this setup I can ping from a guest on 192.168.100.0/24 to a guest on 
192.168.122.0/24, however the reverse is not possible (I get 'port
unreachable'
icmp messages).  This is caused by the fourth rule, which rejects packets 
forwarded to virbr1.

Moving the fourth rule to the end, obviously eliminates this problem.

So, is this default setup intentional for some reason, or should the rules just 
be rearranged by libvirt, so that any rule on the FORWARD chain which has a 
REJECT target (which reject forwarding "to" some virtual interface)
would go to
the end of the chain, and thus, allowing the virtual networks to reach each 
other by default?

Thanks.


	Marwan

_______________________________________________
libvirt-users mailing list
libvirt-users at redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users