Patrick Chemla
2014-Mar-05 15:14 UTC
[libvirt-users] fedora 19 + libvirt-1.0.5.9 routing problems
Hi,

I am an experienced libvirt user on Fedora versions from F15 to F17.

I have developed scripts to route traffic from outside on multiple interfaces/multiple IPs to multiple VMs, and back, to assign each VM the required external IP address.

I have servers with more than hundreds of external IPs, and up to 4 VMs, each of them routing traffic on different external IPs.

I have servers with Fedora F17 which work very well with this.

Now libvirt-1.0.5.9 comes to Fedora 19 with many default iptables rules that prevent me from using my scripts.

So I put the right rules in /etc/libvirt/hooks/qemu to get traffic to my VMs, but I can't send traffic back to the outside with the right external IP.

The -j SNAT --to-source or -j MASQUERADE rules don't work, they are ignored, and I don't see any packets going through these rules in iptables -tnat -L POSTROUTING.

I used tcpdump to trace packets on the physical server on the virbr0 interface and on the eth0 interface. I see the packets on the outgoing route.

But the outgoing packets are presented to the external interface with the internal address 10.0.0.x instead of the address specified in the -j SNAT rule.

Am I the only one in this case?

Could somebody help?

Thanks
Patrick

Patrick Chemla
2014-Mar-05 15:48 UTC
Re: [libvirt-users] fedora 19 + libvirt-1.0.5.9 routing problems
Hi,

I Googled a little more and found that firewalld has created the basic rules on fc19.

Does someone use libvirt with many VMs on many external IPs with firewalld?

Would you advise removing firewalld and working with my own scripts?

Thanks
Patrick

On 5 March 2014 17:14:27 GMT+02:00, Patrick Chemla <patrick.chemla@performance-managers.com> wrote:
> Hi,
>
> I am an experienced libvirt user on Fedora versions from F15 to F17.
>
> I have developed scripts to route traffic from outside on multiple
> interfaces/multiple IPs to multiple VMs, and back, to assign each VM
> the required external IP address.
>
> I have servers with more than hundreds of external IPs, and up to 4 VMs,
> each of them routing traffic on different external IPs.
>
> I have servers with Fedora F17 which work very well with this.
>
> Now libvirt-1.0.5.9 comes to Fedora 19 with many default iptables rules
> that prevent me from using my scripts.
>
> So I put the right rules in /etc/libvirt/hooks/qemu to get traffic to
> my VMs, but I can't send traffic back to the outside with the right
> external IP.
>
> The -j SNAT --to-source or -j MASQUERADE rules don't work, they are
> ignored, and I don't see any packets going through these rules in
> iptables -tnat -L POSTROUTING.
>
> I used tcpdump to trace packets on the physical server on the virbr0
> interface and on the eth0 interface. I see the packets on the outgoing
> route.
>
> But the outgoing packets are presented to the external interface with
> the internal address 10.0.0.x instead of the address specified in the
> -j SNAT rule.
>
> Am I the only one in this case?
>
> Could somebody help?
>
> Thanks
> Patrick

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.