On 9/2/19 10:31 AM, Francesc Guasch wrote:
> Hi. First of all thank you for the work you are doing with libvirt.
> I am not sure this is the right place to ask, I'd appreciate
> if you can give me any hint or directions.
>
> I have several similar KVM Linux boxes and one of them has a really
> strange behavior with the KVM NAT: it just suddenly stops
> working.
>
> This is a Linux Ubuntu Server 19.04 with
>  - libvirt-bin 4.0.0
>  - qemu-kvm 1:2.11
>
> Everything works fine and then suddenly the virtual machines
> can't reach outside. If I run a tcpdump in the host I see
> the NAT isn't working.
>
> When the server just boots I can see the packets with the
> server address going out:
>
>     x.y.z.w.49138 > 8.8.8.8.53
>
> Then, it may be some hours or days later, instead of the server
> address I see the internal domain's address:
>
>     192.168.122.33.19132 > 8.8.8.8.53
>     ^^^^^^^^^^^^^^
>
> I try to restart the iptables but it won't help.
>
> Any hints? Thank you very much
1) On a freshly booted machine with running clients connected to
libvirt's default network (and successfully sending/receiving traffic,
of course :-), get a dump of all active iptables rules with

   iptables-save >iptables-working.txt

2) At whatever later time when you notice that the NAT is no longer
working properly, get another dump of all the rules with

   iptables-save >iptables-broken.txt

and compare those two files to see what has changed.
Most likely some other piece of software (a firewall management utility
maybe?) has loaded a new rule that takes precedence over one of the
rules added by libvirt.
If seeing the rule that was added doesn't point you at the culprit, you
can see if restarting libvirtd will fix your problem - whenever libvirtd
is restarted, all iptables rules associated with libvirt's virtual
networks are reloaded (which will put them back at the beginning of the
chain, thus fixing any broken precedence).
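The comparison suggested in the reply, as an added example that is not part of the thread and not libvirt's own code: it normalizes two iptables-save dumps (dropping the per-run timestamp comments and any packet counters), lists rules that appeared or disappeared, and shows which rules the kernel now evaluates ahead of libvirt's MASQUERADE rule in nat POSTROUTING. Both dumps are constructed samples that only approximate libvirt's default-network rules; the interface name eth0 and the foreign ACCEPT rule in the "broken" dump are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or libvirt): diff two iptables-save
# dumps and flag rules that run before libvirt's MASQUERADE rule.
LC_ALL=C
export LC_ALL

SAMPLE_DIR=$(mktemp -d)

# Constructed "working" dump, shaped like libvirt's rules for its default
# network (192.168.122.0/24). Only the nat table is shown, for brevity.
cat > "$SAMPLE_DIR/iptables-working.txt" <<'EOF'
# Generated by iptables-save on Mon Sep  2 10:00:00 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Sep  2 10:00:00 2019
EOF

# Constructed "broken" dump: same rules, but some other tool has inserted an
# ACCEPT at the top of nat POSTROUTING (eth0 is a made-up interface name).
# In the nat table ACCEPT ends chain traversal, so guest packets leave
# un-NATed with their 192.168.122.x source address, as in the tcpdump above.
cat > "$SAMPLE_DIR/iptables-broken.txt" <<'EOF'
# Generated by iptables-save on Wed Sep  4 03:12:45 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j ACCEPT
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Sep  4 03:12:45 2019
EOF

# Drop iptables-save's timestamp comments and any leading [pkts:bytes]
# counters (present with iptables-save -c) so only rule content is compared.
normalize_dump() {
    grep -v '^#' "$1" | sed 's/^\[[0-9]*:[0-9]*\] //'
}

# Lines present in the second dump but not in the first.
added_rules() {
    _tmp_a=$(mktemp); _tmp_b=$(mktemp)
    normalize_dump "$1" | sort > "$_tmp_a"
    normalize_dump "$2" | sort > "$_tmp_b"
    comm -13 "$_tmp_a" "$_tmp_b"
    rm -f "$_tmp_a" "$_tmp_b"
}

# Lines present in the first dump but not in the second.
removed_rules() {
    added_rules "$2" "$1"
}

# Rules of one chain in one table, in the order the kernel evaluates them:
# chain_rules <dump> <table> <chain>
chain_rules() {
    awk -v tbl="*$2" -v ch="$3" '
        /^\*/ { in_table = ($0 == tbl); next }
        in_table && $1 == "-A" && $2 == ch { print }
    ' "$1"
}

# Rules that run before libvirt's first MASQUERADE rule in nat POSTROUTING.
# Anything here other than libvirt's own RETURN rules is a candidate culprit.
rules_before_masquerade() {
    chain_rules "$1" nat POSTROUTING | awk '/-j MASQUERADE/ { exit } { print }'
}

count_rules_before_masquerade() {
    rules_before_masquerade "$1" | awk 'END { print NR }'
}

report_nat_drift() {
    echo "== rules added between $1 and $2 =="
    added_rules "$1" "$2"
    echo "== rules removed =="
    removed_rules "$1" "$2"
    echo "== nat POSTROUTING rules evaluated before libvirt's MASQUERADE in $2 =="
    rules_before_masquerade "$2"
}

report_nat_drift "$SAMPLE_DIR/iptables-working.txt" "$SAMPLE_DIR/iptables-broken.txt"
```

On a real host, replace the two sample paths with the iptables-working.txt and iptables-broken.txt files from the reply's steps. A plain diff of the raw files is noisy because the timestamp comments change on every run, which is why the dumps are normalized first; and since set membership alone misses a rule that was merely moved, the last section shows chain order, which is what decides precedence.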