vitoriung (Apprentice)
Joined: 21 May 2007; Posts: 158; Location: Prague, Czech Republic
Posted: Tue Feb 02, 2010 2:31 pm; Post subject: Libvirt overwrites the IPTABLES [solved]
I have the following problem: when starting libvirtd, it automatically creates the following rules in iptables:
Code:
# iptables -L -v -n
Chain INPUT (policy ACCEPT 4910 packets, 596K bytes)
 pkts bytes target prot opt in     out    source      destination
    0     0 ACCEPT udp  --  virbr0 *      0.0.0.0/0   0.0.0.0/0        udp dpt:53
    0     0 ACCEPT tcp  --  virbr0 *      0.0.0.0/0   0.0.0.0/0        tcp dpt:53
    0     0 ACCEPT udp  --  virbr0 *      0.0.0.0/0   0.0.0.0/0        udp dpt:67
    0     0 ACCEPT tcp  --  virbr0 *      0.0.0.0/0   0.0.0.0/0        tcp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in     out    source            destination
    0     0 ACCEPT all  --  *      virbr0 0.0.0.0/0         192.168.122.0/24 state RELATED,ESTABLISHED
    0     0 ACCEPT all  --  virbr0 *      192.168.122.0/24  0.0.0.0/0
    0     0 ACCEPT all  --  virbr0 virbr0 0.0.0.0/0         0.0.0.0/0
    0     0 REJECT all  --  *      virbr0 0.0.0.0/0         0.0.0.0/0        reject-with icmp-port-unreachable
    0     0 REJECT all  --  virbr0 *      0.0.0.0/0         0.0.0.0/0        reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 132 packets, 24523 bytes)
 pkts bytes target prot opt in     out    source      destination
I'd need to access the guests from the network and need to remove both REJECT lines from the config to do so. The only workaround I have at the moment is:
Code:
# iptables-restore < ~/rules.save
I have tried to put this into the init script for libvirtd, but even if I put it as a second command, it is overwritten by the daemon:
Code:
start() {
    ebegin "Starting libvirtd"
    start-stop-daemon --start --quiet --exec /usr/sbin/libvirtd -- -d ${LIBVIRTD_OPTS}
    eend $?
    ebegin "Changing the iptable rules"
    /sbin/iptables-restore < /root/rules.save.forward
    eend $?
}
Could I set it up so it changes those rules every time I start or restart the daemon?
The problem is I can't figure out which mechanism writes those rules; I only know they look into the file /etc/sysctl.conf:
Code:
net.ipv4.ip_forward = 1
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Enable reverse path
net.ipv4.conf.all.rp_filter = 1
Thanks for any advice.
Last edited by vitoriung on Wed Mar 17, 2010 7:02 pm; edited 1 time in total
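An added example, not from this thread or from libvirt, of a narrower fix than deleting the two REJECT rules: those rules are installed by libvirt's network driver each time the virbr0 NAT network starts (sysctl.conf only enables forwarding), so they come back on every restart, and they are also what keeps the NAT network isolated from the rest of the host's interfaces. The safer change is to keep them and insert, ahead of the first REJECT, a rule that admits only the one guest service that must be reachable. The POSIX sh below parses the `iptables -L -v -n` listing quoted above (embedded as a constructed sample) to find that rule's position and builds, but does not execute, the two commands a NAT network needs for inbound access: a FORWARD ACCEPT placed before the REJECT and a DNAT in the nat table's PREROUTING chain mapping a host port to the guest. The guest address 192.168.122.10, the host port 2222, the SSH port and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): locate libvirt's first REJECT rule in a
# chain from saved `iptables -L -v -n` output and build a narrowly scoped
# ACCEPT (plus the DNAT a NAT network needs) to insert ahead of it, instead of
# deleting the isolation rules libvirt will re-create anyway.

# Constructed sample: the listing from the first post, trimmed to what matters.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 4910 packets, 596K bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
    0     0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
    0     0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
    0     0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 132 packets, 24523 bytes)
 pkts bytes target prot opt in out source destination'

# first_reject_pos CHAIN LISTING -> 1-based index of the first REJECT rule in
# CHAIN (0 when the chain has none). Rule lines have the target in field 3.
first_reject_pos() {
    chain="$1"
    printf '%s\n' "$2" | awk -v chain="$chain" '
        $1 == "Chain" { in_chain = ($2 == chain); n = 0; next }
        in_chain && $1 == "pkts" { next }
        in_chain && NF > 0 { n++; if ($3 == "REJECT") { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

# forward_allow_cmd POS GUEST_IP PORT -> iptables command that admits only new
# TCP connections to one guest service, inserted at POS so it precedes the
# REJECT; replies keep using libvirt's RELATED,ESTABLISHED rule.
forward_allow_cmd() {
    printf 'iptables -I FORWARD %s -o virbr0 -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$1" "$2" "$3"
}

# dnat_cmd HOST_PORT GUEST_IP GUEST_PORT -> nat-table rule redirecting TCP
# connections that reach the host to the guest, which a NAT network needs
# because 192.168.122.0/24 is not routable from outside the host.
dnat_cmd() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$2" "$3"
}

# Stand-alone demo: compute the position and print (not run) the commands.
POS=$(first_reject_pos FORWARD "$SAMPLE_LISTING")
echo "first REJECT in FORWARD is rule #$POS"
forward_allow_cmd "$POS" 192.168.122.10 22   # assumed guest and service
dnat_cmd 2222 192.168.122.10 22              # assumed host port
```

Because libvirt re-creates its rules each time the network is (re)started, the printed commands have to run after the network is up (on libvirt versions that provide hook scripts, from a script under /etc/libvirt/hooks; on the setup in this thread, after `virsh net-start`), and a guard with `iptables -C` before each insert keeps repeated runs from adding duplicate rules.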
sipingal (n00b)
Joined: 12 May 2008; Posts: 62; Location: China
Posted: Wed Mar 17, 2010 5:46 pm
My solution:
1. Modify /etc/init.d/iptables:
Code:
depend() {
    before net libvirtd
    use logger
}
2. Before stopping the libvirtd daemon, we should destroy the KVM network; change /etc/init.d/libvirtd like below.
Added code:
Code:
depend() {
    need net iptables
    before sshd ntp-client ntpd nfs nfsmount rsyncd portmap dhcp
}

Code:
libvirtd_net_list() {
    libvirtd_virsh net-list | grep active | awk '{ print $1 }'
}

Code:
for NET_ID in $(libvirtd_net_list); do
    libvirtd_virsh net-destroy ${NET_ID} > /dev/null
done
The full script:
Code:
#!/sbin/runscript
opts="start stop status reload restart"

depend() {
    need net iptables
    before sshd ntp-client ntpd nfs nfsmount rsyncd portmap dhcp
}

libvirtd_virsh() {
    # Silence errors because virsh always throws an error about
    # not finding the hypervisor version when connecting to libvirtd
    LC_ALL=C virsh -c qemu:///system "$@" 2>/dev/null
}

libvirtd_net_list() {
    libvirtd_virsh net-list | grep active | awk '{ print $1 }'
}

libvirtd_dom_list() {
    libvirtd_virsh list | grep running | awk '{ print $1 }'
}

libvirtd_dom_count() {
    libvirtd_dom_list | wc -l
}

start() {
    ebegin "Starting libvirtd"
    start-stop-daemon --start --quiet --exec /usr/sbin/libvirtd -- -d ${LIBVIRTD_OPTS}
    eend $?
}

stop() {
    ebegin "Stopping libvirtd"
    # try to shutdown all (KVM/Qemu) domains
    DOM_COUNT="$(libvirtd_dom_count)"
    if [ "${LIBVIRTD_KVM_SHUTDOWN}" = "yes" ] \
        && [ "${DOM_COUNT}" != "0" ] ; then
        einfo " Shutting down domain(s):"
        for DOM_ID in $(libvirtd_dom_list) ; do
            NAME="$(libvirtd_virsh domname ${DOM_ID} | head -n 1)"
            einfo " ${NAME}"
            libvirtd_virsh shutdown ${DOM_ID} > /dev/null
        done
        if [ -n "${LIBVIRTD_KVM_SHUTDOWN_MAXWAIT}" ] ; then
            COUNTER="${LIBVIRTD_KVM_SHUTDOWN_MAXWAIT}"
        else
            COUNTER=100
        fi
        einfo " Waiting ${COUNTER} seconds while domains shutdown ..."
        DOM_COUNT="$(libvirtd_dom_count)"
        while [ ${DOM_COUNT} -gt 0 ] && [ ${COUNTER} -gt 0 ] ; do
            DOM_COUNT="$(libvirtd_dom_count)"
            sleep 1
            COUNTER=$((${COUNTER} - 1))
            echo -n "."
        done
        DOM_COUNT="$(libvirtd_dom_count)"
        if [ "${DOM_COUNT}" != "0" ] ; then
            eerror " !!! Some guests are still running, stopping anyways"
        fi
    fi
    # tear down the libvirt networks (and the iptables rules they own)
    # while the daemon is still running to do it
    for NET_ID in $(libvirtd_net_list); do
        libvirtd_virsh net-destroy ${NET_ID} > /dev/null
    done
    start-stop-daemon --stop --quiet --exec /usr/sbin/libvirtd --pidfile=/var/run/libvirtd.pid
    eend $?
}

reload() {
    ebegin "Reloading libvirtd"
    start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/libvirtd.pid --oknodo
    eend $?
}
vitoriung (Apprentice)
Joined: 21 May 2007; Posts: 158; Location: Prague, Czech Republic
Posted: Wed Mar 17, 2010 7:01 pm
That is interesting, thanks for the advice.
However, I rather started using bridged networking over NAT, so I don't bother with iptables anymore.
I can at least mark this thread as solved.
Thanks