difficultcho (n00b) - Joined: 15 Mar 2013, Posts: 14
Posted: Wed Jun 26, 2013 8:49 pm    Post subject: kernel config for qemu-kvm
Hi,
I updated my kernel from 3.5.7 to 3.9.7 lately. It seems I messed up my virtual network configuration.
I am using libvirt and virt-manager with qemu-kvm, and want to set up my virtual network in NAT mode.
In a terminal, if I type:
Code:
virsh net-start default
it returns:
Code:
error: Failed to start network default
error: failed to add iptables rule to block outbound traffic from 'virbr0'
Trying to start it from virt-manager gives a similar error, "network default is not active".
The drivers are compiled as kernel modules, and here are my lsmod results:
Quote:
Module Size Used by
mmc_block 24767 0
ipt_rpfilter 1748 0
nls_cp950 100905 0
nls_cp936 123049 0
firewire_core 50556 0
nbd 9131 0
crc_itu_t 1275 1 firewire_core
sha256_generic 9981 0
virtio_pci 6552 0
virtio_net 17291 0
virtio_ring 4452 2 virtio_net,virtio_pci
virtio 3634 2 virtio_net,virtio_pci
p8022 1051 0
psnap 1821 0
xt_NETMAP 1604 0
xt_REDIRECT 1582 0
xt_nat 1721 0
iptable_nat 2694 0
nf_conntrack_ipv4 6142 1
nf_defrag_ipv4 1187 1 nf_conntrack_ipv4
nf_nat_ipv4 3416 1 iptable_nat
ipt_MASQUERADE 1682 0
nf_nat 11533 6 ipt_MASQUERADE,nf_nat_ipv4,xt_nat,xt_NETMAP,xt_REDIRECT,iptable_nat
nf_conntrack 45729 5 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4
ebtable_nat 1732 0
ebtables 16743 1 ebtable_nat
xt_tcpudp 2287 0
iptable_filter 1368 0
ip_tables 10142 2 iptable_filter,iptable_nat
x_tables 12898 9 ip_tables,xt_tcpudp,ipt_MASQUERADE,ipt_rpfilter,xt_nat,xt_NETMAP,iptable_filter,ebtables,xt_REDIRECT
bridge 81151 0
stp 1533 1 bridge
llc 3473 4 stp,p8022,psnap,bridge
ecb 1985 0
btusb 12060 0
sdhci_pci 9443 0
sdhci 22954 1 sdhci_pci
mmc_core 82763 2 mmc_block,sdhci
bluetooth 204439 18 btusb
thinkpad_acpi 59518 0
hid_logitech_dj 9940 0
Also, if I try to add an outbound rule to my iptables with:
Code:
iptables -A OUTPUT -p tcp --dport 22 -j DROP
it seems to work for me.
So, may I ask what module I am missing in my kernel config? Thanks!
difficultcho (n00b) - Joined: 15 Mar 2013, Posts: 14
Posted: Tue Jul 02, 2013 10:45 pm    Post subject: solve it by brute force
I tried a brute-force method, which means enabling all options and seeing whether libvirt will start, and then reducing the options gradually.
It turns out that:
Networking support -->
  Networking options -->
    Network packet filtering framework -->
      Netfilter configuration -->
        Packet filtering -->
          REJECT target support
is the one I missed. It has a (NEW) mark on it, so I thought it wasn't a critical option.
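A small check in the spirit of the brute-force approach above, added here as an example and not part of the original thread: it parses a kernel .config (or a gzipped /proc/config.gz) and lists which options a libvirt NAT network relies on are neither built in nor modular. The option list is an assumption drawn from the modules in the lsmod output plus the REJECT target the thread identified; option names vary between kernel versions, so adjust it to match yours.

```shell
#!/bin/sh
# Report which netfilter/bridge kernel options a libvirt NAT network needs
# are missing from a kernel .config (or a gzipped /proc/config.gz).
# An option counts as present when it is built in (=y) or a module (=m).
# Assumed option list: modules seen in the thread's lsmod output plus the
# REJECT target; adjust for your kernel version.
NAT_NET_OPTS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_NAT \
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT \
CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_BRIDGE"

# Print the raw config text, transparently decompressing *.gz files.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# missing_kernel_opts CONFIG_FILE [OPTION...]
# Prints each option (default: NAT_NET_OPTS) that is neither =y nor =m,
# one per line. Returns 1 if anything is missing, 0 otherwise.
missing_kernel_opts() {
    cfg="$1"; shift
    [ $# -gt 0 ] || set -- $NAT_NET_OPTS
    rc=0
    for opt in "$@"; do
        # Anchor on the whole line so CONFIG_NF_NAT does not match
        # CONFIG_NF_NAT_IPV4, and "# CONFIG_X is not set" does not match.
        if ! read_config "$cfg" | grep -qE "^${opt}=[ym]$"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not from any real kernel): REJECT is unset and
# MASQUERADE is absent entirely, mirroring the thread's missing-option case.
demo_config() {
    printf '%s\n' \
        'CONFIG_NETFILTER=y' 'CONFIG_NF_CONNTRACK=m' 'CONFIG_NF_NAT=m' \
        'CONFIG_NF_NAT_IPV4=m' 'CONFIG_IP_NF_IPTABLES=m' 'CONFIG_IP_NF_FILTER=m' \
        '# CONFIG_IP_NF_TARGET_REJECT is not set' 'CONFIG_BRIDGE=m'
}

tmp=$(mktemp); demo_config > "$tmp"
echo "Missing from constructed sample:"; missing_kernel_opts "$tmp" || true
rm -f "$tmp"
# Against the running kernel: missing_kernel_opts /proc/config.gz
```

On a Gentoo box without /proc/config.gz, point it at /boot/config-$(uname -r) or the .config in /usr/src/linux instead.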