Bug 1072292
Summary: | Libvirt report incorrect message when starting domain with nwfilter whose chain priority is greater than its filter rule priority | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Hu Jianwei <jiahu> | |
Component: | libvirt | Assignee: | Laine Stump <laine> | |
Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> | |
Severity: | low | Docs Contact: | ||
Priority: | medium | |||
Version: | 7.0 | CC: | dyuan, gsun, honzhang, laine, mzhan, rbalakri, stefanb | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | x86_64 | |||
OS: | Linux | |||
Fixed In Version: | libvirt-1.2.7-1.el7 | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1210183 (view as bug list) | Environment: | ||
Last Closed: | 2015-03-05 07:30:57 UTC | Type: | Bug | |
Description
Hu Jianwei
2014-03-04 10:23:21 UTC
The fix for this issue has now been pushed to the upstream repo:

```
commit 5a2b17beb89c648db5d8e145615b4e8128c7bd8b
Author: Stefan Berger <stefanb.ibm.com>
Date:   Thu Mar 13 18:30:09 2014 -0400

    nwfilter: Fix rule priority problem

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1072292

    Fix a problem related to rule priorities that did not allow to
    have rules applied that had a higher priority than the chain they
    were in. In this case the chain did not exist yet when the rule
    was instantiated. The solution is to adjust the priority of rules
    if the priority of the chain is of higher value. That way the chain
    will be created before the rule.

    Signed-off-by: Stefan Berger <stefanb.ibm.com>
```

Verified the bug as below:

```
[root@ibm-x3850x5-06 ~]# rpm -q libvirt
libvirt-1.2.8-7.el7.x86_64

[root@ibm-x3850x5-06 ~]# virsh nwfilter-dumpxml my
<filter name='my' chain='arp-jiahu' priority='-500'>
  <uuid>f280dd7d-32f6-4c5c-a64f-be28ebbb8a53</uuid>
  <rule action='accept' direction='inout' priority='-501'/>
</filter>

[root@ibm-x3850x5-06 ~]# virsh dumpxml r7 | grep /interface -B6
    <interface type='network'>
      <mac address='02:54:00:36:c6:d0'/>
      <source network='default'/>
      <model type='virtio'/>
      <filterref filter='my'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>

[root@ibm-x3850x5-06 ~]# virsh start r7
Domain r7 started

[root@ibm-x3850x5-06 ~]# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 1, policy: ACCEPT
-p ARP -j I-vnet0-arp-jiahu

Bridge chain: libvirt-O-vnet0, entries: 1, policy: ACCEPT
-p ARP -j O-vnet0-arp-jiahu

Bridge chain: I-vnet0-arp-jiahu, entries: 1, policy: ACCEPT
-j ACCEPT

Bridge chain: O-vnet0-arp-jiahu, entries: 1, policy: ACCEPT
-j ACCEPT
```

The domain with such an nwfilter can boot up normally, moved to Verified.

This is fixed on rhel7 and upstream, but still exists on rhel6. Tested with the exact steps on: libvirt-0.10.2-46.el6.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html
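The ordering problem described in the commit message, as an added C example that is not libvirt's code and not part of this bug report: a rule whose priority value is lower than its chain's is instantiated before the chain exists, and raising the rule's priority to the chain's restores the order. It assumes steps run in ascending priority order and that chain creation sorts ahead of a rule on a tie; `step`, `count_orphan_rules` and `demo` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not libvirt source: a step creates a chain or adds a rule. */
enum kind { CREATE_CHAIN, ADD_RULE };
struct step { enum kind kind; const char *chain; int priority; };

/* Ascending priority; on a tie, chain creation sorts first (assumption). */
static int cmp_step(const void *a, const void *b) {
    const struct step *x = a, *y = b;
    if (x->priority != y->priority) return x->priority < y->priority ? -1 : 1;
    return (int)x->kind - (int)y->kind;
}

/* The fix as described: lift a rule's priority to its chain's when the chain's is higher. */
static void adjust_rule_priorities(struct step *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            if (s[i].kind == ADD_RULE && s[j].kind == CREATE_CHAIN &&
                !strcmp(s[i].chain, s[j].chain) && s[j].priority > s[i].priority)
                s[i].priority = s[j].priority;
}

/* Sort the steps, then count rules that would run before their chain exists. */
int count_orphan_rules(struct step *s, size_t n, int adjust) {
    int orphans = 0;
    if (adjust) adjust_rule_priorities(s, n);
    qsort(s, n, sizeof(*s), cmp_step);
    for (size_t i = 0; i < n; i++) {
        int exists = 0;
        for (size_t j = 0; j < i; j++)
            if (s[j].kind == CREATE_CHAIN && !strcmp(s[j].chain, s[i].chain)) exists = 1;
        if (s[i].kind == ADD_RULE && !exists) orphans++;
    }
    return orphans;
}

/* Constructed input using the chain and rule priorities from filter 'my' above. */
int demo(int adjust) {
    struct step s[] = {
        { CREATE_CHAIN, "arp-jiahu", -500 },
        { ADD_RULE,     "arp-jiahu", -501 },
    };
    return count_orphan_rules(s, 2, adjust);
}

int main(void) {
    printf("orphan rules: unadjusted=%d adjusted=%d\n", demo(0), demo(1));
    return 0;
}
```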