Bug 1591017

Summary: nwfilter blocks all network traffic when "clean-traffic" filter is applied to guest interface.

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Laine Stump <laine> |
| Component | libvirt |
| Assignee | Laine Stump <laine> |
| Status | CLOSED ERRATA |
| QA Contact | yalzhang <yalzhang> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 7.5 |
| CC | dyuan, laine, lmen, xuzhang |
| Target Milestone | rc |
| Keywords | Regression |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | libvirt-4.5.0-1.el7 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2018-10-30 09:56:58 UTC |
Description
Laine Stump
2018-06-13 22:17:35 UTC
I can reproduce on libvirt-4.4.0-1.el7.x86_64

1. start a guest with interface as below:

```
# virsh dumpxml rhel | grep /interface -B8
<interface type='network'>
  <mac address='52:54:00:f5:10:1e'/>
  <source network='default' bridge='virbr0'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic'/>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x0c' function='0x0'/>
</interface>
```

2. on guest, run "#dhclient" but it can not get ip address, on host, check the ebtables as below:

```
# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-j OUTPUT_direct

Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
-j POSTROUTING_direct
-o vnet0 -j libvirt-O-vnet0

Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN

Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN

Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN

Bridge chain: libvirt-I-vnet0, entries: 1, policy: ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 1, policy: ACCEPT
-j DROP
```

The filter will drop all input or output traffic for the guest.

Created attachment 1454951 [details]
Take a look
Comment on attachment 1454951 [details]
Take a look
This attachment was apparently added to the BZ erroneously, as it isn't related.
Test on libvirt-4.5.0-1.el7.x86_64, the result is as expected

1. start a guest with interface as below:

```
# virsh dumpxml rhelq | grep /interface -B8
<interface type='network'>
  <mac address='52:54:00:4d:f0:70'/>
  <source network='default' bridge='virbr0'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic'/>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
</interface>
```

2. login guest, check the network works well

```
# ip a show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:f0:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.236/24 brd 192.168.122.255 scope global noprefixroute dynamic eth0
       valid_lft 3499sec preferred_lft 3499sec
    inet6 fe80::5054:ff:fe4d:f070/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
# ping www.baidu.com -c 2
PING www.a.shifen.com (119.75.213.50) 56(84) bytes of data.
64 bytes from 119.75.213.50 (119.75.213.50): icmp_seq=1 ttl=49 time=2.76 ms
64 bytes from 119.75.213.50 (119.75.213.50): icmp_seq=2 ttl=49 time=15.1 ms

--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 2.762/8.938/15.115/6.177 ms
```

3. on host, check the ebtables rules, the guest ip address is learned correctly

```
# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4-ip
-p IPv4 -j ACCEPT
-p ARP -j I-vnet0-arp-mac
-p ARP -j I-vnet0-arp-ip
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j ACCEPT
-p 0x8035 -j O-vnet0-rarp
-j DROP

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:4d:f0:70 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 192.168.122.236 -j RETURN
-j DROP

Bridge chain: O-vnet0-ipv4, entries: 1, policy: ACCEPT
-j ACCEPT

Bridge chain: I-vnet0-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src 52:54:0:4d:f0:70 -j RETURN
-j DROP

Bridge chain: I-vnet0-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 192.168.122.236 -j RETURN
-j DROP

Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -s 52:54:0:4d:f0:70 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:4d:f0:70 --arp-mac-dst 52:54:0:4d:f0:70 -j ACCEPT
-j DROP

Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 52:54:0:4d:f0:70 --arp-mac-dst 52:54:0:4d:f0:70 -j ACCEPT
-j DROP
```

Hi Laine, there is a bug about nwfilter and I think it may be related to recent nwfilter changes. Could you please help to check? Thank you!
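The two `ebtables -t nat -L` listings above differ in one recognisable way: on the broken build the per-interface chains `libvirt-I-vnet0` and `libvirt-O-vnet0` hold nothing but `-j DROP`, while on the fixed build they delegate to the MAC/IP/ARP sub-chains and the learned guest address appears in `I-vnet0-ipv4-ip`. The script below is an added example, not code from this bug report or from libvirt: it parses that output format, reports interfaces whose libvirt chains are DROP-only, and extracts the IP addresses the clean-traffic filter has learned. The two sample listings are constructed from the report's output, reformatted into the line layout `ebtables -L` actually prints; the function names are mine.

```python
import re

# Constructed samples in the layout `ebtables -t nat -L` prints, abbreviated
# from the two listings in this bug report (broken 4.4.0 build, fixed 4.5.0 build).
BROKEN = """\
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0

Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
-j POSTROUTING_direct
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 1, policy: ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 1, policy: ACCEPT
-j DROP
"""

FIXED = """\
Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet0 -j libvirt-I-vnet0

Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-o vnet0 -j libvirt-O-vnet0

Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet0-ipv4-ip
-p IPv4 -j ACCEPT
-p ARP -j I-vnet0-arp-mac
-p ARP -j I-vnet0-arp-ip
-p ARP -j ACCEPT
-p 0x8035 -j I-vnet0-rarp
-p 0x8035 -j ACCEPT
-j DROP

Bridge chain: libvirt-O-vnet0, entries: 4, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j ACCEPT
-p 0x8035 -j O-vnet0-rarp
-j DROP

Bridge chain: I-vnet0-mac, entries: 2, policy: ACCEPT
-s 52:54:0:4d:f0:70 -j RETURN
-j DROP

Bridge chain: I-vnet0-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 192.168.122.236 -j RETURN
-j DROP
"""

CHAIN_HDR = re.compile(r"^Bridge chain: (\S+), entries: \d+, policy: \S+$")
IFACE_CHAIN = re.compile(r"^libvirt-[IO]-(.+)$")      # libvirt-I-<if> / libvirt-O-<if>
IP_SRC_RETURN = re.compile(r"--ip-src (\S+) .*-j RETURN$")


def parse_ebtables(text):
    """Map each 'Bridge chain:' header to the list of rule lines under it."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Bridge table:"):
            continue
        m = CHAIN_HDR.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current is not None:
            chains[current].append(line)
    return chains


def drop_only_interfaces(chains):
    """Interfaces whose libvirt-I-/libvirt-O- chain is a bare DROP (the regression)."""
    bad = set()
    for name, rules in chains.items():
        m = IFACE_CHAIN.match(name)
        if m and rules == ["-j DROP"]:
            bad.add(m.group(1))
    return sorted(bad)


def learned_ips(chains, iface):
    """Source IPs the clean-traffic IP sub-chain lets through for iface.

    0.0.0.0 is skipped: it is the standing exception for DHCP DISCOVER, not a
    learned address.
    """
    ips = []
    for rule in chains.get(f"I-{iface}-ipv4-ip", []):
        m = IP_SRC_RETURN.search(rule)
        if m and m.group(1) != "0.0.0.0":
            ips.append(m.group(1))
    return ips


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        chains = parse_ebtables(sample)
        print(label, "drop-only:", drop_only_interfaces(chains),
              "learned:", learned_ips(chains, "vnet0"))
```

On a live host, feed it `subprocess.check_output(["ebtables", "-t", "nat", "-L"], text=True)` instead of the samples; a non-empty `drop_only_interfaces` result with a guest that should be filtered by clean-traffic is the condition this bug describes.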
Bug 1598311 - Error message is weird when there is no enough pci slot for hotplug interface

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113