Bug 1683174
Summary: | default bridge network does not start
---|---
Product: | [Community] Virtualization Tools
Component: | libvirt
Status: | CLOSED NOTABUG
Severity: | high
Priority: | unspecified
Version: | unspecified
Hardware: | ppc64le
OS: | Linux
Reporter: | Satheesh Rajendran <sathnaga>
Assignee: | Libvirt Maintainers <libvirt-maint>
CC: | berrange, libvirt-maint, michele.mase, redhat, sathnaga, tburke
Last Closed: | 2019-02-27 09:16:22 UTC
Type: | Bug

Description
Satheesh Rajendran
2019-02-26 11:57:52 UTC
(In reply to Satheesh Rajendran from comment #0)
> Description of problem:
>
> Can't start default(virbr0) network
>
> #virsh net-start default
> error: Failed to start network default
> error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert
> LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67
> --jump ACCEPT' failed: iptables: No chain/target/match by that name.

That is complaining that LIBVIRT_INP chain doesn't exist. This is something libvirt will create at startup. If it is missing it suggests someone or something has deleted libvirt's chains. Did you manually restart firewall init script, or have you restarted firewalld or otherwise caused firewall to be flushed ?

Restarting libvirtd service should probably fix it.

(In reply to Daniel Berrange from comment #1)
> (In reply to Satheesh Rajendran from comment #0)
> > Description of problem:
> >
> > Can't start default(virbr0) network
> >
> > #virsh net-start default
> > error: Failed to start network default
> > error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert
> > LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67
> > --jump ACCEPT' failed: iptables: No chain/target/match by that name.
>
> That is complaining that LIBVIRT_INP chain doesn't exist. This is something
> libvirt will create at startup. If it is missing it suggests someone or
> something has deleted libvirt's chains. Did you manually restart firewall
> init script, or have you restarted firewalld or otherwise caused firewall to
> be flushed ?
>
> Restarting libvirtd service should probably fix it.

Did try that, no help

```
# service libvirtd restart
Redirecting to /bin/systemctl restart libvirtd.service
[root@ltc-test-ci2 ~]# [ 2244.452873] virbr0: port 1(virbr0-nic) entered blocking state
[ 2244.452897] virbr0: port 1(virbr0-nic) entered disabled state
[ 2244.452974] device virbr0-nic entered promiscuous mode
[ 2244.563753] device virbr0-nic left promiscuous mode
[ 2244.563780] virbr0: port 1(virbr0-nic) entered disabled state

# virsh net-list --all
 Name      State      Autostart   Persistent
----------------------------------------------
 default   inactive   yes         yes

# virsh net-start default
[ 2281.761768] virbr0: port 1(virbr0-nic) entered blocking state
[ 2281.761792] virbr0: port 1(virbr0-nic) entered disabled state
[ 2281.761878] device virbr0-nic entered promiscuous mode
[ 2281.861972] device virbr0-nic left promiscuous mode
[ 2281.861996] virbr0: port 1(virbr0-nic) entered disabled state
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.
```

```
# service libvirtd status
Redirecting to /bin/systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor pr>
   Active: active (running) since Tue 2019-02-26 07:11:36 EST; 1min 17s ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 140411 (libvirtd)
   Memory: 72.1M
   CGroup: /system.slice/libvirtd.service
           └─140411 /usr/sbin/libvirtd

Feb 26 07:11:35 x.x.x.x systemd[1]: Starting Virtualiz>
Feb 26 07:11:36 x.x.x.x systemd[1]: Started Virtualiza>

# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-02-26 06:35:40 EST; 45min ago
     Docs: man:firewalld(1)
 Main PID: 9613 (firewalld)
   Memory: 149.5M
   CGroup: /system.slice/firewalld.service
           └─9613 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --destination 192.16>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --source 192.168.122>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --out-interface virb>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT --out-interface virb>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
```

Can you provide the output of "iptables-save" when this error occurs..

```
# iptables-save
# Generated by iptables-save v1.8.0 on Tue Feb 26 07:46:26 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Feb 26 07:46:26 2019
# Generated by iptables-save v1.8.0 on Tue Feb 26 07:46:26 2019
*mangle
:PREROUTING ACCEPT [193184:121808845]
:INPUT ACCEPT [191064:121396493]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117048:7343479]
:POSTROUTING ACCEPT [117058:7344273]
COMMIT
# Completed on Tue Feb 26 07:46:26 2019
# Generated by iptables-save v1.8.0 on Tue Feb 26 07:46:26 2019
*filter
:INPUT ACCEPT [191064:121396493]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117050:7344067]
COMMIT
# Completed on Tue Feb 26 07:46:26 2019
```

firewall-cmd --complete-reload fails with iptables issue, not sure if related..

```
#firewall-cmd --complete-reload
Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): iptables-restore: unable to initialize table 'security'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
```

> 5.0.0-rc7-ged2e2a772

This isn't a Fedora kernel AFAICT. Can you ensure you are running an official Fedora kernel build & try to reproduce. This will identify whether it's caused by a missing feature in your kernel build.

Thanks, looks like an issue with compiled kernel, did use `ppc64le_defconfig` for compile, needs to check if any more configs to be enabled.

With fedora rawhide kernel bridge network starts fine...

```
# uname -r
5.0.0-0.rc6.git1.1.fc30.ppc64le

# virsh net-list
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

# iptables-save
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*nat
:PREROUTING ACCEPT [6615:680980]
:INPUT ACCEPT [6:851]
:OUTPUT ACCEPT [50:3783]
:POSTROUTING ACCEPT [50:3783]
:LIBVIRT_PRT - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING_ZONES -o net0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i net0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*mangle
:PREROUTING ACCEPT [6888:729401]
:INPUT ACCEPT [6576:668686]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [212:36466]
:POSTROUTING ACCEPT [226:38304]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:LIBVIRT_PRT - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -j POSTROUTING_direct
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A PREROUTING_ZONES -i net0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*raw
:PREROUTING ACCEPT [6965:739553]
:OUTPUT ACCEPT [245:39683]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i net0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*security
:INPUT ACCEPT [309:54308]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [245:39683]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [212:36466]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j LIBVIRT_INP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i net0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o net0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i net0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
```

Created attachment 1539085 [details]
fedora and upstream config diff
Need help in identifying relevant configs to be enabled.
Attached config diff output of fedora(30 rawhide)(left side) and upstream(ppc64le_defconfig)(right side).

You've got *loads* of missing config options related to iptables/ebtables/etc in that config, so it is no wonder even basic firewall rules don't work. Please just use a regular distro kernel as we don't have time to spare debugging minimalistic kernel configs.

libvirtd (libvirt) 5.1.0, kernel 5.0.2, XUbuntu 18.10, iptables v1.6.1

I think something is missing|wrong from firewall rules creation.
I've an ubuntu custom kernel system, with the same problem:

```
#virsh net-start default
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.
```

Debugging and debugging, I solved this problem with a workaround:

* manually create the iptables rules (script)
* start the default network as usual

Libvirt prior release 5.1.0 didn't use naming chain (only chains INPUT, FORWARD and OUTPUT)

script:

```bash
#!/bin/bash
#you must be root
#https://www.spinics.net/linux/fedora/libvir/msg178415.html

#not necessary, this works
#/usr/bin/tunctl -t virbr0-nic
#brctl addbr virbr0
#brctl addif virbr0 virbr0-nic
#brctl stp virbr0 on

#filter table
iptables -t filter -N LIBVIRT_FWI
iptables -t filter -N LIBVIRT_FWO
iptables -t filter -N LIBVIRT_FWX
iptables -t filter -N LIBVIRT_INP
iptables -t filter -N LIBVIRT_OUT
iptables -t filter -A INPUT -j LIBVIRT_INP
iptables -t filter -A FORWARD -j LIBVIRT_FWX
iptables -t filter -A FORWARD -j LIBVIRT_FWI
iptables -t filter -A FORWARD -j LIBVIRT_FWO
iptables -t filter -A OUTPUT -j LIBVIRT_OUT
iptables -t filter -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
iptables -t filter -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
iptables -t filter -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT

#nat table
iptables -t nat -N LIBVIRT_PRT
iptables -t nat -A POSTROUTING -j LIBVIRT_PRT
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE

#mangle table
iptables -t mangle -N LIBVIRT_PRT
iptables -t mangle -A POSTROUTING -j LIBVIRT_PRT
iptables -t mangle -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
```

hope this helps
Regards
Michele Masè

For custom kernel, you must have ipv6 support too, included:
ip6_tables
ip6table_filter

sample:

```
CONFIG_IPV6=m
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
# CONFIG_IPV6_MIP6 is not set
# CONFIG_IPV6_ILA is not set
# CONFIG_IPV6_VTI is not set
CONFIG_IPV6_SIT=m
# CONFIG_IPV6_SIT_6RD is not set
CONFIG_IPV6_NDISC_NODETYPE=y
# CONFIG_IPV6_TUNNEL is not set
CONFIG_IPV6_FOU=m
# CONFIG_IPV6_MULTIPLE_TABLES is not set
# CONFIG_IPV6_MROUTE is not set
# CONFIG_IPV6_SEG6_LWTUNNEL is not set
# CONFIG_IPV6_SEG6_HMAC is not set
CONFIG_IP_VS_IPV6=y
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_REJECT_IPV6=m
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NF_FLOW_TABLE_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT_IPV6=m
CONFIG_NF_NAT_MASQUERADE_IPV6=y
# CONFIG_IP6_NF_MATCH_IPV6HEADER is not set
CONFIG_NF_DEFRAG_IPV6=m
```

Regards
Michele Masè

The situation is improved in current git master with this
https://www.redhat.com/archives/libvir-list/2019-March/msg01218.html

I'm also experiencing this issue on Gentoo Linux/systemd with a custom kernel. If I run the script from comment #11 everything is cool, but for some reason the rules don't get applied when I (re)start the service.

Nm.. I read the rest of the comments/patches. I'm probably missing some ipv6 stuff in my kernel. Will try the latest patches.
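
The two `iptables-save` outputs in this thread differ in which tables exist and whether the `LIBVIRT_*` chains are declared and jumped to. As an added example (not part of the bug report and not libvirt's own code), the shell function below audits an `iptables-save` dump for exactly those tables, chains and jumps; the function and variable names are hypothetical, and the embedded sample is constructed to resemble the failing dump.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit `iptables-save` output for the
# libvirt chains and hooks that appear in the working dump quoted above.

# table:builtin:chain triples copied from the working Fedora-kernel dump.
LIBVIRT_HOOKS="filter:INPUT:LIBVIRT_INP filter:OUTPUT:LIBVIRT_OUT \
filter:FORWARD:LIBVIRT_FWX filter:FORWARD:LIBVIRT_FWI filter:FORWARD:LIBVIRT_FWO \
nat:POSTROUTING:LIBVIRT_PRT mangle:POSTROUTING:LIBVIRT_PRT"
# Tables present in the working dump.
EXPECTED_TABLES="nat mangle raw security filter"

# Reads iptables-save text on stdin; prints one finding per line:
#   no-table T | no-chain T:C | no-hook T:B->C
audit_libvirt_chains() {
    awk -v hooks="$LIBVIRT_HOOKS" -v tables="$EXPECTED_TABLES" '
        /^\*/ { t = substr($1, 2); have_table[t] = 1; next }   # "*filter"
        /^:/  { have_chain[t ":" substr($1, 2)] = 1; next }    # ":CHAIN policy [c]"
        # Hook = unconditional jump, exactly "-A BUILTIN -j CHAIN".
        NF == 4 && $1 == "-A" && $3 == "-j" { have_hook[t ":" $2 ":" $4] = 1 }
        END {
            n = split(tables, tl, " ")
            for (i = 1; i <= n; i++)
                if (!(tl[i] in have_table)) print "no-table " tl[i]
            n = split(hooks, hl, " ")
            for (i = 1; i <= n; i++) {
                split(hl[i], p, ":")
                key = p[1] ":" p[3]
                if (!(key in have_chain)) print "no-chain " key
                else if (!(hl[i] in have_hook))
                    print "no-hook " p[1] ":" p[2] "->" p[3]
            }
        }'
}

# Constructed sample modelled on the failing dump: built-in chains only,
# no raw or security table.
sample_failing_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

sample_failing_dump | audit_libvirt_chains
```

On a live host the same function can be fed with `iptables-save | audit_libvirt_chains`; empty output means every table, chain and jump from the working dump is present.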