Bug 635211

Summary: iptables errors cause networking failure; should be ignored (or ignorable)
Product: [Community] Virtualization Tools
Reporter: Michael J Evans <mjevans1983>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED INSUFFICIENT_DATA
Severity: high
Priority: low
Version: unspecified
CC: crobinso, jdenemar, jtomko, xen-maint
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-03-18 08:31:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Michael J Evans 2010-09-18 05:37:34 UTC
Recent versions of libvirt have included hardcoded iptables rulesets that do not work with the latest releases of iptables and instead require custom patches; this would be tolerable if iptables failures were ignored/ignorable.

However, virt-manager, and even the documentation for the raw XML, seems to have no option for either ignoring iptables errors or assigning an action to take on error (fail, warn and continue, retry N times).  This causes networking to break on easily forgivable issues, examples:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/createnet.py", line 357, in finish
    self.conn.create_network(xml)
  File "/usr/share/virt-manager/virtManager/connection.py", line 742, in create_network
    net.create()
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 866, in create
    if ret == -1: raise libvirtError ('virNetworkCreate() failed', net=self)
libvirtError: internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr1 --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).
Sep 17 21:57:32 localhost libvirtd: 21:57:32.992: error : virRunWithHook:857 : internal error '/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.9.1: unknown option `--checksum-fill'
Sep 17 21:57:32 localhost libvirtd: 21:57:32.992: warning : networkAddIptablesRules:873 : Could not add rule to fixup DHCP response checksums on network 'default'.
Sep 17 21:57:32 localhost libvirtd: 21:57:32.992: warning : networkAddIptablesRules:874 : May need to update iptables package & kernel to support CHECKSUM rule.
Sep 17 21:57:33 localhost libvirtd: 21:57:33.003: error : virRunWithHook:857 : internal error '/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file=  --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-lease-max=253 --dhcp-no-override' exited with non-zero status 2 and signal 0: 
Sep 17 21:57:33 localhost libvirtd: 21:57:33.015: error : virRunWithHook:857 : internal error '/sbin/iptables --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.9.1: unknown option `--checksum-fill'
Sep 17 21:57:33 localhost libvirtd: 21:57:33.114: error : virRunWithHook:857 : internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).
Sep 17 21:57:33 localhost libvirtd: 21:57:33.867: warning : qemudStartup:1848 : Unable to create cgroup for driver: No such device or address

Comment 1 Jiri Denemark 2010-09-21 09:20:46 UTC
These iptables errors are ignored by libvirt and wouldn't cause networking failure. Unfortunately, the real error seems to be hidden in the middle and overwritten by other ignorable iptables errors. The reason why networking fails to start for you seems to be:

Sep 17 21:57:33 localhost libvirtd: 21:57:33.003: error : virRunWithHook:857 : internal error '/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file=  --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-lease-max=253 --dhcp-no-override' exited with non-zero status 2 and signal 0:

Unfortunately, there's no error message from dnsmasq itself there
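The triage step the comment describes, as an added example that is neither part of this bug nor libvirt's own code: parse the libvirtd syslog lines, separate the child-process failures reported by virRunWithHook from the surrounding warnings, and skip the iptables failures that libvirt tolerates so the first other failure (here dnsmasq, with an empty stderr) surfaces. The sample log is constructed from the lines quoted above; names such as `parse_failures` and `root_cause` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the libvirtd syslog lines quoted in the report.
SAMPLE_LOG = """\
Sep 17 21:57:32 localhost libvirtd: 21:57:32.992: error : virRunWithHook:857 : internal error '/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.9.1: unknown option `--checksum-fill'
Sep 17 21:57:32 localhost libvirtd: 21:57:32.992: warning : networkAddIptablesRules:873 : Could not add rule to fixup DHCP response checksums on network 'default'.
Sep 17 21:57:33 localhost libvirtd: 21:57:33.003: error : virRunWithHook:857 : internal error '/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file=  --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-lease-max=253 --dhcp-no-override' exited with non-zero status 2 and signal 0: 
Sep 17 21:57:33 localhost libvirtd: 21:57:33.114: error : virRunWithHook:857 : internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).
"""

# syslog prefix + libvirtd's "<time>: <level> : <func:line> : <message>" layout
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) libvirtd: [\d:.]+: "
    r"(?P<level>\w+) : (?P<where>\w+:\d+) : (?P<msg>.*)$"
)
# virRunWithHook's report of a failed child process; stderr may be empty
RUN_RE = re.compile(
    r"internal error '(?P<cmd>[^']*)' exited with non-zero status "
    r"(?P<status>\d+) and signal (?P<sig>\d+): ?(?P<stderr>.*)$"
)


@dataclass
class Failure:
    program: str    # basename of the command that failed, e.g. "iptables"
    status: int     # its exit status
    stderr: str     # what it printed, stripped ("" when nothing was captured)
    ignorable: bool # iptables rule add/delete failures are tolerated by libvirt


def parse_failures(log: str) -> List[Failure]:
    """Extract every child-process failure, ignoring warnings and other errors."""
    failures = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "error":
            continue
        r = RUN_RE.search(m.group("msg"))
        if not r:
            continue
        program = r.group("cmd").split()[0].rsplit("/", 1)[-1]
        failures.append(Failure(program, int(r.group("status")),
                                r.group("stderr").strip(), program == "iptables"))
    return failures


def root_cause(log: str) -> Optional[Failure]:
    """First failure libvirt does not tolerate; this is the one to investigate."""
    return next((f for f in parse_failures(log) if not f.ignorable), None)
```

An empty `stderr` on the returned failure is itself a finding: the log carries no message from the program, so the real reason has to be recovered from the program's own logging.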