Hide Forgot
Description of problem: check the nwfilter page /usr/share/doc/libvirt-docs-1.1.1/html/formatnwfilter.html 1. Attribute dscp should be included in ip/tcp/tcp-ipv6/icmp/igmp/igmp-ipv6 protocol groups 2. Attribute vlan-id in vlan should be vlanid 3. explain igmp-ipv6 protocol behaviour, define igmp-ipv6 protocol rule will not take effect, seems this protocol should be covered in icmpv6, so maybe we can update doc for this. Version-Release number of selected component (if applicable): libvirt-docs-1.1.1-13.el7.x86_64 How reproducible: always Steps to Reproduce: 1. as description 2. 3. Actual results: Expected results: fix Additional info:
For the first item, candidate patch on upstream. http://www.redhat.com/archives/libvir-list/2014-August/msg00226.html For the second item, it has been fixed in bug 1126721.
For the last igmp-ipv6, AFAIK, MLDv2(rfc3810) is a translation of the IGMPv3 protocol [RFC3376] for IPv6 semantics. And I found nwfilter does not support it in libvirt by now. Will libvirt support MLD protocol in nwfilter in the future? If no, I suggest remove igmp-ipv6 from its docs. Thanks.
The patch for item (1) in the list is upstream in this commit: commit 08567572793454d25f1290f905ac1ce6ff60a9fe Author: Jianwei Hu <jiahu> Date: Thu Aug 7 12:27:32 2014 +0800 docs: nwfilter: add missing dscp attribute As for the question in Comment 4, are you saying that "igmp-ipv6" results in an error, or that it is silently ignored?
The "igmp-ipv6" will be ignored silently on the latest version, but it still was listed in related doc/guide. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ IGMP, ESP, AH, UDPLITE, 'ALL' over IPv6 Protocol ID: igmp-ipv6, esp-ipv6, ah-ipv6, udplite-ipv6, all-ipv6 Note: The chain parameter is ignored for this type of traffic and should either be omitted or set to root. From libvirt.org +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ [root@localhost ~]# rpm -q libvirt libvirt-1.2.14-1.el7.x86_64 [root@localhost ~]# virsh nwfilter-dumpxml clean-traffic ... <rule action='accept' direction='out' priority='500'> <igmp/> </rule> <filterref filter='no-other-l2-traffic'/> <filterref filter='qemu-announce-self'/> </filter> Change the "igmp" to "igmp-ipv6" [root@localhost ~]# virsh nwfilter-edit clean-traffic Network filter clean-traffic XML configuration edited. [root@localhost ~]# virsh nwfilter-dumpxml clean-traffic ... <rule action='accept' direction='out' priority='500'/> <filterref filter='no-other-l2-traffic'/> <filterref filter='qemu-announce-self'/> </filter> For example, I checked the related codes, found no igmp-ipv6 element in below function. VIR_ENUM_IMPL(virNWFilterRuleProtocol, VIR_NWFILTER_RULE_PROTOCOL_LAST, "none", "mac", "vlan", "stp", "arp", "rarp", "ip", "ipv6", "tcp", "icmp", "igmp", "udp", "udplite", "esp", "ah", "sctp", "all", "tcp-ipv6", "icmpv6", "udp-ipv6", "udplite-ipv6", "esp-ipv6", "ah-ipv6", "sctp-ipv6", "all-ipv6");
Okay, I've removed the reference to "igmp-ipv6" from formatnwfilter.html: https://www.redhat.com/archives/libvir-list/2016-April/msg01526.html
Pushed upstream: commit 81f3839f876983ac68fa65730879a21def987921 Author: Laine Stump <laine> Date: Thu Apr 21 14:32:51 2016 -0400 docs: remove reference to non-existent "igmp-ipv6" protocol
verified on libvirt-docs-1.3.4-1.el7.x86_64, all the results is as expected. Change the bug to verifed. 1. Attribute dscp should be included in ip/tcp/tcp-ipv6/icmp/igmp/igmp-ipv6 protocol groups-------------> the igmp-ipv6 removed 2. Attribute vlan-id in vlan should be vlanid ----------> OK 3. explain igmp-ipv6 protocol behaviour, define igmp-ipv6 protocol rule will not take effect, seems this protocol should be covered in icmpv6, so maybe we can update doc for this. ------> the igmp-ipv6 part removed 4. removed the reference to "igmp-ipv6" from formatnwfilter.html ------> OK
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2577.html