Bug 1180011 - wrong display of guest interface nwfilter settings
Summary: wrong display of guest interface nwfilter settings
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.1
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Laine Stump
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-01-08 04:00 UTC by Luyao Huang
Modified: 2015-11-19 06:07 UTC (History)

Fixed In Version: libvirt-1.2.17-5.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 06:07:26 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2015:2202 (priority normal, status SHIPPED_LIVE): libvirt bug fix and enhancement update, last updated 2015-11-19 08:17:58 UTC

Description Luyao Huang 2015-01-08 04:00:45 UTC
Description of problem:
wrong display of guest interface nwfilter settings

Version-Release number of selected component (if applicable):
libvirt-1.2.8-12.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
 
1. Prepare an offline VM that has an interface with network filter settings like this:
# virsh dumpxml test3
    <interface type='network'>
      <mac address='52:54:00:cb:be:fc'/>
      <source network='vepa-net'/>
      <model type='rtl8139'/>
      <filterref filter='clean-traffic'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </interface>


# virsh net-dumpxml vepa-net
<network>
  <name>vepa-net</name>
  <uuid>db38469f-bb10-44e5-8ffe-384ddfec61bb</uuid>
  <forward dev='enp1s0' mode='vepa'>
    <interface dev='enp1s0'/>
  </forward>
</network>

2. Start the guest:

# virsh start test3
Domain test3 started

3. Check the XML and ebtables rules:
# virsh dumpxml test3
    <interface type='direct'>
      <mac address='52:54:00:cb:be:fc'/>
      <source network='vepa-net' dev='enp1s0' mode='vepa'/>
      <target dev='macvtap0'/>
      <model type='rtl8139'/>
      <filterref filter='clean-traffic'/>
      <alias name='net2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </interface>

4. No rules for this network (iptables and ebtables cannot work for macvtap, because kernel macvtap packet processing bypasses both iptables and ebtables):

# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet1 -j libvirt-I-vnet1

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT

Bridge chain: libvirt-I-vnet1, entries: 4, policy: ACCEPT
-s ! 52:54:0:19:99:53 -j DROP
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP


Actual results:
Wrong display of guest interface nwfilter settings for a running VM.

Expected results:
libvirt should not output a wrong XML, and as far as I know, we cannot set nwfilter rules on a direct-type VM interface.
So it shouldn't be shown in this place, because we do not set the rules (if we set
them, they won't work).

Additional info:

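The report above shows the security-relevant failure mode: a `<filterref>` on an interface that ends up on macvtap is silently accepted, so an operator believes `clean-traffic` (anti-spoofing) is enforced when no ebtables rules exist. The script below is an added example, not part of this bug report or of libvirt; it audits `virsh dumpxml` output offline and flags every `<filterref>` that cannot take effect, resolving `type='network'` interfaces through the corresponding `virsh net-dumpxml` output the way libvirt does at start time. It assumes (as documented for libvirt networks) that forward modes `vepa`, `private` and `passthrough`, and `bridge` mode that names a host NIC rather than an existing bridge, are implemented with macvtap, and that `direct` and `hostdev` interfaces never use a tap device. The sample domain and network XML are constructed for the example.

```python
"""Audit libvirt domain XML for <filterref> elements that cannot take effect
(macvtap or hostdev connections bypass iptables/ebtables), as in bug 1180011.
Added example; not libvirt's own code."""
import xml.etree.ElementTree as ET

# <network> forward modes that libvirt implements with macvtap (assumption
# based on libvirt network documentation).
MACVTAP_MODES = {"vepa", "private", "passthrough"}
# Interface types that never use a host tap device.
NON_TAP_TYPES = {"direct", "hostdev"}


def network_is_macvtap(net_xml: str) -> bool:
    """Return True if a <network> definition results in macvtap connections."""
    root = ET.fromstring(net_xml)
    fwd = root.find("forward")
    if fwd is None:                      # isolated network: libvirt creates a bridge
        return False
    mode = fwd.get("mode", "nat")
    if mode in MACVTAP_MODES:
        return True
    # forward mode='bridge' is macvtap only when it names a host NIC
    # (<interface dev=.../>) instead of an existing bridge (<bridge name=.../>).
    return (mode == "bridge" and root.find("bridge") is None
            and fwd.find("interface") is not None)


def audit_domain_xml(dom_xml: str, networks: dict) -> list:
    """Return (mac, filter name, reason) for each <filterref> that is ineffective.

    `networks` maps network name -> its <network> XML so that type='network'
    interfaces can be resolved to their real connection type."""
    root = ET.fromstring(dom_xml)
    findings = []
    for iface in root.findall("devices/interface"):
        fref = iface.find("filterref")
        if fref is None:
            continue
        itype = iface.get("type")
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else "?"
        src = iface.find("source")
        reason = None
        if itype in NON_TAP_TYPES:
            reason = f"interface type '{itype}' is not tap-based"
        elif itype == "network" and src is not None:
            name = src.get("network")
            net = networks.get(name)
            if net is not None and network_is_macvtap(net):
                reason = f"network '{name}' is forwarded via macvtap"
        if reason:
            findings.append((mac, fref.get("filter"), reason))
    return findings


# Constructed sample input modelled on the report: vepa-net uses macvtap,
# default is a NAT network backed by a libvirt-managed bridge.
VEPA_NET_XML = """<network>
  <name>vepa-net</name>
  <forward dev='enp1s0' mode='vepa'><interface dev='enp1s0'/></forward>
</network>"""
DEFAULT_NET_XML = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0'/>
</network>"""
SAMPLE_NETWORKS = {"vepa-net": VEPA_NET_XML, "default": DEFAULT_NET_XML}

SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>test3</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:cb:be:fc'/>
      <source network='vepa-net'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:00:00:01'/>
      <source network='default'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='direct'>
      <mac address='52:54:00:00:00:02'/>
      <source dev='enp1s0' mode='bridge'/>
      <filterref filter='no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:00:00:03'/>
      <source bridge='br0'/>
    </interface>
  </devices>
</domain>"""

if __name__ == "__main__":
    for mac, filt, reason in audit_domain_xml(SAMPLE_DOMAIN_XML, SAMPLE_NETWORKS):
        print(f"{mac}: filter '{filt}' has no effect: {reason}")
```

On the sample input the audit reports the vepa-net interface and the direct interface and stays silent on the default-network interface, whose filter really is applied. On hosts running the fixed libvirt from comment 5 the daemon refuses to start such a domain, so the check is mainly useful for reviewing inactive domain definitions before they are started.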
Comment 1 Laine Stump 2015-05-04 14:37:22 UTC
IMO we really shouldn't be allowing this XML - libvirt should log an error and refuse to start. But since openstack uses <filterref filter='clean-traffic'/> rather liberally, I'm concerned that turning this into an error condition could create havoc in a lot of OpenStack installations. Dan - how much is macvtap used by OpenStack users, and is the clean-traffic filter *always* set in OpenStack-generated configs?

Comment 2 Daniel Berrangé 2015-07-02 12:24:50 UTC
Looking at the source, OpenStack Nova is only adding <filterref> when it uses type=bridge, so I think we're safe from this POV.

FWIW I'd be inclined to put the error reporting in the QEMU driver, rather than in the XML parser.

Comment 3 Laine Stump 2015-07-22 14:17:02 UTC
(In reply to Daniel Berrange from comment #2)
> 
> FWIW I'd be inclined to put the error reporting in the QEMU driver, rather
> than in the XML parser.

Right, that's what I meant to say - we often don't know whether or not the connection will be made with macvtap until we are starting the guest.

Comment 4 Laine Stump 2015-08-10 06:11:22 UTC
I posted a simple patch upstream to log an error and fail when an attempt is made to use a <filterref> on an interface that isn't tap-based:

  https://www.redhat.com/archives/libvir-list/2015-August/msg00276.html

Comment 5 Laine Stump 2015-08-10 17:44:30 UTC
Pushed upstream:

commit f4f1d18dc464a4fd436ce9cdd18d6f06fa7494e5
Author: Laine Stump <laine>
Date:   Mon Aug 10 02:05:29 2015 -0400

    qemu: fail on attempts to use <filterref> for non-tap network connections

Comment 8 Shanzhi Yu 2015-09-06 03:46:22 UTC
Verify this bug with libvirt-1.2.17-7.el7.x86_64 

1. Try to start a guest with filterref while not using a tap device

# virsh start r7 
error: Failed to start domain r7
error: unsupported configuration: filterref is not supported for network interfaces of type direct

2. attach interface with filterref while not using a tap device
 
# virsh attach-device  r7 network.xml 
error: Failed to attach device from network.xml
error: unsupported configuration: filterref is not supported for network interfaces of type direct

Comment 10 errata-xmlrpc 2015-11-19 06:07:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html

