Description of problem:
wrong display of guest interface nwfilter settings
Version-Release number of selected component (if applicable):
libvirt-1.2.8-12.el7.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Prepare an offline VM that has an interface with network filter settings like this:
# virsh dumpxml test3
<interface type='network'>
<mac address='52:54:00:cb:be:fc'/>
<source network='vepa-net'/>
<model type='rtl8139'/>
<filterref filter='clean-traffic'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</interface>
# virsh net-dumpxml vepa-net
<network>
<name>vepa-net</name>
<uuid>db38469f-bb10-44e5-8ffe-384ddfec61bb</uuid>
<forward dev='enp1s0' mode='vepa'>
<interface dev='enp1s0'/>
</forward>
</network>
2. Start the guest:
# virsh start test3
Domain test3 started
3. Check the XML and ebtables rules:
# virsh dumpxml test3
<interface type='direct'>
<mac address='52:54:00:cb:be:fc'/>
<source network='vepa-net' dev='enp1s0' mode='vepa'/>
<target dev='macvtap0'/>
<model type='rtl8139'/>
<filterref filter='clean-traffic'/>
<alias name='net2'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</interface>
4. No rules for this network (iptables and ebtables cannot work for macvtap, because kernel macvtap packet processing bypasses both iptables and ebtables):
# ebtables -t nat -L
Bridge table: nat
Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i vnet1 -j libvirt-I-vnet1
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT
Bridge chain: libvirt-I-vnet1, entries: 4, policy: ACCEPT
-s ! 52:54:0:19:99:53 -j DROP
-p IPv4 -j ACCEPT
-p ARP -j ACCEPT
-j DROP
Actual results:
Wrong display of guest interface nwfilter settings for a running VM.
Expected results:
libvirt should not output a wrong XML.
And as far as I know, we cannot set nwfilter rules on a direct type VM interface.
So it shouldn't be shown in this place, because we do not set the rules (if we set
it, it won't work).
Additional info:
IMO we really shouldn't be allowing this XML - libvirt should log an error and refuse to start. But since openstack uses <filterref filter='clean-traffic'/> rather liberally, I'm concerned that turning this into an error condition could create havoc in a lot of OpenStack installations. Dan - how much is macvtap used by OpenStack users, and is the clean-traffic filter *always* set in OpenStack-generated configs?
Looking at the source, OpenStack Nova is only adding <filterref> when it uses type=bridge, so I think we're safe from this POV.
FWIW I'd be inclined to put the error reporting in the QEMU driver, rather than in the XML parser.
(In reply to Daniel Berrange from comment #2)
>
> FWIW I'd be inclined to put the error reporting in the QEMU driver, rather
> than in the XML parser.
Right, that's what I meant to say - we often don't know whether or not the connection will be made with macvtap until we are starting the guest.
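The report above shows a <filterref> on an interface that only becomes macvtap (type direct) at start time, and the comment just above notes that the actual connection type is often unknown until then. The following is an added audit script (not part of this bug report or of libvirt) that resolves each interface's start-time type from the referenced network definition the way libvirt does and flags every filter that would silently never be applied. It assumes that only the network, bridge and ethernet types are tap-backed, and that forward modes vepa, private, passthrough, and bridge without a <bridge name> yield macvtap; the sample XML is constructed from the report.

```python
import xml.etree.ElementTree as ET

# Assumption (not stated on the page): only these interface types get a tap
# device that libvirt's nwfilter ebtables/iptables rules can hook.
TAP_TYPES = {"network", "bridge", "ethernet"}
MACVTAP_FORWARD_MODES = {"vepa", "private", "passthrough"}


def actual_type(iface, networks):
    """Resolve the type libvirt will use at start time (type='network' may become 'direct')."""
    itype = iface.get("type")
    if itype != "network":
        return itype
    net = networks.get(iface.find("source").get("network"))
    if net is None:
        return "network"                      # unknown network: assume tap on a bridge
    root = ET.fromstring(net)
    fwd = root.find("forward")
    if fwd is None:
        return "network"                      # isolated network: tap on a libvirt bridge
    mode = fwd.get("mode", "nat")
    if mode in MACVTAP_FORWARD_MODES or (mode == "bridge" and root.find("bridge") is None):
        return "direct"                       # macvtap: bypasses ebtables and iptables
    return "network"


def unfiltered_filterrefs(domain_xml, networks):
    """Return (mac, actual_type, filter) for each <filterref> that can never take effect."""
    findings = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        fref = iface.find("filterref")
        if fref is None:
            continue
        atype = actual_type(iface, networks)
        if atype not in TAP_TYPES:
            mac = iface.find("mac")
            findings.append((mac.get("address") if mac is not None else "?", atype, fref.get("filter")))
    return findings


# Constructed sample input mirroring the report: test3 on vepa-net, plus a second NIC on a NAT network.
DOMAIN_XML = """<domain type='kvm'><name>test3</name><devices>
<interface type='network'><mac address='52:54:00:cb:be:fc'/><source network='vepa-net'/><filterref filter='clean-traffic'/></interface>
<interface type='network'><mac address='52:54:00:aa:bb:cc'/><source network='default'/><filterref filter='clean-traffic'/></interface>
</devices></domain>"""
NETWORKS = {
    "vepa-net": "<network><name>vepa-net</name><forward dev='enp1s0' mode='vepa'><interface dev='enp1s0'/></forward></network>",
    "default": "<network><name>default</name><forward mode='nat'/><bridge name='virbr0'/></network>",
}
```

Feed it the output of virsh dumpxml --inactive and virsh net-dumpxml for each referenced network; on the report's configuration only the vepa-net interface is flagged, so the filter gap can be caught before the guest is started.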
Pushed upstream:
commit f4f1d18dc464a4fd436ce9cdd18d6f06fa7494e5
Author: Laine Stump <laine>
Date: Mon Aug 10 02:05:29 2015 -0400
qemu: fail on attempts to use <filterref> for non-tap network connections
Verified this bug with libvirt-1.2.17-7.el7.x86_64
1. Try to start a guest with filterref while not using a tap device
# virsh start r7
error: Failed to start domain r7
error: unsupported configuration: filterref is not supported for network interfaces of type direct
2. Attach an interface with filterref while not using a tap device
# virsh attach-device r7 network.xml
error: Failed to attach device from network.xml
error: unsupported configuration: filterref is not supported for network interfaces of type direct
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-2202.html