Description of problem:

Can't start default(virbr0) network

#virsh net-start default
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.

Version-Release number of selected component (if applicable):

# libvirtd -V
libvirtd (libvirt) 5.1.0

built against the git commit below

# git log -1
commit 27a9ebf28183cb3c3c784fcab622e67e978eb3dc (HEAD -> master)
Author: Christian Ehrhardt <christian.ehrhardt>
Date:   Tue Feb 12 11:12:52 2019 +0100

    security: aa-helper: generate more rules for gl devices

    Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled graphics
    devices" implemented the detection for gl enabled devices in
    virt-aa-helper. But further testing showed that it will need much more
    access for the full gl stack to work.

    Upstream apparmor just recently split those things out and now has two
    related abstractions at https://gitlab.com/apparmor/apparmor/blob/master:
    - dri-common at /profiles/apparmor.d/abstractions/dri-common
    - mesa: at /profiles/apparmor.d/abstractions/mesa

    It would be great to just include that for the majority of rules, but
    they are not yet in any distribution so we need to add rules inspired by
    them based on the testing that we can do.

    Furthermore qemu with opengl will also probe the backing device of the
    rendernode for attributes which should be safe as read-only wildcard
    rules.

    Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815452

    Acked-by: Jamie Strandboge <jamie>
    Signed-off-by: Christian Ehrhardt <christian.ehrhardt>

# iptables -V
iptables v1.8.0 (legacy)

# firewall-cmd --version
0.6.3

# uname -r
5.0.0-rc7-ged2e2a772

# cat /etc/os-release
NAME=Fedora
VERSION="30 (Rawhide)"
ID=fedora
VERSION_ID=30
VERSION_CODENAME=""
PLATFORM_ID="platform:f30"
PRETTY_NAME="Fedora 30 (Rawhide)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:30"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=rawhide
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"

# lscpu
Architecture:          ppc64le
Byte Order:            Little Endian
CPU(s):                160
On-line CPU(s) list:   0,8,16,24,32,40,48,56,64,72,80,88,96,104,112,120,128,136,144,152
Off-line CPU(s) list:  1-7,9-15,17-23,25-31,33-39,41-47,49-55,57-63,65-71,73-79,81-87,89-95,97-103,105-111,113-119,121-127,129-135,137-143,145-151,153-159
Thread(s) per core:    1
Core(s) per socket:    5
Socket(s):             4
NUMA node(s):          4
Model:                 2.1 (pvr 004b 0201)
Model name:            POWER8E (raw), altivec supported
CPU max MHz:           3690.0000
CPU min MHz:           2061.0000
L1d cache:             64K
L1i cache:             32K
L2 cache:              512K
L3 cache:              8192K
NUMA node0 CPU(s):     0,8,16,24,32
NUMA node1 CPU(s):     40,48,56,64,72
NUMA node16 CPU(s):    80,88,96,104,112
NUMA node17 CPU(s):    120,128,136,144,152

How reproducible:
100 %

Steps to Reproduce:
1. #virsh net-start default

Actual results:
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.

Expected results:
virbr0 should be started and virsh net-list should show it active

Additional info:
(In reply to Satheesh Rajendran from comment #0)
> Description of problem:
>
> Can't start default(virbr0) network
>
> #virsh net-start default
> error: Failed to start network default
> error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert
> LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67
> --jump ACCEPT' failed: iptables: No chain/target/match by that name.

That is complaining that the LIBVIRT_INP chain doesn't exist. This is something libvirt will create at startup. If it is missing it suggests someone or something has deleted libvirt's chains. Did you manually restart the firewall init script, or have you restarted firewalld or otherwise caused the firewall to be flushed?

Restarting the libvirtd service should probably fix it.
(In reply to Daniel Berrange from comment #1)
> (In reply to Satheesh Rajendran from comment #0)
> > Description of problem:
> >
> > Can't start default(virbr0) network
> >
> > #virsh net-start default
> > error: Failed to start network default
> > error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert
> > LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67
> > --jump ACCEPT' failed: iptables: No chain/target/match by that name.
>
> That is complaining that LIBVIRT_INP chain doesn't exist. This is something
> libvirt will create at startup. If it is missing it suggests someone or
> something has deleted libvirt's chains. Did you manually restart firewall
> init script, or have you restarted firewalld or otherwise caused firewall to
> be flushed ?
>
> Restarting libvirtd service should probably fix it.

Did try that, no help.

# service libvirtd restart
Redirecting to /bin/systemctl restart libvirtd.service
[root@ltc-test-ci2 ~]# [ 2244.452873] virbr0: port 1(virbr0-nic) entered blocking state
[ 2244.452897] virbr0: port 1(virbr0-nic) entered disabled state
[ 2244.452974] device virbr0-nic entered promiscuous mode
[ 2244.563753] device virbr0-nic left promiscuous mode
[ 2244.563780] virbr0: port 1(virbr0-nic) entered disabled state

# virsh net-list --all
 Name      State      Autostart   Persistent
----------------------------------------------
 default   inactive   yes         yes

# virsh net-start default
[ 2281.761768] virbr0: port 1(virbr0-nic) entered blocking state
[ 2281.761792] virbr0: port 1(virbr0-nic) entered disabled state
[ 2281.761878] device virbr0-nic entered promiscuous mode
[ 2281.861972] device virbr0-nic left promiscuous mode
[ 2281.861996] virbr0: port 1(virbr0-nic) entered disabled state
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.

# service libvirtd status
Redirecting to /bin/systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor pr>
   Active: active (running) since Tue 2019-02-26 07:11:36 EST; 1min 17s ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 140411 (libvirtd)
   Memory: 72.1M
   CGroup: /system.slice/libvirtd.service
           └─140411 /usr/sbin/libvirtd

Feb 26 07:11:35 x.x.x.x systemd[1]: Starting Virtualiz>
Feb 26 07:11:36 x.x.x.x systemd[1]: Started Virtualiza>

# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-02-26 06:35:40 EST; 45min ago
     Docs: man:firewalld(1)
 Main PID: 9613 (firewalld)
   Memory: 149.5M
   CGroup: /system.slice/firewalld.service
           └─9613 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --destination 192.16>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --source 192.168.122>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --out-interface virb>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT --out-interface virb>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
Can you provide the output of "iptables-save" when this error occurs?
# iptables-save
# Generated by iptables-save v1.8.0 on Tue Feb 26 07:46:26 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Feb 26 07:46:26 2019
# Generated by iptables-save v1.8.0 on Tue Feb 26 07:46:26 2019
*mangle
:PREROUTING ACCEPT [193184:121808845]
:INPUT ACCEPT [191064:121396493]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117048:7343479]
:POSTROUTING ACCEPT [117058:7344273]
COMMIT
# Completed on Tue Feb 26 07:46:26 2019
# Generated by iptables-save v1.8.0 on Tue Feb 26 07:46:26 2019
*filter
:INPUT ACCEPT [191064:121396493]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117050:7344067]
COMMIT
# Completed on Tue Feb 26 07:46:26 2019
firewall-cmd --complete-reload fails with an iptables issue, not sure if related..

#firewall-cmd --complete-reload
Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): iptables-restore: unable to initialize table 'security'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> 5.0.0-rc7-ged2e2a772

This isn't a Fedora kernel AFAICT. Can you ensure you are running an official Fedora kernel build & try to reproduce? This will identify whether it's caused by a missing feature in your kernel build.
Thanks, looks like an issue with the compiled kernel; did use `ppc64le_defconfig` for the compile, need to check if any more configs need to be enabled. With the Fedora rawhide kernel the bridge network starts fine...

# uname -r
5.0.0-0.rc6.git1.1.fc30.ppc64le

# virsh net-list
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

# iptables-save
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*nat
:PREROUTING ACCEPT [6615:680980]
:INPUT ACCEPT [6:851]
:OUTPUT ACCEPT [50:3783]
:POSTROUTING ACCEPT [50:3783]
:LIBVIRT_PRT - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING_ZONES -o net0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i net0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*mangle
:PREROUTING ACCEPT [6888:729401]
:INPUT ACCEPT [6576:668686]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [212:36466]
:POSTROUTING ACCEPT [226:38304]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:LIBVIRT_PRT - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -j POSTROUTING_direct
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A PREROUTING_ZONES -i net0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*raw
:PREROUTING ACCEPT [6965:739553]
:OUTPUT ACCEPT [245:39683]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i net0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*security
:INPUT ACCEPT [309:54308]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [245:39683]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [212:36466]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j LIBVIRT_INP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i net0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o net0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i net0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
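The two iptables-save dumps in this thread differ exactly in the LIBVIRT_* chains: the broken host has only the built-in chains, the working host has LIBVIRT_INP, LIBVIRT_OUT, LIBVIRT_FWI, LIBVIRT_FWO and LIBVIRT_FWX in the filter table and LIBVIRT_PRT in both nat and mangle. As an added example (not code from the bug report or from libvirt), the POSIX shell script below turns that observation into a check: it reads an iptables-save dump and prints every expected table/chain pair that is missing, inspecting each table section separately so that the LIBVIRT_PRT copy in mangle does not mask a missing one in nat. The chain names come from the working dump above; the function names and the embedded sample dumps (trimmed, constructed versions of the two dumps) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report): report which of libvirt's iptables
# chains are absent from an iptables-save dump. The table/chain pairs are the ones
# the working dump in this thread shows libvirt 5.1.0 creating; the sample dumps
# below are constructed, trimmed versions of the two dumps posted in the thread.

# "table chain" pairs libvirt's network driver creates at startup.
expected_chains() {
    cat <<'EOF'
filter LIBVIRT_INP
filter LIBVIRT_OUT
filter LIBVIRT_FWI
filter LIBVIRT_FWO
filter LIBVIRT_FWX
nat LIBVIRT_PRT
mangle LIBVIRT_PRT
EOF
}

# Read an iptables-save dump on stdin; print one "table chain" line per expected
# chain whose declaration (":CHAIN - [...]") is missing from its table's section.
# LIBVIRT_PRT exists in both nat and mangle, so each "*table" ... "COMMIT" section
# is inspected on its own instead of grepping the whole dump.
missing_libvirt_chains() {
    dump=$(cat)
    expected_chains | while read -r table chain; do
        printf '%s\n' "$dump" | awk -v t="*$table" -v c=":$chain " '
            $0 == t                        { in_table = 1; next }
            in_table && /^COMMIT/          { in_table = 0 }
            in_table && index($0, c) == 1  { found = 1 }
            END                            { exit found ? 0 : 1 }
        ' || echo "$table $chain"
    done
}

# Number of missing chains in the dump text $1; 0 means libvirt's rules are in place.
count_missing_chains() {
    printf '%s\n' "$1" | missing_libvirt_chains | awk 'END { print NR }'
}

# Constructed: the broken host, built-in chains only, counters zeroed.
BROKEN_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed: the healthy host, with firewalld's own zone chains left out.
WORKING_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
*mangle
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
COMMIT'

# Constructed: the healthy dump with LIBVIRT_PRT removed from the nat table only,
# to show that the per-table check is not fooled by the copy still present in mangle.
PARTIAL_DUMP=$(printf '%s\n' "$WORKING_DUMP" | sed '/^\*nat$/,/^COMMIT$/{/LIBVIRT_PRT/d;}')

# Live use on a host:  iptables-save | missing_libvirt_chains
echo "missing on the broken host:"
printf '%s\n' "$BROKEN_DUMP" | missing_libvirt_chains
echo "missing after nat lost LIBVIRT_PRT:"
printf '%s\n' "$PARTIAL_DUMP" | missing_libvirt_chains
```

An empty result from `missing_libvirt_chains` means the chains libvirt expects are declared; any output names the exact table and chain that `virsh net-start` will trip over, which is quicker to read than the COMMAND_FAILED message and distinguishes a wholesale flush (every pair missing, as on the broken host) from a single table failing to load.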
Created attachment 1539085
fedora and upstream config diff

Need help in identifying the relevant configs to be enabled. Attached is the config diff output of Fedora (30 rawhide) (left side) and upstream (ppc64le_defconfig) (right side).
You've got *loads* of missing config options related to iptables/ebtables/etc in that config, so it is no wonder even basic firewall rules don't work. Please just use a regular distro kernel as we don't have time to spare debugging minimalistic kernel configs.
libvirtd (libvirt) 5.1.0, kernel 5.0.2, XUbuntu 18.10, iptables v1.6.1

I think something is missing|wrong in the firewall rules creation.
I've an ubuntu custom kernel system, with the same problem:

#virsh net-start default
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.

Debugging and debugging, I solved this problem with a workaround:
* manually create the iptables rules (script)
* start the default network as usual

Libvirt prior to release 5.1.0 didn't use named chains (only the chains INPUT, FORWARD and OUTPUT).

script:

#!/bin/bash
#you must be root
#https://www.spinics.net/linux/fedora/libvir/msg178415.html

#not necessary, this works
#/usr/bin/tunctl -t virbr0-nic
#brctl addbr virbr0
#brctl addif virbr0 virbr0-nic
#brctl stp virbr0 on

#filter table
iptables -t filter -N LIBVIRT_FWI
iptables -t filter -N LIBVIRT_FWO
iptables -t filter -N LIBVIRT_FWX
iptables -t filter -N LIBVIRT_INP
iptables -t filter -N LIBVIRT_OUT
iptables -t filter -A INPUT -j LIBVIRT_INP
iptables -t filter -A FORWARD -j LIBVIRT_FWX
iptables -t filter -A FORWARD -j LIBVIRT_FWI
iptables -t filter -A FORWARD -j LIBVIRT_FWO
iptables -t filter -A OUTPUT -j LIBVIRT_OUT
iptables -t filter -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
iptables -t filter -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
iptables -t filter -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT

#nat table
iptables -t nat -N LIBVIRT_PRT
iptables -t nat -A POSTROUTING -j LIBVIRT_PRT
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE

#mangle table
iptables -t mangle -N LIBVIRT_PRT
iptables -t mangle -A POSTROUTING -j LIBVIRT_PRT
iptables -t mangle -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

hope this helps
Regards
Michele Masè
For a custom kernel, you must have ipv6 support too, including:
ip6_tables
ip6table_filter

sample:
CONFIG_IPV6=m
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
# CONFIG_IPV6_MIP6 is not set
# CONFIG_IPV6_ILA is not set
# CONFIG_IPV6_VTI is not set
CONFIG_IPV6_SIT=m
# CONFIG_IPV6_SIT_6RD is not set
CONFIG_IPV6_NDISC_NODETYPE=y
# CONFIG_IPV6_TUNNEL is not set
CONFIG_IPV6_FOU=m
# CONFIG_IPV6_MULTIPLE_TABLES is not set
# CONFIG_IPV6_MROUTE is not set
# CONFIG_IPV6_SEG6_LWTUNNEL is not set
# CONFIG_IPV6_SEG6_HMAC is not set
CONFIG_IP_VS_IPV6=y
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_REJECT_IPV6=m
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NF_FLOW_TABLE_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT_IPV6=m
CONFIG_NF_NAT_MASQUERADE_IPV6=y
# CONFIG_IP6_NF_MATCH_IPV6HEADER is not set
CONFIG_NF_DEFRAG_IPV6=m

Regards
Michele Masè
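The two custom-kernel reports in this thread come down to the same thing: a .config that lacks the netfilter pieces behind the rules libvirt and firewalld install. As an added example (not from the bug report or from the libvirt project), the shell script below reads a kernel .config and lists the options, among a chosen set, that are neither built in (=y) nor modules (=m). The set covers the features the rules and tables in this thread visibly use: the iptables filter, nat, mangle, raw and security tables, the conntrack match, the REJECT, MASQUERADE and CHECKSUM targets, bridging, and the ip6_tables and ip6table_filter modules the comment above names. That option list is this example's own mapping of those features to Kconfig symbols, not a list the thread states, and a given libvirt/firewalld setup may need more; the sample .config fragment is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): check a kernel .config for the netfilter
# options behind the tables, matches and targets seen in this thread. The option
# list is this example's own selection of Kconfig symbols for those features, not
# one the thread gives; the sample .config fragment below is constructed.

REQUIRED_KCONFIG="
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK
CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_CONNTRACK
CONFIG_NETFILTER_XT_TARGET_CHECKSUM
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_MANGLE
CONFIG_IP_NF_RAW
CONFIG_IP_NF_SECURITY
CONFIG_IPV6
CONFIG_IP6_NF_IPTABLES
CONFIG_IP6_NF_FILTER
CONFIG_BRIDGE
"

# Read a .config on stdin and print every required option that is neither =y nor =m.
# Disabled options appear as "# CONFIG_X is not set" or are absent altogether, so
# only the positive form is looked for; the trailing "=" keeps CONFIG_IP_NF_NAT
# from matching CONFIG_IP_NF_NAT_SOMETHING.
missing_kconfig_options() {
    cfg=$(cat)
    for opt in $REQUIRED_KCONFIG; do
        printf '%s\n' "$cfg" | grep -Eq "^$opt=(y|m)$" || echo "$opt"
    done
}

# Number of required options missing from the .config text passed as $1.
count_missing_kconfig() {
    printf '%s\n' "$1" | missing_kconfig_options | awk 'END { print NR }'
}

# Constructed .config fragment: IPv4 iptables is mostly there, but the raw and
# security tables, the CHECKSUM target and the IPv6 tables are not.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_SECURITY is not set
CONFIG_IPV6=m
# CONFIG_IP6_NF_IPTABLES is not set
# CONFIG_IP6_NF_FILTER is not set
CONFIG_BRIDGE=m'

# Constructed: the same set with every required option built as a module.
FULL_CONFIG=$(for opt in $REQUIRED_KCONFIG; do echo "$opt=m"; done)

# Live use:  missing_kconfig_options < /boot/config-"$(uname -r)"
#       or:  zcat /proc/config.gz | missing_kconfig_options
echo "options missing from the sample config:"
printf '%s\n' "$SAMPLE_CONFIG" | missing_kconfig_options
```

Run against the sample fragment the script names the five options whose absence matches the symptoms in this thread: a missing security table (the firewall-cmd --complete-reload failure), no IPv6 tables (the point of the comment above), and no CHECKSUM target for the mangle rule libvirt adds for DHCP. Extending the list is a matter of appending symbols to REQUIRED_KCONFIG.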
The situation is improved in current git master with this https://www.redhat.com/archives/libvir-list/2019-March/msg01218.html
I'm also experiencing this issue on Gentoo Linux/systemd with a custom kernel. If I run the script from comment #11 everything is cool, but for some reason the rules don't get applied when I (re)start the service.
Nm.. I read the rest of the comments/patches. I'm probably missing some ipv6 stuff in my kernel. Will try the latest patches.