Bug 1683174 - default bridge network does not start
Summary: default bridge network does not start
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: ppc64le
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-02-26 11:57 UTC by Satheesh Rajendran
Modified: 2019-03-23 20:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-27 09:16:22 UTC
Embargoed:


Attachments
fedora and upstream config diff (324.30 KB, text/plain)
2019-02-27 08:57 UTC, Satheesh Rajendran

Description Satheesh Rajendran 2019-02-26 11:57:52 UTC
Description of problem:

Can't start default(virbr0) network

#virsh net-start default 
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.


Version-Release number of selected component (if applicable):
# libvirtd -V
libvirtd (libvirt) 5.1.0 built against below git commit

# git log -1
commit 27a9ebf28183cb3c3c784fcab622e67e978eb3dc (HEAD -> master)
Author: Christian Ehrhardt <christian.ehrhardt>
Date:   Tue Feb 12 11:12:52 2019 +0100

    security: aa-helper: generate more rules for gl devices
    
    Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled
    graphics devices" implemented the detection for gl enabled
    devices in virt-aa-helper. But further testing showed
    that it will need much more access for the full gl stack
    to work.
    
    Upstream apparmor just recently split those things out and now
    has two related abstractions at
    https://gitlab.com/apparmor/apparmor/blob/master:
    - dri-common at /profiles/apparmor.d/abstractions/dri-common
    - mesa: at /profiles/apparmor.d/abstractions/mesa
    
    If would be great to just include that for the majority of
    rules, but they are not yet in any distribution so we need
    to add rules inspired by them based on the testing that we
    can do.
    
    Furthermore qemu with opengl will also probe the backing device
    of the rendernode for attributes which should be safe as
    read-only wildcard rules.
    
    Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815452
    
    Acked-by: Jamie Strandboge <jamie>
    Signed-off-by: Christian Ehrhardt <christian.ehrhardt>


# iptables -V
iptables v1.8.0 (legacy)

# firewall-cmd --version
0.6.3

# uname -r
5.0.0-rc7-ged2e2a772

# cat /etc/os-release 
NAME=Fedora
VERSION="30 (Rawhide)"
ID=fedora
VERSION_ID=30
VERSION_CODENAME=""
PLATFORM_ID="platform:f30"
PRETTY_NAME="Fedora 30 (Rawhide)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:30"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=rawhide
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"


# lscpu
Architecture:         ppc64le
Byte Order:           Little Endian
CPU(s):               160
On-line CPU(s) list:  0,8,16,24,32,40,48,56,64,72,80,88,96,104,112,120,128,136,144,152
Off-line CPU(s) list: 1-7,9-15,17-23,25-31,33-39,41-47,49-55,57-63,65-71,73-79,81-87,89-95,97-103,105-111,113-119,121-127,129-135,137-143,145-151,153-159
Thread(s) per core:   1
Core(s) per socket:   5
Socket(s):            4
NUMA node(s):         4
Model:                2.1 (pvr 004b 0201)
Model name:           POWER8E (raw), altivec supported
CPU max MHz:          3690.0000
CPU min MHz:          2061.0000
L1d cache:            64K
L1i cache:            32K
L2 cache:             512K
L3 cache:             8192K
NUMA node0 CPU(s):    0,8,16,24,32
NUMA node1 CPU(s):    40,48,56,64,72
NUMA node16 CPU(s):   80,88,96,104,112
NUMA node17 CPU(s):   120,128,136,144,152


How reproducible:
100 %

Steps to Reproduce:
1. #virsh net-start default 



Actual results:
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.

Expected results:
virbr0 should be started and virsh net-list should show active


Additional info:

Comment 1 Daniel Berrangé 2019-02-26 12:05:22 UTC
(In reply to Satheesh Rajendran from comment #0)
> Description of problem:
> 
> Can't start default(virbr0) network
> 
> #virsh net-start default 
> error: Failed to start network default
> error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert
> LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67
> --jump ACCEPT' failed: iptables: No chain/target/match by that name.

That is complaining that the LIBVIRT_INP chain doesn't exist. This is something libvirt will create at startup. If it is missing, it suggests someone or something has deleted libvirt's chains. Did you manually restart the firewall init script, or have you restarted firewalld or otherwise caused the firewall to be flushed?

Restarting libvirtd service should probably fix it.

Comment 2 Satheesh Rajendran 2019-02-26 12:14:58 UTC
(In reply to Daniel Berrange from comment #1)
> (In reply to Satheesh Rajendran from comment #0)
> > Description of problem:
> > 
> > Can't start default(virbr0) network
> > 
> > #virsh net-start default 
> > error: Failed to start network default
> > error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert
> > LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67
> > --jump ACCEPT' failed: iptables: No chain/target/match by that name.
> 
> That is complaining that LIBVIRT_INP chain doesn't exist. This is something
> libvirt will create at startup. If it is missing it suggests someone or
> something has deleted libvirt's chains. Did you manually restart firewall
> init script, or have you restarted firewalld or otherwise caused firewall to
> be flushed ?  
> 
> Restarting libvirtd service should probably fix it.

Did try that, no help

# service libvirtd restart
Redirecting to /bin/systemctl restart libvirtd.service
[root@ltc-test-ci2 ~]# [ 2244.452873] virbr0: port 1(virbr0-nic) entered blocking state
[ 2244.452897] virbr0: port 1(virbr0-nic) entered disabled state
[ 2244.452974] device virbr0-nic entered promiscuous mode
[ 2244.563753] device virbr0-nic left promiscuous mode
[ 2244.563780] virbr0: port 1(virbr0-nic) entered disabled state

# virsh net-list --all
 Name      State      Autostart   Persistent
----------------------------------------------
 default   inactive   yes         yes

# virsh net-start default
[ 2281.761768] virbr0: port 1(virbr0-nic) entered blocking state
[ 2281.761792] virbr0: port 1(virbr0-nic) entered disabled state
[ 2281.761878] device virbr0-nic entered promiscuous mode
[ 2281.861972] device virbr0-nic left promiscuous mode
[ 2281.861996] virbr0: port 1(virbr0-nic) entered disabled state
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.


# service libvirtd status
Redirecting to /bin/systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor pr>
   Active: active (running) since Tue 2019-02-26 07:11:36 EST; 1min 17s ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 140411 (libvirtd)
   Memory: 72.1M
   CGroup: /system.slice/libvirtd.service
           └─140411 /usr/sbin/libvirtd

Feb 26 07:11:35 x.x.x.x systemd[1]: Starting Virtualiz>
Feb 26 07:11:36 x.x.x.x  systemd[1]: Started Virtualiza>

Comment 3 Satheesh Rajendran 2019-02-26 12:22:33 UTC
# service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-02-26 06:35:40 EST; 45min ago
     Docs: man:firewalld(1)
 Main PID: 9613 (firewalld)
   Memory: 149.5M
   CGroup: /system.slice/firewalld.service
           └─9613 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --destination 192.16>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --source 192.168.122>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --out-interface virb>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT --out-interface virb>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>
Feb 26 07:16:46 x.x.x.x firewalld[9613]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr>

Comment 4 Daniel Berrangé 2019-02-26 12:35:08 UTC
Can you provide the output of "iptables-save" when this error occurs..

Comment 5 Satheesh Rajendran 2019-02-26 12:47:15 UTC
# iptables-save
# Generated by iptables-save v1.8.0 on Tue Feb 26 07:46:26 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Feb 26 07:46:26 2019
# Generated by iptables-save v1.8.0 on Tue Feb 26 07:46:26 2019
*mangle
:PREROUTING ACCEPT [193184:121808845]
:INPUT ACCEPT [191064:121396493]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117048:7343479]
:POSTROUTING ACCEPT [117058:7344273]
COMMIT
# Completed on Tue Feb 26 07:46:26 2019
# Generated by iptables-save v1.8.0 on Tue Feb 26 07:46:26 2019
*filter
:INPUT ACCEPT [191064:121396493]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117050:7344067]
COMMIT
# Completed on Tue Feb 26 07:46:26 2019

Comment 6 Satheesh Rajendran 2019-02-26 12:56:08 UTC
firewall-cmd --complete-reload fails with iptables issue, not sure if related..



#firewall-cmd --complete-reload
Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): iptables-restore: unable to initialize table 'security'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Comment 7 Daniel Berrangé 2019-02-26 13:35:21 UTC
> 5.0.0-rc7-ged2e2a772

This isn't a Fedora kernel AFAICT. Can you ensure you are running an official Fedora kernel build & try to reproduce? This will identify whether it's caused by a missing feature in your kernel build.

Comment 8 Satheesh Rajendran 2019-02-27 05:38:21 UTC
Thanks, it looks like an issue with the compiled kernel; I used `ppc64le_defconfig` to compile it and need to check whether any more configs need to be enabled.

With the Fedora Rawhide kernel the bridge network starts fine...
# uname -r
5.0.0-0.rc6.git1.1.fc30.ppc64le

# virsh net-list 
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes


# iptables-save
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*nat
:PREROUTING ACCEPT [6615:680980]
:INPUT ACCEPT [6:851]
:OUTPUT ACCEPT [50:3783]
:POSTROUTING ACCEPT [50:3783]
:LIBVIRT_PRT - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING_ZONES -o net0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i net0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*mangle
:PREROUTING ACCEPT [6888:729401]
:INPUT ACCEPT [6576:668686]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [212:36466]
:POSTROUTING ACCEPT [226:38304]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:LIBVIRT_PRT - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -j POSTROUTING_direct
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A PREROUTING_ZONES -i net0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*raw
:PREROUTING ACCEPT [6965:739553]
:OUTPUT ACCEPT [245:39683]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i net0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*security
:INPUT ACCEPT [309:54308]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [245:39683]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
# Generated by iptables-save v1.8.0 on Wed Feb 27 00:36:54 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [212:36466]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j LIBVIRT_INP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i net0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o net0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i net0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Feb 27 00:36:54 2019
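Comment 1 says the LIBVIRT_INP chain is something libvirtd creates at startup; the dump in comment 5 shows every libvirt chain absent and the raw and security tables missing, while the dump above shows them all present and hooked from the builtin chains. The Python script below is an added example (not part of this bug report or of libvirt) that parses iptables-save output and separates the two explanations that came up in the triage: tables that cannot be loaded at all (the kernel-config case) versus loaded tables from which libvirt's chains have been flushed or left unhooked (the restart-libvirtd case). The chain and table names are taken from the dumps in this bug; the two embedded dumps are constructed, abbreviated copies of comment 5 and comment 8.

```python
"""Diagnose a missing-libvirt-chain failure from iptables-save output."""
import re
import sys

# Chains libvirt 5.1 creates for the default NAT network (working dump, comment 8).
LIBVIRT_CHAINS = {
    "filter": {"LIBVIRT_INP", "LIBVIRT_OUT", "LIBVIRT_FWI", "LIBVIRT_FWO", "LIBVIRT_FWX"},
    "nat": {"LIBVIRT_PRT"},
    "mangle": {"LIBVIRT_PRT"},
}
# Tables in the working dump; 'security' is the one firewalld could not initialize.
EXPECTED_TABLES = {"filter", "nat", "mangle", "raw", "security"}
BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

# Constructed, abbreviated copies of the comment 5 (broken) and comment 8 (working)
# dumps: only the lines the diagnosis needs are kept.
BROKEN_DUMP = """\
*nat
COMMIT
*filter
:INPUT ACCEPT [0:0]
COMMIT
"""
WORKING_DUMP = """\
*nat
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
*mangle
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
*raw
COMMIT
*security
COMMIT
*filter
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
COMMIT
"""

def parse_iptables_save(text):
    """Return {table: {"chains": set of names, "rules": ["-A ..." lines]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # comments and blank lines
        if line.startswith("*"):           # "*filter" opens a table block
            current = line[1:]
            tables[current] = {"chains": set(), "rules": []}
        elif line == "COMMIT":
            current = None
        elif current is None:
            continue
        elif line.startswith(":"):         # ":CHAIN POLICY [pkts:bytes]"
            tables[current]["chains"].add(line[1:].split()[0])
        elif line.startswith("-A"):
            tables[current]["rules"].append(line)
    return tables

def diagnose(text):
    """Separate 'table not loadable' from 'libvirt chains flushed or unhooked'."""
    tables = parse_iptables_save(text)
    report = {"missing_tables": sorted(EXPECTED_TABLES - set(tables)),
              "missing_chains": {}, "unhooked_chains": {}}
    for table, wanted in LIBVIRT_CHAINS.items():
        if table not in tables:
            continue
        present = tables[table]["chains"]
        if wanted - present:
            report["missing_chains"][table] = sorted(wanted - present)
        # A chain that exists but is never jumped to from a builtin chain is unusable.
        hooked = set()
        for rule in tables[table]["rules"]:
            m = re.match(r"-A\s+(\S+).*\s-[jg]\s+(\S+)", rule)
            if m and m.group(1) in BUILTIN:
                hooked.add(m.group(2))
        if (wanted & present) - hooked:
            report["unhooked_chains"][table] = sorted((wanted & present) - hooked)
    return report

def verdict(report):
    """One-line reading of the report, in the order this bug was triaged."""
    if report["missing_tables"]:
        return "tables not loadable: %s; check the kernel's netfilter config" % ", ".join(report["missing_tables"])
    if report["missing_chains"] or report["unhooked_chains"]:
        return "libvirt chains absent or unhooked: restart libvirtd to recreate them"
    return "ok: all libvirt chains present and hooked"

if __name__ == "__main__":
    # Pass a saved `iptables-save` dump as the argument; default is the broken sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_DUMP
    print(verdict(diagnose(text)))
```

Save `iptables-save` output to a file and pass it as the argument. Note that iptables-save only prints tables whose kernel modules are loaded, so a table reported as "not loadable" here is strictly "not present"; confirming that the module really cannot load, as `firewall-cmd --complete-reload` did for the security table in comment 6, is the next check.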

Comment 9 Satheesh Rajendran 2019-02-27 08:57:59 UTC
Created attachment 1539085 [details]
fedora and upstream config diff

Need help identifying the relevant configs to be enabled.
Attached is the config diff output of Fedora (30 Rawhide) (left side) and upstream (ppc64le_defconfig) (right side).

Comment 10 Daniel Berrangé 2019-02-27 09:16:22 UTC
You've got *loads* of missing config options related to iptables/ebtables/etc in that config, so it is no wonder even basic firewall rules don't work. Please just use a regular distro kernel as we don't have time to spare debugging minimalistic kernel configs.

Comment 11 michelemase 2019-03-15 12:14:02 UTC
libvirtd (libvirt) 5.1.0, kernel 5.0.2, XUbuntu 18.10, iptables v1.6.1

I think something is missing or wrong in the firewall rules creation. I have an Ubuntu custom kernel system, with the same problem:
#virsh net-start default 
error: Failed to start network default
error: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: No chain/target/match by that name.

Debugging and debugging, I solved this problem with a workaround:

* manually create the iptables rules (script)
* start the default network as usual

Libvirt prior to release 5.1.0 didn't use named chains (only the INPUT, FORWARD and OUTPUT chains)

script:

#!/bin/bash
#you must be root
#https://www.spinics.net/linux/fedora/libvir/msg178415.html
#not necessary, this works
#/usr/bin/tunctl -t virbr0-nic
#brctl addbr virbr0
#brctl addif virbr0 virbr0-nic
#brctl stp virbr0 on

#filter table
iptables -t filter -N LIBVIRT_FWI
iptables -t filter -N LIBVIRT_FWO
iptables -t filter -N LIBVIRT_FWX
iptables -t filter -N LIBVIRT_INP
iptables -t filter -N LIBVIRT_OUT
iptables -t filter -A INPUT -j LIBVIRT_INP
iptables -t filter -A FORWARD -j LIBVIRT_FWX
iptables -t filter -A FORWARD -j LIBVIRT_FWI
iptables -t filter -A FORWARD -j LIBVIRT_FWO
iptables -t filter -A OUTPUT -j LIBVIRT_OUT
iptables -t filter -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
iptables -t filter -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
iptables -t filter -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
iptables -t filter -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
#nat table
iptables -t nat -N LIBVIRT_PRT
iptables -t nat -A POSTROUTING -j LIBVIRT_PRT
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
#mangle table
iptables -t mangle -N LIBVIRT_PRT
iptables -t mangle -A POSTROUTING -j LIBVIRT_PRT
iptables -t mangle -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill


hope this helps
Regards
Michele Masè

Comment 12 michelemase 2019-03-19 15:33:16 UTC
For a custom kernel, you must have IPv6 support too, including:
ip6_tables
ip6table_filter

sample:

CONFIG_IPV6=m
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
# CONFIG_IPV6_MIP6 is not set
# CONFIG_IPV6_ILA is not set
# CONFIG_IPV6_VTI is not set
CONFIG_IPV6_SIT=m
# CONFIG_IPV6_SIT_6RD is not set
CONFIG_IPV6_NDISC_NODETYPE=y
# CONFIG_IPV6_TUNNEL is not set
CONFIG_IPV6_FOU=m
# CONFIG_IPV6_MULTIPLE_TABLES is not set
# CONFIG_IPV6_MROUTE is not set
# CONFIG_IPV6_SEG6_LWTUNNEL is not set
# CONFIG_IPV6_SEG6_HMAC is not set
CONFIG_IP_VS_IPV6=y
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_REJECT_IPV6=m
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NF_FLOW_TABLE_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT_IPV6=m
CONFIG_NF_NAT_MASQUERADE_IPV6=y
# CONFIG_IP6_NF_MATCH_IPV6HEADER is not set
CONFIG_NF_DEFRAG_IPV6=m

Regards
Michele Masè
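Comment 10 says the reporter's `ppc64le_defconfig` kernel is missing loads of iptables-related options, and comment 12 adds that ip6_tables and ip6table_filter are needed as well. As an added example (not from this bug report or from the libvirt project), the Python script below reads a kernel `.config` in the format shown in comment 12 and reports which netfilter options are neither built in nor modular, and can reduce a side-by-side config diff like the one attached in comment 9 to the netfilter-relevant differences. The list of required options is my assumption: it is derived from the tables, matches and targets used by the working rule set in comment 8 (filter, nat, mangle, raw and security tables; conntrack, CHECKSUM, MASQUERADE and REJECT) plus the IPv6 modules named in comment 12, it is not a list the bug itself gives, and option names move between kernel releases, so adjust it for the tree being built. The sample config is constructed.

```python
"""Check a kernel .config for the netfilter options libvirt's iptables rules need."""
import re

# ASSUMED list (not from the bug report): the tables, matches and targets used by
# the working rule set in comment 8, plus the IPv6 modules named in comment 12.
# Option names move between kernel releases (e.g. the MASQUERADE target became
# CONFIG_NETFILTER_XT_TARGET_MASQUERADE in later kernels); adjust for your tree.
REQUIRED = {
    "CONFIG_NETFILTER": "netfilter core",
    "CONFIG_NF_CONNTRACK": "connection tracking",
    "CONFIG_NETFILTER_XT_MATCH_CONNTRACK": "-m conntrack --ctstate",
    "CONFIG_NETFILTER_XT_TARGET_CHECKSUM": "-j CHECKSUM (mangle LIBVIRT_PRT)",
    "CONFIG_IP_NF_IPTABLES": "ip_tables",
    "CONFIG_IP_NF_FILTER": "filter table",
    "CONFIG_IP_NF_TARGET_REJECT": "-j REJECT",
    "CONFIG_IP_NF_NAT": "nat table",
    "CONFIG_IP_NF_TARGET_MASQUERADE": "-j MASQUERADE (nat LIBVIRT_PRT)",
    "CONFIG_IP_NF_MANGLE": "mangle table",
    "CONFIG_IP_NF_RAW": "raw table",
    "CONFIG_IP_NF_SECURITY": "security table (firewalld --complete-reload)",
    "CONFIG_IP6_NF_IPTABLES": "ip6_tables",
    "CONFIG_IP6_NF_FILTER": "ip6table_filter",
    "CONFIG_BRIDGE": "bridge device virbr0",
}
NETFILTER_PREFIXES = ("CONFIG_NETFILTER", "CONFIG_NF_", "CONFIG_NFT_", "CONFIG_IP_NF_",
                      "CONFIG_IP6_NF_", "CONFIG_IPV6", "CONFIG_BRIDGE")
SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

# Constructed sample in .config format, as a minimal defconfig might look.
SAMPLE_CONFIG = """\
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_SECURITY is not set
CONFIG_BRIDGE=y
CONFIG_IPV6=m
# CONFIG_IP6_NF_IPTABLES is not set
"""

def parse_kconfig(text):
    """Map CONFIG_* names to their value; '# X is not set' lines map to 'n'."""
    opts = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line.strip())
        if m:
            opts[m.group(1)] = "n"
    return opts

def enabled(opts, name):
    """Built in (y) or modular (m) both let iptables autoload the table/target."""
    return opts.get(name) in ("y", "m")

def missing_options(text):
    """Sorted (option, why-it-matters) pairs that are neither y nor m."""
    opts = parse_kconfig(text)
    return sorted((n, why) for n, why in REQUIRED.items() if not enabled(opts, n))

def netfilter_diff(good_text, bad_text):
    """Netfilter-related options enabled in good_text but not in bad_text: the
    useful subset of a side-by-side config diff like the one in comment 9."""
    good, bad = parse_kconfig(good_text), parse_kconfig(bad_text)
    return sorted(n for n in good if n.startswith(NETFILTER_PREFIXES)
                  and enabled(good, n) and not enabled(bad, n))

if __name__ == "__main__":
    for name, why in missing_options(SAMPLE_CONFIG):
        print("%-40s %s" % (name, why))
```

On a running system the config usually comes from `/proc/config.gz` or `/boot/config-$(uname -r)`; pass the decompressed text to `missing_options`, or the distro kernel's config and the custom one to `netfilter_diff` to get the short list comment 10 asks for.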

Comment 13 Daniel Berrangé 2019-03-19 15:35:39 UTC
The situation is improved in current git master with this https://www.redhat.com/archives/libvir-list/2019-March/msg01218.html

Comment 14 Albert Hopkins 2019-03-23 20:28:21 UTC
I'm also experiencing this issue on Gentoo Linux/systemd with a custom kernel.  If I run the script from comment #11 everything is cool, but for some reason the rules don't get applied when I (re)start the service.

Comment 15 Albert Hopkins 2019-03-23 20:47:24 UTC
Nm.. I read the rest of the comments/patches.  I'm probably missing some ipv6 stuff in my kernel.  Will try the latest patches.

