Created attachment 765686 [details]
virt-manager configuration of a switch

Description of problem:

I tried installing a guest using -w bridge=switch and the guest could not get a DHCP address. Then I did 'iptables -F' and suddenly the guest could get the DHCP address.

This problem shows up if I use virt-manager (see attached image of configuration) or virt-install:

virt-install -l http://192.168.2.251/tftpboot/lab/tst031/f19-x86_64 --ram 1024 --disk /dev/vg_guests/guest2 --name F19-64 -w bridge=switch

[root@tst031 network-scripts]# cat ifcfg-switch
DEVICE=switch
TYPE=Bridge
BOOTPROTO=dhcp
ONBOOT=yes
DELAY=0
USERCTL=no
NM_CONTROLLED=no

[root@tst031 network-scripts]# cat ifcfg-em1
# Generated by dracut initrd
DEVICE="em1"
ONBOOT=yes
BOOTPROTO=none
BRIDGE="switch"
UUID="d211e3b6-e501-4126-a1c2-6e838a0e2e5b"
HWADDR="00:22:4d:69:de:00"
TYPE=Ethernet
NAME="em1"

[root@tst031 network-scripts]# brctl show
bridge name     bridge id               STP enabled     interfaces
switch          0080.00224d69de00       no              em1
                                                        vif4.0
virbr0          8000.000000000000       yes

iptables:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
49451 157M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 120 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
110 21761 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
110 21761 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
9 720 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
63 11577 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
44 9077 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
44 9077 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
44 9077 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
44 9077 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 135 packets, 73970 bytes)
pkts bytes target prot opt in out source destination
58258 65M OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_ZONE_public all -- p1p2 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_ZONE_public all -- p1p1 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_ZONE_public all -- em1 * 0.0.0.0/0 0.0.0.0/0 [goto]
44 9077 FWDI_ZONE_public all -- switch * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_ZONE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_ZONE_public all -- * p1p2 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_ZONE_public all -- * p1p1 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_ZONE_public all -- * em1 0.0.0.0/0 0.0.0.0/0 [goto]
44 9077 FWDO_ZONE_public all -- * switch 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_ZONE_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_ZONE_public (5 references)
pkts bytes target prot opt in out source destination
44 9077 FWDI_ZONE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
44 9077 FWDI_ZONE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
44 9077 FWDI_ZONE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDI_ZONE_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_ZONE_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_ZONE_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_ZONE_external (0 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_ZONE_external_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_ZONE_external_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_ZONE_external_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDO_ZONE_external_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDO_ZONE_external_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_ZONE_external_log (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_ZONE_public (5 references)
pkts bytes target prot opt in out source destination
44 9077 FWDO_ZONE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
44 9077 FWDO_ZONE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
44 9077 FWDO_ZONE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDO_ZONE_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_ZONE_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_ZONE_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
53 5337 IN_ZONE_public all -- p1p2 * 0.0.0.0/0 0.0.0.0/0 [goto]
11 3173 IN_ZONE_public all -- p1p1 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_ZONE_public all -- em1 * 0.0.0.0/0 0.0.0.0/0 [goto]
37 11452 IN_ZONE_public all -- switch * 0.0.0.0/0 0.0.0.0/0 [goto]
9 1799 IN_ZONE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_dmz (0 references)
pkts bytes target prot opt in out source destination
0 0 IN_ZONE_dmz_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_ZONE_dmz_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_ZONE_dmz_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_ZONE_dmz_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

Chain IN_ZONE_dmz_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_dmz_log (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_external (0 references)
pkts bytes target prot opt in out source destination
0 0 IN_ZONE_external_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_ZONE_external_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_ZONE_external_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_ZONE_external_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

Chain IN_ZONE_external_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_external_log (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_home (0 references)
pkts bytes target prot opt in out source destination
0 0 IN_ZONE_home_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_ZONE_home_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_ZONE_home_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_ZONE_home_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW

Chain IN_ZONE_home_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_home_log (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_internal (0 references)
pkts bytes target prot opt in out source destination
0 0 IN_ZONE_internal_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_ZONE_internal_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_ZONE_internal_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_ZONE_internal_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW

Chain IN_ZONE_internal_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_internal_log (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_public (5 references)
pkts bytes target prot opt in out source destination
110 21761 IN_ZONE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
110 21761 IN_ZONE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
110 21761 IN_ZONE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_ZONE_public_allow (1 references)
pkts bytes target prot opt in out source destination
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
36 9344 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW

Chain IN_ZONE_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_work (0 references)
pkts bytes target prot opt in out source destination
0 0 IN_ZONE_work_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_ZONE_work_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_ZONE_work_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_ZONE_work_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631 ctstate NEW

Chain IN_ZONE_work_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_ZONE_work_log (1 references)
pkts bytes target prot opt in out source destination

Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination

Version-Release number of selected component (if applicable):

[root@tst031 network-scripts]# rpm -qa | grep virt
virt-install-0.10.0-0.5.gitde1695b2.fc19.noarch
libvirt-daemon-xen-1.0.5.1-1.fc19.x86_64
libvirt-daemon-driver-nwfilter-1.0.5.1-1.fc19.x86_64
libvirt-daemon-config-network-1.0.5.1-1.fc19.x86_64
libvirt-daemon-driver-secret-1.0.5.1-1.fc19.x86_64
libvirt-client-1.0.5.1-1.fc19.x86_64
libvirt-gobject-0.1.6-1.fc19.x86_64
libvirt-daemon-1.0.5.1-1.fc19.x86_64
virt-viewer-0.5.6-1.fc19.x86_64
libvirt-daemon-driver-nodedev-1.0.5.1-1.fc19.x86_64
libvirt-daemon-kvm-1.0.5.1-1.fc19.x86_64
virt-manager-0.10.0-0.5.gitde1695b2.fc19.noarch
libvirt-daemon-driver-qemu-1.0.5.1-1.fc19.x86_64
virt-manager-common-0.10.0-0.5.gitde1695b2.fc19.noarch
libvirt-daemon-driver-libxl-1.0.5.1-1.fc19.x86_64
libvirt-glib-0.1.6-1.fc19.x86_64
libgovirt-0.0.3-2.fc19.x86_64
libvirt-daemon-driver-storage-1.0.5.1-1.fc19.x86_64
libvirt-daemon-driver-interface-1.0.5.1-1.fc19.x86_64
libvirt-daemon-driver-network-1.0.5.1-1.fc19.x86_64
libvirt-gconfig-0.1.6-1.fc19.x86_64
libvirt-python-1.0.5.1-1.fc19.x86_64
libvirt-daemon-driver-xen-1.0.5.1-1.fc19.x86_64

How reproducible:

100%

Steps to Reproduce:

1. Setup a bridge, say called 'switch'
2. Run virt-install with the -w bridge=switch, as so:
   virt-install -l http://192.168.2.251/tftpboot/lab/tst031/f19-x86_64 --ram 1024 --disk /dev/vg_guests/guest2 --name F19-64 -w bridge=switch
3. See the guest not being able to get DHCP addresses.

Actual results:

See attached screenshot of virt-viewer (sorry, can't copy-n-paste it)

Expected results:

A normal installation

Additional info:

If I do 'iptables -F' it works :-)
Created attachment 765687 [details] Guest 'journalctl' when it could not get a DHCP address.
Bug 978443 got me changing my default bridge to use 'xenbr0' and sure enough if I use that it works great!

virt-install -l http://192.168.2.251/tftpboot/lab/tst031/f19-x86_64 --ram 1024 --disk /dev/vg_guests/guest2 --name F19-64 --force -w bridge=xenbr0
Yeah, libvirt only touches iptables if you use the virtual network integration. If you tell it to use a raw bridge it won't touch anything. xenbr0 should already be the default for virt-install xen, maybe something broke there.
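
Added example, not part of the bug thread: a short Python reader for a counter listing like the one in the report (the format `iptables -L -n -v` prints). It follows jumps from a built-in chain and returns the REJECT/DROP rules whose packet counters are non-zero. The sample is an abridged excerpt of the reporter's listing; the function names are made up for this example.

```python
import re

# Abridged excerpt of the listing posted in the report (columns re-spaced).
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
49451 157M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
   63 11577 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
   44 9077 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
   44 9077 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target prot opt in out source destination
    0 0 FWDI_ZONE_public all -- em1 * 0.0.0.0/0 0.0.0.0/0 [goto]
   44 9077 FWDI_ZONE_public all -- switch * 0.0.0.0/0 0.0.0.0/0 [goto]
"""

UNITS = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def count(field):
    # Counters are abbreviated without -x (e.g. 157M), so the value is approximate.
    return int(field[:-1]) * UNITS[field[-1]] if field[-1] in UNITS else int(field)

def parse(listing):
    """Return {chain name: [rule dict, ...]} in listing order."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        f = line.split()
        if current is None or len(f) < 9 or not f[0][0].isdigit():
            continue  # blank line, column header, or text outside a chain
        current.append({"pkts": count(f[0]), "bytes": count(f[1]), "target": f[2],
                        "in": f[5], "out": f[6], "extra": " ".join(f[9:])})
    return chains

def blocking_rules(chains, root, path=()):
    """Yield (chain path, rule) for REJECT/DROP rules that have matched packets."""
    if root in path:  # guard against chains that reference each other
        return
    path += (root,)
    for rule in chains.get(root, []):
        if rule["target"] in ("REJECT", "DROP") and rule["pkts"] > 0:
            yield path, rule
        elif rule["target"] in chains and rule["pkts"] > 0:
            yield from blocking_rules(chains, rule["target"], path)
```

On the excerpt, the only blocking rule with hits under FORWARD is the final icmp-host-prohibited REJECT, and its 44 packets equal the counter on the FORWARD_IN_ZONES rule whose in-interface is switch.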