Hi Luca,

On Fri, Aug 05, 2011 at 05:05:23PM +0200, Luca Capello wrote:
> Package: libvirt-bin
> Version: 0.8.3-5+squeeze2
> Severity: important
>
> Hi there!
>
> I would like to add network filters [1] to accept various kinds of
> incoming traffic (e.g. HTTP) and thus I read the documentation at:
>
> <http://libvirt.org/formatnwfilter.html>
>
> [1] despite myself not being a firewall guru, I fail to understand why
> we need yet another format to define filters instead of using the
> iptables syntax by default or adding something like the ifupdown's
> options (in this case post-up and pre-down)...
>
> However, adding a simple filter like the following causes an error:
> =====
> # cat /etc/libvirt/nwfilter/allow-http.xml
> <filter name='allow-http' chain='ipv4'>
>   <rule action='accept' direction='in'>
>     <tcp dstportstart='80' />
>   </rule>
> </filter>
It works here with a very similar rule for ssh accept:

Chain FI-vnet0 (1 references)
target     prot opt source               destination
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED ctdir ORIGINAL

Chain FO-vnet0 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED ctdir REPLY

Chain HI-vnet0 (1 references)
target     prot opt source               destination
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED ctdir ORIGINAL

Could you check /var/log/libvirt/libvirtd.log? If there's nothing
interesting in there try running

    /etc/init.d/libvirt-bin stop
    LIBVIRT_DEBUG=1 libvirtd -v

and attach the output to this bug please.

>
> # grep allow-http /etc/libvirt/qemu/shelob.pca.it.xml
> <filterref filter='allow-http'/>
>
> # service libvirt-bin restart
>
> # less /var/log/syslog
> [...]
> Aug 5 16:27:55 mantissa libvirtd: 16:27:55.999: error : virRunWithHook:857 : \
>   internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr0 \
>   --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 \
>   and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).#012
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.404: error : ebiptablesDriverInit:3416 : \
>   internal error essential tools to support ip(6)tables firewalls could not be located
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.406: warning : qemudStartup:1832 : \
>   Unable to create cgroup for driver: No such device or address
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.494: warning : qemudParsePCIDeviceStrs:1422 : \
>   Unexpected exit status '1', qemu probably failed
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.498: error : _iptablesCreateRuleInstance:1113 : \
>   internal error cannot create rule since iptables tool is missing.
> Aug 5 16:27:56 mantissa kernel: [312791.663024] device vnet0 entered promiscuous mode
> Aug 5 16:27:56 mantissa kernel: [312791.664044] virbr0: topology change detected, propagating
> Aug 5 16:27:56 mantissa kernel: [312791.664047] virbr0: port 1(vnet0) entering forwarding state
> Aug 5 16:27:56 mantissa kernel: [312791.682240] virbr0: port 1(vnet0) entering disabled state
> Aug 5 16:27:56 mantissa kernel: [312791.701260] device vnet0 left promiscuous mode
> Aug 5 16:27:56 mantissa kernel: [312791.701262] virbr0: port 1(vnet0) entering disabled state
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.596: error : qemuAutostartDomain:827 : \
>   Failed to autostart VM 'shelob.pca.it': internal error cannot create rule since iptables tool is missing.
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.654: warning : lxcStartup:1900 : \
>   Unable to create cgroup for driver: No such device or address
> =====
>
> The first error is #592177 (with its clones #615907 and #626166), the
> other errors about essential or iptables tools missing are still
> puzzling my brain for an explication :-|

#592177 should be fixed with 0.9.4~rc1. 0.9.4 is about to be uploaded to
unstable pending a LFS fix.

Cheers,
 -- Guido

>
> NB, I do not have install-recommends on by default, but I have both
> ebtables and iptables installed. I tried installing libxml2-utils,
> but the error is still present.
>
> Thx, bye,
> Gismo / Luca
>
> -- System Information:
> Debian Release: 6.0.2
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libvirt-bin depends on:
> ii  adduser             3.112+nmu2              add and remove users and groups
> ii  libavahi-client3    0.6.27-2+squeeze1       Avahi client library
> ii  libavahi-common3    0.6.27-2+squeeze1       Avahi common library
> ii  libblkid1           2.17.2-9                block device id library
> ii  libc6               2.11.2-10               Embedded GNU C Library: Shared lib
> ii  libcap-ng0          0.6.4-1                 An alternate posix capabilities li
> ii  libdevmapper1.02.1  2:1.02.48-5             The Linux Kernel Device Mapper use
> ii  libgcrypt11         1.4.5-2                 LGPL Crypto library - runtime libr
> ii  libgnutls26         2.8.6-1                 the GNU TLS library - runtime libr
> ii  libnl1              1.1-6                   library for dealing with netlink s
> ii  libparted0debian1   2.3-5                   The GNU Parted disk partitioning s
> ii  libpciaccess0       0.12.0-1                Generic PCI access library for X
> ii  libreadline6        6.1-3                   GNU readline and history libraries
> ii  libsasl2-2          2.1.23.dfsg1-7          Cyrus SASL - authentication abstra
> ii  libudev0            164-3                   libudev shared library
> ii  libuuid1            2.17.2-9                Universally Unique ID library
> ii  libvirt0            0.8.3-5+squeeze2        library for interfacing with diffe
> ii  libxenstore3.0      4.0.1-2                 Xenstore communications library fo
> ii  libxml2             2.7.8.dfsg-2+squeeze1   GNOME XML library
> ii  logrotate           3.7.8-6                 Log rotation utility
>
> Versions of packages libvirt-bin recommends:
> ii  bridge-utils        1.4-5                   Utilities for configuring the Linu
> ii  dnsmasq-base        2.55-2                  A small caching DNS proxy and DHCP
> ii  ebtables            2.0.9.2-2               Ethernet bridge frame table admini
> pn  gawk                <none>                  (no description available)
> ii  iptables            1.4.8-3                 administration tools for packet fi
> pn  libxml2-utils       <none>                  (no description available)
> ii  netcat-openbsd      1.89-4                  TCP/IP swiss army knife
> ii  qemu-kvm            0.12.5+dfsg-5+squeeze6  Full virtualization on x86 hardwar
>
> Versions of packages libvirt-bin suggests:
> pn  policykit-1         <none>                  (no description available)
>
> -- Configuration Files:
> /etc/libvirt/qemu/networks/default.xml changed:
> <network>
>   <name>default</name>
>   <bridge name="virbr0" />
>   <forward/>
>   <ip address="192.168.122.1" netmask="255.255.255.0">
>     <dhcp>
>       <range start="192.168.122.2" end="192.168.122.254" />
>       <host mac="52:54:00:42:2f:dc" name="shelob.pca.it" ip="192.168.122.2" />
>       <host mac="52:54:00:02:b0:a6" name="mahnamahna.pca.it" ip="192.168.122.3" />
>     </dhcp>
>   </ip>
> </network>
>
>
> -- no debconf information
> _______________________________________________
> Pkg-libvirt-maintainers mailing list
> pkg-libvirt-maintain...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers
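Added example following the thread above (not code from the bug report or from libvirt): Guido's reply shows what a working `<filterref>` looks like on the host, namely FI-/FO-/HI-<iface> chains in `iptables -L -n` output for the VM's tap device. The script below parses that text layout and pulls out those chains for a given interface, so a filter can be verified positively rather than by the absence of errors in syslog. The sample input is the three vnet0 chains quoted in the reply, embedded here as constructed test data; the chain-name prefixes and the reading of FO-<iface> ACCEPT dpt:N as the "in accept" rule are taken from that quoted output.

```python
"""Report the per-VM nwfilter chains found in `iptables -L -n` output.

Added example for this thread; not code from the bug report or from libvirt.
Usage on a host:  iptables -L -n | python3 nwfilter_chains.py
With no piped input the constructed sample below is parsed instead.
"""
import re
import sys
from typing import Dict, List

# Constructed sample: the three chains quoted in the reply above for a
# direction='in' accept rule on tcp port 22, in `iptables -L -n` layout.
SAMPLE_IPTABLES_OUTPUT = """\
Chain FI-vnet0 (1 references)
target     prot opt source               destination
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED ctdir ORIGINAL

Chain FO-vnet0 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED ctdir REPLY

Chain HI-vnet0 (1 references)
target     prot opt source               destination
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED ctdir ORIGINAL
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((\d+) references\)")
# Chain-name prefixes seen in the quoted output for a guest interface.
NWFILTER_PREFIXES = ("FI-", "FO-", "HI-")


def parse_iptables_list(text: str) -> Dict[str, List[dict]]:
    """Return {chain_name: [rule, ...]} for `iptables -L -n` (without -v) output.

    Each rule keeps the five fixed columns plus 'extra', the free-form match
    text (ports, conntrack state, ctdir ...) that follows them.
    """
    chains: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if line.startswith("target ") or current is None:
            continue  # column header line, or text before the first chain
        cols = line.split(None, 5)
        if len(cols) < 5:
            continue  # not a rule line
        target, proto, opt, src, dst = cols[:5]
        chains[current].append({
            "target": target, "proto": proto, "opt": opt,
            "src": src, "dst": dst,
            "extra": cols[5] if len(cols) == 6 else "",
        })
    return chains


def nwfilter_chains(chains: Dict[str, List[dict]], iface: str) -> Dict[str, List[dict]]:
    """The FI-/FO-/HI- chains present for one tap interface (empty dict if none)."""
    return {p + iface: chains[p + iface] for p in NWFILTER_PREFIXES if p + iface in chains}


def accepted_tcp_dports(chains: Dict[str, List[dict]], iface: str) -> List[int]:
    """TCP ports opened toward the VM by an nwfilter 'in' accept rule.

    As the quoted output shows, such a rule lands as ACCEPT ... tcp dpt:N in
    FO-<iface>; the FI-/HI- RETURN entries only pass the reply direction.
    """
    ports = []
    for rule in chains.get("FO-" + iface, []):
        if rule["target"] == "ACCEPT" and rule["proto"] == "tcp":
            m = re.search(r"\bdpt:(\d+)\b", rule["extra"])
            if m:
                ports.append(int(m.group(1)))
    return ports


if __name__ == "__main__":
    data = SAMPLE_IPTABLES_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    iface = sys.argv[1] if len(sys.argv) > 1 else "vnet0"
    parsed = parse_iptables_list(data)
    found = nwfilter_chains(parsed, iface)
    if not found:
        print("no nwfilter chains for", iface, "- the filterref was not instantiated")
    for name, rules in found.items():
        print(name)
        for r in rules:
            print("   ", r["target"], r["proto"], r["extra"])
    print("tcp dports accepted toward", iface + ":", accepted_tcp_dports(parsed, iface))
```

If the script prints no chains for the interface while the domain XML carries the `<filterref>`, the filter was never instantiated, which is the situation the ebiptablesDriverInit and _iptablesCreateRuleInstance errors above describe.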