[Pkg-libvirt-maintainers] Bug#636712: libvirt-bin: cannot create rule since iptables tool is missing with custom nwfilters
Luca Capello
luca at pca.it
Fri Aug 5 15:05:23 UTC 2011
Package: libvirt-bin
Version: 0.8.3-5+squeeze2
Severity: important
Hi there!
I would like to add network filters [1] to accept various kinds of
incoming traffic (e.g. HTTP) and thus I read the documentation at:
<http://libvirt.org/formatnwfilter.html>
[1] despite myself not being a firewall guru, I fail to understand why
we need yet another format to define filters instead of using the
iptables syntax by default or adding something like the ifupdown's
options (in this case post-up and pre-down)...
However, adding a simple filter like the following causes an error:
=====
# cat /etc/libvirt/nwfilter/allow-http.xml
<filter name='allow-http' chain='ipv4'>
  <rule action='accept' direction='in' >
    <tcp dstportstart='80' />
  </rule>
</filter>
# grep allow-http /etc/libvirt/qemu/shelob.pca.it.xml
<filterref filter='allow-http'/>
# service libvirt-bin restart
# less /var/log/syslog
[...]
Aug 5 16:27:55 mantissa libvirtd: 16:27:55.999: error : virRunWithHook:857 : \
internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr0 \
--protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 \
and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).#012
Aug 5 16:27:56 mantissa libvirtd: 16:27:56.404: error : ebiptablesDriverInit:3416 : \
internal error essential tools to support ip(6)tables firewalls could not be located
Aug 5 16:27:56 mantissa libvirtd: 16:27:56.406: warning : qemudStartup:1832 : \
Unable to create cgroup for driver: No such device or address
Aug 5 16:27:56 mantissa libvirtd: 16:27:56.494: warning : qemudParsePCIDeviceStrs:1422 : \
Unexpected exit status '1', qemu probably failed
Aug 5 16:27:56 mantissa libvirtd: 16:27:56.498: error : _iptablesCreateRuleInstance:1113 : \
internal error cannot create rule since iptables tool is missing.
Aug 5 16:27:56 mantissa kernel: [312791.663024] device vnet0 entered promiscuous mode
Aug 5 16:27:56 mantissa kernel: [312791.664044] virbr0: topology change detected, propagating
Aug 5 16:27:56 mantissa kernel: [312791.664047] virbr0: port 1(vnet0) entering forwarding state
Aug 5 16:27:56 mantissa kernel: [312791.682240] virbr0: port 1(vnet0) entering disabled state
Aug 5 16:27:56 mantissa kernel: [312791.701260] device vnet0 left promiscuous mode
Aug 5 16:27:56 mantissa kernel: [312791.701262] virbr0: port 1(vnet0) entering disabled state
Aug 5 16:27:56 mantissa libvirtd: 16:27:56.596: error : qemuAutostartDomain:827 : \
Failed to autostart VM 'shelob.pca.it': internal error cannot create rule since iptables tool is missing.
Aug 5 16:27:56 mantissa libvirtd: 16:27:56.654: warning : lxcStartup:1900 : \
Unable to create cgroup for driver: No such device or address
=====
The first error is #592177 (with its clones #615907 and #626166), the
other errors about essential or iptables tools missing are still
puzzling my brain for an explication :-|
NB, I do not have install-recommends on by default, but I have both
ebtables and iptables installed. I tried installing libxml2-utils,
but the error is still present.
Thx, bye,
Gismo / Luca
-- System Information:
Debian Release: 6.0.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libvirt-bin depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii libavahi-client3 0.6.27-2+squeeze1 Avahi client library
ii libavahi-common3 0.6.27-2+squeeze1 Avahi common library
ii libblkid1 2.17.2-9 block device id library
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libcap-ng0 0.6.4-1 An alternate posix capabilities li
ii libdevmapper1.02.1 2:1.02.48-5 The Linux Kernel Device Mapper use
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime libr
ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
ii libnl1 1.1-6 library for dealing with netlink s
ii libparted0debian1 2.3-5 The GNU Parted disk partitioning s
ii libpciaccess0 0.12.0-1 Generic PCI access library for X
ii libreadline6 6.1-3 GNU readline and history libraries
ii libsasl2-2 2.1.23.dfsg1-7 Cyrus SASL - authentication abstra
ii libudev0 164-3 libudev shared library
ii libuuid1 2.17.2-9 Universally Unique ID library
ii libvirt0 0.8.3-5+squeeze2 library for interfacing with diffe
ii libxenstore3.0 4.0.1-2 Xenstore communications library fo
ii libxml2 2.7.8.dfsg-2+squeeze1 GNOME XML library
ii logrotate 3.7.8-6 Log rotation utility
Versions of packages libvirt-bin recommends:
ii bridge-utils 1.4-5 Utilities for configuring the Linu
ii dnsmasq-base 2.55-2 A small caching DNS proxy and DHCP
ii ebtables 2.0.9.2-2 Ethernet bridge frame table admini
pn gawk <none> (no description available)
ii iptables 1.4.8-3 administration tools for packet fi
pn libxml2-utils <none> (no description available)
ii netcat-openbsd 1.89-4 TCP/IP swiss army knife
ii qemu-kvm 0.12.5+dfsg-5+squeeze6 Full virtualization on x86 hardwar
Versions of packages libvirt-bin suggests:
pn policykit-1 <none> (no description available)
-- Configuration Files:
/etc/libvirt/qemu/networks/default.xml changed:
<network>
  <name>default</name>
  <bridge name="virbr0" />
  <forward/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254" />
      <host mac="52:54:00:42:2f:dc" name="shelob.pca.it" ip="192.168.122.2" />
      <host mac="52:54:00:02:b0:a6" name="mahnamahna.pca.it" ip="192.168.122.3" />
    </dhcp>
  </ip>
</network>
-- no debconf information
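
A host-side check for the "could not be located" errors in the log above, added here as an example and not part of the original report or of libvirt: it lists helper binaries that cannot be resolved in the PATH of the running daemon, which can differ from the administrator's shell PATH. The tool list (names that appear in this report), the function names, and the assumption that the daemon finds its helpers through PATH are this example's own.

```shell
#!/bin/sh
# Added example: which helper binaries are not resolvable in a daemon's PATH?
# TOOLS is an assumption built from names on this page (the error text and
# the Recommends list), not taken from libvirt's source.
TOOLS="iptables ip6tables ebtables gawk"

# daemon_path PID [PROC_ROOT]
# Print the PATH variable from the environment of a running process.
# Reading another user's /proc/PID/environ needs root.
daemon_path() {
    tr '\0' '\n' < "${2:-/proc}/$1/environ" | sed -n 's/^PATH=//p'
}

# missing_tools SEARCH_PATH [tool...]
# Print every tool that has no executable regular file in SEARCH_PATH.
missing_tools() {
    search_path=$1; shift
    [ $# -gt 0 ] || set -- $TOOLS
    for tool in "$@"; do
        found=no
        old_ifs=$IFS; IFS=:
        for dir in $search_path; do
            IFS=$old_ifs
            [ -n "$dir" ] || dir=.   # empty PATH component means current dir
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                found=yes
                break
            fi
        done
        IFS=$old_ifs
        [ "$found" = yes ] || printf '%s\n' "$tool"
    done
}

# Usage: sh check-tools.sh <libvirtd-pid>
if [ $# -ge 1 ]; then
    missing_tools "$(daemon_path "$1")"
fi
```

An empty result means every listed tool is resolvable for that process; any name printed is one the daemon cannot find even if the package is installed elsewhere on the system.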