[Pkg-libvirt-maintainers] Bug#636712: Bug#636712: libvirt-bin: cannot create rule since iptables tool is missing with custom nwfilters
Guido Günther
agx at sigxcpu.org
Mon Aug 8 22:44:47 UTC 2011
Hi Luca,
On Fri, Aug 05, 2011 at 05:05:23PM +0200, Luca Capello wrote:
> Package: libvirt-bin
> Version: 0.8.3-5+squeeze2
> Severity: important
>
> Hi there!
>
> I would like to add network filters [1] to accept various kind of
> incoming traffics (e.g. HTTP) and thus I read the documentation at:
>
> <http://libvirt.org/formatnwfilter.html>
>
> [1] despite myself not being a firewall guru, I fail to understand why
> we need yet another format to define filters instead of using the
> iptables syntax by default or adding something like the ifupdown's
> options (in this case post-up and pre-down)...
>
> However, adding a simple filter like the following causes an error:
> =====
> # cat /etc/libvirt/nwfilter/allow-http.xml
> <filter name='allow-http' chain='ipv4'>
> <rule action='accept' direction='in' >
> <tcp dstportstart='80' />
> </rule>
> </filter>
It works here with a very similar rule for ssh accept:
Chain FI-vnet0 (1 references)
target prot opt source destination
RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED ctdir ORIGINAL
Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED ctdir REPLY
Chain HI-vnet0 (1 references)
target prot opt source destination
RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED ctdir ORIGINAL
Could you check /var/log/libvirt/libvirtd.log? If there's nothing
interesting in there try running
/etc/init.d/libvirt-bin stop
LIBVIRT_DEBUG=1 libvirtd -v
and attach the output to this bug please.
>
> # grep allow-http /etc/libvirt/qemu/shelob.pca.it.xml
> <filterref filter='allow-http'/>
>
> # service libvirt-bin restart
>
> # less /var/log/syslog
> [...]
> Aug 5 16:27:55 mantissa libvirtd: 16:27:55.999: error : virRunWithHook:857 : \
> internal error '/sbin/iptables --table filter --delete INPUT --in-interface virbr0 \
> --protocol udp --destination-port 69 --jump ACCEPT' exited with non-zero status 1 \
> and signal 0: iptables: Bad rule (does a matching rule exist in that chain?).#012
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.404: error : ebiptablesDriverInit:3416 : \
> internal error essential tools to support ip(6)tables firewalls could not be located
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.406: warning : qemudStartup:1832 : \
> Unable to create cgroup for driver: No such device or address
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.494: warning : qemudParsePCIDeviceStrs:1422 : \
> Unexpected exit status '1', qemu probably failed
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.498: error : _iptablesCreateRuleInstance:1113 : \
> internal error cannot create rule since iptables tool is missing.
> Aug 5 16:27:56 mantissa kernel: [312791.663024] device vnet0 entered promiscuous mode
> Aug 5 16:27:56 mantissa kernel: [312791.664044] virbr0: topology change detected, propagating
> Aug 5 16:27:56 mantissa kernel: [312791.664047] virbr0: port 1(vnet0) entering forwarding state
> Aug 5 16:27:56 mantissa kernel: [312791.682240] virbr0: port 1(vnet0) entering disabled state
> Aug 5 16:27:56 mantissa kernel: [312791.701260] device vnet0 left promiscuous mode
> Aug 5 16:27:56 mantissa kernel: [312791.701262] virbr0: port 1(vnet0) entering disabled state
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.596: error : qemuAutostartDomain:827 : \
> Failed to autostart VM 'shelob.pca.it': internal error cannot create rule since iptables tool is missing.
> Aug 5 16:27:56 mantissa libvirtd: 16:27:56.654: warning : lxcStartup:1900 : \
> Unable to create cgroup for driver: No such device or address
> =====
>
> The first error is #592177 (with its clones #615907 and #626166), the
> other errors about essential or iptables tools missing are still
> puzzling my brain for an explication :-|
#592177 should be fixed with 0.9.4~rc1. 0.9.4 is about to be uploaded to
unstable pending a LFS fix.
Cheers,
-- Guido
>
> NB, I do not have install-recommends on by default, but I have both
> ebtables and iptables installed. I tried installing libxml2-utils,
> but the error is still present.
>
> Thx, bye,
> Gismo / Luca
>
> -- System Information:
> Debian Release: 6.0.2
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libvirt-bin depends on:
> ii adduser 3.112+nmu2 add and remove users and groups
> ii libavahi-client3 0.6.27-2+squeeze1 Avahi client library
> ii libavahi-common3 0.6.27-2+squeeze1 Avahi common library
> ii libblkid1 2.17.2-9 block device id library
> ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
> ii libcap-ng0 0.6.4-1 An alternate posix capabilities li
> ii libdevmapper1.02.1 2:1.02.48-5 The Linux Kernel Device Mapper use
> ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime libr
> ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
> ii libnl1 1.1-6 library for dealing with netlink s
> ii libparted0debian1 2.3-5 The GNU Parted disk partitioning s
> ii libpciaccess0 0.12.0-1 Generic PCI access library for X
> ii libreadline6 6.1-3 GNU readline and history libraries
> ii libsasl2-2 2.1.23.dfsg1-7 Cyrus SASL - authentication abstra
> ii libudev0 164-3 libudev shared library
> ii libuuid1 2.17.2-9 Universally Unique ID library
> ii libvirt0 0.8.3-5+squeeze2 library for interfacing with diffe
> ii libxenstore3.0 4.0.1-2 Xenstore communications library fo
> ii libxml2 2.7.8.dfsg-2+squeeze1 GNOME XML library
> ii logrotate 3.7.8-6 Log rotation utility
>
> Versions of packages libvirt-bin recommends:
> ii bridge-utils 1.4-5 Utilities for configuring the Linu
> ii dnsmasq-base 2.55-2 A small caching DNS proxy and DHCP
> ii ebtables 2.0.9.2-2 Ethernet bridge frame table admini
> pn gawk <none> (no description available)
> ii iptables 1.4.8-3 administration tools for packet fi
> pn libxml2-utils <none> (no description available)
> ii netcat-openbsd 1.89-4 TCP/IP swiss army knife
> ii qemu-kvm 0.12.5+dfsg-5+squeeze6 Full virtualization on x86 hardwar
>
> Versions of packages libvirt-bin suggests:
> pn policykit-1 <none> (no description available)
>
> -- Configuration Files:
> /etc/libvirt/qemu/networks/default.xml changed:
> <network>
> <name>default</name>
> <bridge name="virbr0" />
> <forward/>
> <ip address="192.168.122.1" netmask="255.255.255.0">
> <dhcp>
> <range start="192.168.122.2" end="192.168.122.254" />
> <host mac="52:54:00:42:2f:dc" name="shelob.pca.it" ip="192.168.122.2" />
> <host mac="52:54:00:02:b0:a6" name="mahnamahna.pca.it" ip="192.168.122.3" />
> </dhcp>
> </ip>
> </network>
>
>
> -- no debconf information
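A diagnostic helper, added here and not part of this bug thread or of libvirt itself: it checks that the tools libvirt's ebiptables nwfilter driver shells out to are on PATH and counts the "tools missing" errors in a libvirtd/syslog excerpt. The gawk and grep requirement for ip(6)tables support is assumed from the libvirt source of that era (the report above lists gawk as "pn", i.e. not installed); the sample log lines are constructed, modelled on the ones quoted in the report.

```shell
#!/bin/sh
# Added diagnostic example (not libvirt code, not from the bug thread).
# 1) check_nwfilter_tools: report tools the ebiptables nwfilter driver
#    needs that cannot be found on PATH.
# 2) count_nwfilter_errors: count libvirtd log lines carrying the two
#    nwfilter errors seen in the report.

# Tools probed by the 0.8.x ebiptables driver. That ip(6)tables support
# also needs gawk and grep is assumed from the libvirt source of that era.
NWFILTER_TOOLS="ebtables iptables ip6tables gawk grep"

# Usage: check_nwfilter_tools [tool ...]   (defaults to NWFILTER_TOOLS)
# Prints "missing: <tool>" for each absent tool; returns 1 if any is absent.
check_nwfilter_tools() {
    [ $# -gt 0 ] || set -- $NWFILTER_TOOLS
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing: $tool"
            missing=1
        fi
    done
    return $missing
}

# Usage: count_nwfilter_errors "<log text>"
# Prints the number of lines matching either nwfilter error message.
count_nwfilter_errors() {
    printf '%s\n' "$1" | grep -c -F \
        -e 'iptables tool is missing' \
        -e 'essential tools to support ip(6)tables' || true
}

# Constructed sample excerpt modelled on the syslog lines in the report
# (hostnames and the VM name replaced; no apostrophes so it quotes cleanly).
SAMPLE_LOG='Aug 5 16:27:56 host libvirtd: 16:27:56.404: error : ebiptablesDriverInit:3416 : internal error essential tools to support ip(6)tables firewalls could not be located
Aug 5 16:27:56 host libvirtd: 16:27:56.406: warning : qemudStartup:1832 : Unable to create cgroup for driver: No such device or address
Aug 5 16:27:56 host libvirtd: 16:27:56.498: error : _iptablesCreateRuleInstance:1113 : internal error cannot create rule since iptables tool is missing.
Aug 5 16:27:56 host libvirtd: 16:27:56.596: error : qemuAutostartDomain:827 : Failed to autostart VM guest: internal error cannot create rule since iptables tool is missing.'
```

On a real host run check_nwfilter_tools with no arguments, and pass the contents of /var/log/libvirt/libvirtd.log (or the syslog excerpt) to count_nwfilter_errors; a non-zero count together with a missing tool points at the Recommends that was not installed.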