You are not logged in.
- Topics: Active | Unanswered
#1 2016-03-08 10:24:25
- Carceri
- Member
- Registered: 2016-03-08
- Posts: 3
libvirtd modifies ebtables rules
I am running both docker and libvirtd on my machine and have a problem with libvirtd modifying the ebtables rules:
Currently the output of "ebtables -t filter -L" looks like this:
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 7, policy: ACCEPT
-j libvirt_qemu_FORWARD
-j libvirt_qemu_FORWARD
-j libvirt_qemu_FORWARD
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: libvirt_qemu_FORWARD, entries: 0, policy: DROPThe problem are the rules inserted into the FORWARD chain. It keeps adding them for no apparent reason. Since the default rule for libvirt_qemu_FORWARD is DROP it means that all traffic forwarded on any bridge is dropped. This works fine for libvirt since i use NAT instead of bridge, but docker uses another bridge for communication between containers and now that fails.
If I change the default rule of libvirt_qemu_FORWARD to ACCEPT then docker works fine, but soon after that libvirtd inserts another rule in the FORWARD chain and resets the policy back to DROP.
Any idea on how to stop libvirt from doing this, or why it is even doing so in the first place.
Offline
#2 2016-03-08 11:52:38
- Strike0
- Member
- From: Germany
- Registered: 2011-09-05
- Posts: 1,489
Re: libvirtd modifies ebtables rules
Hi, welcome to the forums. I'm not running libvirt at current, but believe you can change that "default" behaviour with virsh on the command line. See here: http://wiki.libvirt.org/page/Networking … orks.22.29
and (more background): https://libvirt.org/firewall.html
Offline
#3 2016-03-08 19:44:34
- Carceri
- Member
- Registered: 2016-03-08
- Posts: 3
Re: libvirtd modifies ebtables rules
Thanks! Long time Arch user, but first time I had a reason to actually post something here 
I have been through that document, but didn't find anything that would explain my problem. It describes the iptables rules that are added when i use bridge + NAT and they work fine. It's that single rule it keeps adding using ebtables that bothers me.
Currently I just disabled libvirtd since I don't need it at the moment, but at some point in time I will need it again, so I am still looking for a solution. Looks like a bug in libvirtd, so I guess I might have to report it upstream.
Offline
#4 2016-03-08 21:18:37
- Strike0
- Member
- From: Germany
- Registered: 2011-09-05
- Posts: 1,489
Re: libvirtd modifies ebtables rules
Have a look at "The network filter driver" part of https://libvirt.org/firewall.html
The commands are listed there to output and change its ebtables/iptables rules.
Offline