
#1 2016-03-08 10:24:25

Carceri
Member
Registered: 2016-03-08
Posts: 3

libvirtd modifies ebtables rules

I am running both docker and libvirtd on my machine and have a problem with libvirtd modifying the ebtables rules:

Currently the output of "ebtables -t filter -L" looks like this:

Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 7, policy: ACCEPT
-j libvirt_qemu_FORWARD
-j libvirt_qemu_FORWARD
-j libvirt_qemu_FORWARD

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: libvirt_qemu_FORWARD, entries: 0, policy: DROP

The problem is the rules inserted into the FORWARD chain. It keeps adding them for no apparent reason. Since the default policy of libvirt_qemu_FORWARD is DROP, it means that all traffic forwarded on any bridge is dropped. This works fine for libvirt since I use NAT instead of bridging, but docker uses another bridge for communication between containers, and now that fails.

If I change the default rule of libvirt_qemu_FORWARD to ACCEPT then docker works fine, but soon after that libvirtd inserts another rule in the FORWARD chain and resets the policy back to DROP.

Any idea on how to stop libvirt from doing this, or why it is even doing so in the first place?

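The symptom in the post above (repeated jumps from the bridge FORWARD chain into libvirt_qemu_FORWARD, whose policy is DROP) can be checked from a script before touching anything. The following is an added example written for this thread, not code from the original post or from the libvirt project. It parses the text format of "ebtables -t filter -L" with awk, counts how many "-j libvirt_qemu_FORWARD" rules the FORWARD chain carries, reports the policy of the target chain, and prints (without executing) the "ebtables -D" commands that would remove the surplus jumps. The sample output embedded in SAMPLE_EBTABLES is constructed to mirror the listing in the post; the function names count_jumps, chain_policy, audit_forward and dedupe_cmds are this example's own.

```shell
#!/bin/sh
# Audit helper for the libvirt/docker ebtables conflict described in the thread.
# All function names here are this example's own; nothing is taken from libvirt.

# Constructed sample of "ebtables -t filter -L" output, mirroring the post:
# three jumps from FORWARD into libvirt_qemu_FORWARD, whose policy is DROP.
SAMPLE_EBTABLES='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 3, policy: ACCEPT
-j libvirt_qemu_FORWARD
-j libvirt_qemu_FORWARD
-j libvirt_qemu_FORWARD

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: libvirt_qemu_FORWARD, entries: 0, policy: DROP'

# count_jumps CHAIN TARGET  (listing on stdin)
# Number of rules inside CHAIN that jump to TARGET. Rule lines may carry
# other matches before "-j", so every field pair is inspected.
count_jumps() {
    awk -v chain="$1" -v target="$2" '
        /^Bridge chain: / { cur = $3; sub(/,$/, "", cur); next }
        cur == chain {
            for (i = 1; i < NF; i++)
                if ($i == "-j" && $(i + 1) == target) n++
        }
        END { print n + 0 }'
}

# chain_policy CHAIN  (listing on stdin)
# Policy declared on the "Bridge chain:" header line, or ABSENT if the
# chain does not appear at all.
chain_policy() {
    awk -v chain="$1" '
        /^Bridge chain: / {
            cur = $3; sub(/,$/, "", cur)
            if (cur == chain) { print $NF; found = 1 }
        }
        END { if (!found) print "ABSENT" }'
}

# audit_forward LISTING
# Summarises the situation as POLICY:JUMPS, e.g. DROP:3 means bridged
# traffic is being sent into a DROP chain by three separate rules.
audit_forward() {
    jumps=$(printf '%s\n' "$1" | count_jumps FORWARD libvirt_qemu_FORWARD)
    policy=$(printf '%s\n' "$1" | chain_policy libvirt_qemu_FORWARD)
    printf '%s:%s\n' "$policy" "$jumps"
}

# dedupe_cmds LISTING
# Prints, without running them, the delete commands that would leave exactly
# one jump in FORWARD. "-D CHAIN rulespec" removes the first matching rule,
# so the same command is repeated once per surplus entry.
dedupe_cmds() {
    i=$(printf '%s\n' "$1" | count_jumps FORWARD libvirt_qemu_FORWARD)
    while [ "$i" -gt 1 ]; do
        echo "ebtables -t filter -D FORWARD -j libvirt_qemu_FORWARD"
        i=$((i - 1))
    done
}

# Run against the live table only when asked to (requires root and ebtables):
#   sh audit.sh --live
if [ "${1:-}" = "--live" ] && command -v ebtables >/dev/null 2>&1; then
    live=$(ebtables -t filter -L)
    audit_forward "$live"
    dedupe_cmds "$live"
else
    audit_forward "$SAMPLE_EBTABLES"
fi
```

Deleting the surplus jumps, or flipping the policy of libvirt_qemu_FORWARD to ACCEPT, is only a diagnosis aid: as the post says, libvirtd re-inserts the rule and resets the policy shortly afterwards, so any lasting change has to be made on the libvirt side.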

#2 2016-03-08 11:52:38

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: libvirtd modifies ebtables rules

Hi, welcome to the forums. I'm not running libvirt at the moment, but believe you can change that "default" behaviour with virsh on the command line. See here: http://wiki.libvirt.org/page/Networking … orks.22.29
and (more background): https://libvirt.org/firewall.html


#3 2016-03-08 19:44:34

Carceri
Member
Registered: 2016-03-08
Posts: 3

Re: libvirtd modifies ebtables rules

Thanks! Long-time Arch user, but this is the first time I had a reason to actually post something here :)

I have been through that document, but didn't find anything that would explain my problem. It describes the iptables rules that are added when I use bridge + NAT, and they work fine. It's that single rule it keeps adding using ebtables that bothers me.

Currently I just disabled libvirtd since I don't need it at the moment, but at some point in time I will need it again, so I am still looking for a solution. Looks like a bug in libvirtd, so I guess I might have to report it upstream.


#4 2016-03-08 21:18:37

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: libvirtd modifies ebtables rules

Have a look at "The network filter driver" part of https://libvirt.org/firewall.html
The commands are listed there to output and change its ebtables/iptables rules.

