https://bugzilla.novell.com/show_bug.cgi?id=641065
https://bugzilla.novell.com/show_bug.cgi?id=641065#c0

Summary: libvirt net filtering system is mostly broken
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: All
OS/Version: openSUSE 11.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: zhubr@mail.ru
QAContact: qa@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=390940) --> (http://bugzilla.novell.com/attachment.cgi?id=390940)
This patch solves the problem for me.

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

Even the simplest libvirt net filters did not work for me (neither custom nor built-in ones). No relevant errors/warnings (or even debug/info messages) were generated even with the highest log level; however, no rules appeared in iptables upon VM startup (other than the built-in DNS stuff), and I could see from within the VM that indeed my IP rules were not enforced.

Well, I started digging into the code and found a rather strange thing in nwfilter_gentech_driver.c. That is, if both IP and MAC are explicitly specified for a filter (this is my case), and no IP learning was running yet, the filter AFAICS should simply be applied immediately, as there is nothing else to wait for. Yet the code just silently skipped to err_exit with a 0 error code in that case. Please see the attached patch, which fixes instantiation in that case, along with adding some _really_ _really_ useful debugging messages.

Reproducible: Always

Steps to Reproduce:
1. Add a pre-defined or custom filter to some test domain. Make sure you specify both IP and MAC values inside your filterref.
2. Start this domain. (In fact there is no need to even have any OS installed there.)
3. Check iptables-save and a detailed libvirt log to see that all your filter's rules were silently ignored.

Actual Results: Filtering rules prescribed by the filterref in the domain definition are not applied, and no error/warning is issued either.

Expected Results: Filtering rules prescribed by the filterref in the domain definition are either applied, or the VM refuses to start and an error is displayed explaining what is wrong with the filter in question.
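The failure pattern the report describes (a function that reaches its error exit with a return code of 0, so the caller believes the filter was instantiated when nothing was applied) can be modelled outside libvirt. The following C block is an added example, not code from libvirt or from the attached patch: the `filter_ref` struct, the `apply_rules` stand-in and the two `instantiate_*` functions are assumptions that model the decision described in the report (MAC known, IP known, IP learning running or not), not libvirt's actual data structures. The "as reported" variant reproduces the silent success; the "fixed" variant applies the rules when both MAC and IP are known and no learning is pending, defers otherwise, and never returns success from its error path.

```c
#include <stdio.h>
#include <string.h>

/* Model of a filterref's parameters (constructed for this example, not libvirt's types). */
struct filter_ref {
    const char *ifname;       /* VM tap device, e.g. "vnet0" */
    const char *mac;          /* MAC given in the filterref, NULL if absent */
    const char *ip;           /* IP given in the filterref, NULL if absent */
    int learning_active;      /* 1 if an IP-learning thread already runs for ifname */
};

enum outcome { RULES_APPLIED = 1, RULES_DEFERRED = 2, RULES_FAILED = -1 };

/* Stand-in for rule instantiation: writes a log line instead of touching
 * iptables/ebtables.  Returns 0 on success, -1 if a required value is missing. */
static int apply_rules(const struct filter_ref *r, char *log, size_t n)
{
    if (!r->mac || !r->ip)
        return -1;
    snprintf(log, n, "%s: instantiated rules for mac=%s ip=%s", r->ifname, r->mac, r->ip);
    return 0;
}

/* Models the behaviour the report describes: the "MAC and IP both known,
 * no learning running" case has no branch of its own, so control reaches
 * err_exit with rc still 0 and nothing is applied or logged. */
int instantiate_as_reported(const struct filter_ref *r, char *log, size_t n)
{
    int rc = 0;
    log[0] = '\0';
    if (!r->mac)
        goto err_exit;                       /* rc stays 0: silent failure */
    if (r->learning_active || !r->ip)
        return RULES_DEFERRED;               /* learning thread will instantiate later */
    goto err_exit;                           /* the missing "apply now" case */
err_exit:
    return rc;                               /* caller sees 0 and assumes success */
}

/* Corrected decision: apply immediately when nothing is left to wait for,
 * and make every error path return a non-zero code with a log message. */
int instantiate_fixed(const struct filter_ref *r, char *log, size_t n)
{
    log[0] = '\0';
    if (!r->mac) {
        snprintf(log, n, "%s: filterref has no MAC, cannot instantiate", r->ifname);
        goto err_exit;
    }
    if (r->learning_active || !r->ip) {
        snprintf(log, n, "%s: IP not yet known, deferring to IP learning", r->ifname);
        return RULES_DEFERRED;
    }
    /* Both MAC and IP are known and no learning is running: apply now. */
    if (apply_rules(r, log, n) < 0) {
        snprintf(log, n, "%s: rule instantiation failed", r->ifname);
        goto err_exit;
    }
    return RULES_APPLIED;
err_exit:
    return RULES_FAILED;                     /* never 0 on this path */
}

/* Constructed test cases (sample MAC/IP values are made up for the example). */
static const struct filter_ref both_known = { "vnet0", "52:54:00:12:34:56", "192.168.122.10", 0 };
static const struct filter_ref no_ip      = { "vnet1", "52:54:00:12:34:57", NULL, 0 };
static const struct filter_ref no_mac     = { "vnet2", NULL, "192.168.122.11", 0 };

/* Returns 1 if the reported defect reproduces: rc 0 with nothing applied or logged. */
int reported_variant_is_silent(void)
{
    char log[128];
    int rc = instantiate_as_reported(&both_known, log, sizeof log);
    return rc == 0 && log[0] == '\0';
}

/* Outcomes of the fixed variant for each constructed case. */
int fixed_outcome_both_known(void) { char l[128]; return instantiate_fixed(&both_known, l, sizeof l); }
int fixed_outcome_no_ip(void)      { char l[128]; return instantiate_fixed(&no_ip, l, sizeof l); }
int fixed_outcome_no_mac(void)     { char l[128]; return instantiate_fixed(&no_mac, l, sizeof l); }

int main(void)
{
    char log[128];
    printf("reported variant silent: %d\n", reported_variant_is_silent());
    printf("fixed both known: %d (%s)\n", instantiate_fixed(&both_known, log, sizeof log), log);
    printf("fixed no ip: %d (%s)\n", instantiate_fixed(&no_ip, log, sizeof log), log);
    printf("fixed no mac: %d (%s)\n", instantiate_fixed(&no_mac, log, sizeof log), log);
    return 0;
}
```

The point of the fixed variant is the invariant an administrator relies on in the "Expected Results" above: a start path that did not install the filter's rules must not return 0, because a zero return is what lets the VM come up with an unfiltered interface and nothing in the log.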