1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
peripherals: 0.985
VMM: 0.981
risc-v: 0.978
mistranslation: 0.975
hypervisor: 0.969
graphic: 0.965
register: 0.965
TCG: 0.964
permissions: 0.963
assembly: 0.961
KVM: 0.960
PID: 0.958
vnc: 0.956
device: 0.955
architecture: 0.952
virtual: 0.948
ppc: 0.948
network: 0.945
socket: 0.939
arm: 0.936
performance: 0.933
debug: 0.933
user-level: 0.928
semantic: 0.919
files: 0.910
boot: 0.880
kernel: 0.851
x86: 0.823
i386: 0.817
libvirtd reload and hooks problem routed-net
if we do a reload of libvirt, some iptables rules, which are created through /etc/libvirt/hooks/qemu are not working anymore.
Every time a other (one or two,thee) vm is affected.
our qemu file:
#!/bin/bash
do_net() {
local status=$2
local ip=$3
local in=$4
local out=$5
if [[ ! $status || ! $ip || ! $in || ! $out ]]; then
echo "Not all parameters were passed!"
exit 1
fi
if [ "$status" = "stopped" -o "$status" = "reconnect" ]; then
ip route del $ip via 191.255.255.1 dev $out
ip neigh del proxy $ip dev $in
iptables -D FORWARD -i $in -o $out -s 0.0.0.0/0 -d $ip/32 -j ACCEPT
iptables -D FORWARD -i $out -o $in -s $ip/32 -d 0.0.0.0/0 -j ACCEPT
fi
if [ "$status" = "start" -o "$status" = "reconnect" ]; then
ip route add $ip via 191.255.255.1 dev $out
ip neigh add proxy $ip dev $in
iptables -I FORWARD 4 -i $in -o $out -s 0.0.0.0/0 -d $ip/32 -j ACCEPT
iptables -I FORWARD 4 -i $out -o $in -s $ip/32 -d 0.0.0.0/0 -j ACCEPT
fi
}
CONF=//etc/libvirt/hooks/vms/*
for file in $CONF
do
guest_ipaddr=""
guest_name=""
type=""
destination="0.0.0.0/0"
while read line; do
eval $line
done < $file
guest_ipaddrnet=$guest_ipaddr"/32"
for dest in ${destination}
do
if [ "${1}" = "${guest_name}" ]; then
echo "SRC-IP="$guest_ipaddr " " $guest_ipaddrnet " VM="$guest_name " Dest="$dest
if [ "${2}" = "stopped" ]; then
ip route del $guest_ipaddr via 191.255.255.1 dev virbr1
ip neigh del proxy $guest_ipaddr dev bond0
iptables -D FORWARD -i bond0 -o virbr1 -s $dest -d $guest_ipaddrnet -j ACCEPT
iptables -D FORWARD -i virbr1 -o bond0 -s $guest_ipaddrnet -d $dest -j ACCEPT
fi
if [ "${2}" = "start" ]; then
ip route add $guest_ipaddr via 191.255.255.1 dev virbr1
ip neigh add proxy $guest_ipaddr dev bond0
iptables -I FORWARD 4 -i bond0 -o virbr1 -s $dest -d $guest_ipaddrnet -j ACCEPT
iptables -I FORWARD 4 -i virbr1 -o bond0 -s $guest_ipaddrnet -d $dest -j ACCEPT
fi
if [ "${2}" = "reconnect" ]; then
ip route del $guest_ipaddr via 191.255.255.1 dev virbr1
ip neigh del proxy $guest_ipaddr dev bond0
iptables -D FORWARD -i bond0 -o virbr1 -s $dest -d $guest_ipaddrnet -j ACCEPT
iptables -D FORWARD -i virbr1 -o bond0 -s $guest_ipaddrnet -d $dest -j ACCEPT
sleep 1
ip route add $guest_ipaddr via 191.255.255.1 dev virbr1
ip neigh add proxy $guest_ipaddr dev bond0
iptables -I FORWARD 4 -i bond0 -o virbr1 -s $dest -d $guest_ipaddrnet -j ACCEPT
iptables -I FORWARD 4 -i virbr1 -o bond0 -s $guest_ipaddrnet -d $dest -j ACCEPT
fi
fi
done
done
On Mon, Dec 16, 2013 at 05:00:51PM -0000, Chris Weltzien wrote:
> if we do a reload of libvirt, some iptables rules, which are created through /etc/libvirt/hooks/qemu are not working anymore.
> Every time a other (one or two,thee) vm is affected.
Please report this to the libvirt project:
http://libvirt.org/bugs.html
Stefan
Hi,
we have a workaround for that. We´ve add sleep ${RANDOM:0:1}.${RANDOM:-1:1} between the IP Tables rules. The Problem is, that IP tables cannot execute twice or more times simultaneously.
Cheers Tim
Closing, since this is not a QEMU bug.
|