[Bug 668043] Re: libvirt default network doesn't start, iptables errors, bad rules

Brian J. Murrell brian at interlinx.bc.ca
Fri Feb 4 12:48:40 UTC 2011 

On Thu, 2011-02-03 at 21:04 +0000, Serge Hallyn wrote: 
> (If it did in fact fail, then I'll revert the offending patch
> http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=fd5b15ff1a2ec37e75609c091522ae1e2c74c811
> as per http://bugs.gentoo.org/334921.

Please take note that the fix that I supplied does nothing about
addressing this issue because it should not be an issue.

First of all, the fix I supplied only deals with error:

libvirtError: internal error '/sbin/iptables --table filter --delete
INPUT --in-interface virbr0 --protocol udp --destination-port 69 --jump
ACCEPT' exited with non-zero status 1 and signal 0: iptables: Bad rule
(does a matching rule exist in that chain?).

This other error that Alle is getting:

error: internal error '/sbin/iptables --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' exited with non-zero status 2 and signal 0: iptables v1.4.4: unknown option `--checksum-fill'
Try `iptables -h' or 'iptables --help' for more information.

is not an actual error condition in the libvrit (0.8.3-1ubuntu14) that I
am looking at.  The only code that I can find that tries to add a
checksum rule for port 68 is in networkAddIptablesRules() in the file
src/network/bridge_driver.c:

    if ((network->def->ipAddress || network->def->nranges) &&
        (iptablesAddOutputFixUdpChecksum(driver->iptables,
                                         network->def->bridge, 68) != 0)) {
        VIR_WARN("Could not add rule to fixup DHCP response checksums "
                 "on network '%s'.", network->def->name);
        VIR_WARN0("May need to update iptables package & kernel to support CHECKSUM rule.");
    }

Note that failure of iptablesAddOutputFixUdpChecksum() only emits
warnings.

The actual error string that Alle is seeing comes from virRunWithHook()
which is called to through the following sequence of functions:

iptablesAddOutputFixUdpChecksum
iptablesOutputFixUdpChecksum
iptablesAddRemoveRule
virRun
virRunWithHook

which propagates an error back up the stack to networkAddIptablesRules()
but per the above code snippet, the error is discarded and a couple of
warning messages have been printed.

At this point, seeing as there are two different issues in this one
ticket, I would suggest that Alle open a new ticket covering the second
issue.

I suspect that Alle's network is failing to come up for a reason other
than the message he is seeing and the message that he sees just happens
to be the last message printed.  I have been fooled by libvirt's lack of
printing error messages and misunderstanding that the last message it
did print is not in fact what was causing the failure.

I would suggest that Alle runs libvirtd in the foreground with some
debug/verbosity perhaps to get to the real root of his problem.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/668043

Title:
  libvirt default network doesn't start, iptables errors, bad rules

More information about the Ubuntu-server-bugs mailing list