CentOS 7.2.1511 libvirt firewall configuration

1

I have a few CentOS 7 setups on which I use iptables to forward ports from the host to the guests. I recently updated to 7.2.1511, and it seems that libvirt now insists that firewalld be active, using the iptables command directly.

Below is the XML configuration of my virtual network VMmaint.

    <network connections='11'>
      <name>VMmaint</name>
      <uuid>2d218af6-b374-41b3-8a7e-2de7a02e62a9</uuid>
      <forward dev='em1' mode='nat'>
        <nat>
          <port start='1024' end='65535'/>
        </nat>
        <interface dev='em1'/>
      </forward>
      <bridge name='VMmaint' stp='on' delay='0'/>
      <mac address='52:54:00:ab:82:15'/>
      <ip address='192.168.100.1' netmask='255.255.255.0'>
        <dhcp>
          <range start='192.168.100.10' end='192.168.100.254'/>
          <host mac='52:54:00:f7:df:11' ip='192.168.100.11'/>
          <host mac='52:54:00:f1:bb:18' ip='192.168.100.12'/>
          <host mac='52:54:00:cf:33:59' ip='192.168.100.13'/>
          <host mac='52:54:00:57:e2:6a' ip='192.168.100.14'/>
          <host mac='52:54:00:72:8e:ce' ip='192.168.100.15'/>
          <host mac='52:54:00:25:3e:34' ip='192.168.100.16'/>
          <host mac='52:54:00:8a:31:3e' ip='192.168.100.17'/>
          <host mac='52:54:00:dd:5f:dd' ip='192.168.100.18'/>
          <host mac='52:54:00:67:0b:fa' ip='192.168.100.19'/>
          <host mac='52:54:00:0d:37:bd' ip='192.168.100.20'/>
          <host mac='52:54:00:a5:7a:02' ip='192.168.100.21'/>
          <host mac='52:54:00:e2:8d:94' ip='192.168.100.22'/>
          <host mac='52:54:00:12:fb:15' ip='192.168.100.23'/>
          <host mac='52:54:00:01:cb:98' ip='192.168.100.24'/>
          <host mac='52:54:00:b0:d5:04' ip='192.168.100.25'/>
          <host mac='52:54:00:6c:bf:9e' ip='192.168.100.26'/>
          <host mac='52:54:00:d4:cc:5a' ip='192.168.100.27'/>
          <host mac='52:54:00:6e:1d:8d' ip='192.168.100.28'/>
          <host mac='52:54:00:aa:31:17' ip='192.168.100.29'/>
          <host mac='52:54:00:42:d8:e5' ip='192.168.100.30'/>
          <host mac='52:54:00:28:15:d5' ip='192.168.100.31'/>
          <host mac='52:54:00:99:56:a1' ip='192.168.100.32'/>
          <host mac='52:54:00:7a:e6:09' ip='192.168.100.33'/>
          <host mac='52:54:00:2a:fe:67' ip='192.168.100.34'/>
          <host mac='52:54:00:f1:95:37' ip='192.168.100.35'/>
          <host mac='52:54:00:a9:4f:92' ip='192.168.100.36'/>
          <host mac='52:54:00:ee:7d:40' ip='192.168.100.37'/>
          <host mac='52:54:00:51:40:33' ip='192.168.100.38'/>
          <host mac='52:54:00:b1:0c:6e' ip='192.168.100.39'/>
          <host mac='52:54:00:2f:9f:ad' ip='192.168.100.40'/>
          <host mac='52:54:00:c6:7e:1c' ip='192.168.100.41'/>
          <host mac='52:54:00:6f:96:82' ip='192.168.100.42'/>
          <host mac='52:54:00:e4:a8:b0' ip='192.168.100.43'/>
          <host mac='52:54:00:4f:c6:97' ip='192.168.100.44'/>
          <host mac='52:54:00:e2:1a:36' ip='192.168.100.45'/>
          <host mac='52:54:00:bd:59:03' ip='192.168.100.46'/>
          <host mac='52:54:00:f2:ca:f0' ip='192.168.100.47'/>
          <host mac='52:54:00:f4:35:85' ip='192.168.100.48'/>
          <host mac='52:54:00:c6:2f:84' ip='192.168.100.49'/>
          <host mac='52:54:00:e7:74:a4' ip='192.168.100.50'/>
        </dhcp>
      </ip>
    </network>

However, as soon as the network is up, I see the following spewing into /var/log/firewalld:

    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table mangle --delete POSTROUTING --out-interface VMmaint --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --destination 192.168.100.0/24 --in-interface em1 --out-interface VMmaint --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --source 192.168.100.0/24 --in-interface VMmaint --out-interface em1 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface VMmaint --out-interface VMmaint --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --out-interface VMmaint --jump REJECT' failed: iptables: No chain/target/match by that name.
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface VMmaint --jump REJECT' failed: iptables: No chain/target/match by that name.
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol udp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol tcp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete OUTPUT --out-interface VMmaint --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

It looks like there are some default settings somewhere in libvirtd that are not interacting well with firewalld. I would like to learn the correct way to configure this through libvirt without having to run any separate scripts.

morganyang1982

Posts: 2 Joined: 18/03/2016 13:50:52

by user2066671 22.03.2016 / 18:34
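Every failure in the question's log is a `--delete` of a rule that iptables cannot find. As an added example that is not part of this thread, the following shell helper classifies firewalld `COMMAND_FAILED` entries by iptables action, table and chain, so that cleanup noise (deletes of rules that were never installed) can be told apart from failed rule additions, which are the ones that would actually leave guests without NAT or forwarding. The sample lines are constructed from the question's log format, and the `--insert` failure is hypothetical, added only to exercise the second branch.

```shell
#!/bin/sh
# Added example, not from the thread: triage firewalld COMMAND_FAILED lines by
# the iptables action (delete vs insert/append), table and chain.

# Constructed sample: two lines in the format shown in the question, plus one
# hypothetical --insert failure so that both branches are exercised.
SAMPLE_LOG="2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table mangle --delete POSTROUTING --out-interface VMmaint --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface VMmaint --jump REJECT' failed: iptables: No chain/target/match by that name.
2016-03-18 14:07:01 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --insert FORWARD --in-interface VMmaint --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?)."

# Read log lines on stdin; print "<action> <table> <chain> (<error>)" per failure.
# sed pulls the iptables arguments and the error text apart with a '|' separator;
# awk walks the arguments to find --table and the action/chain pair.
failed_rule_ops() {
    sed -n "s/^.*COMMAND_FAILED: '[^']*iptables \(.*\)' failed: iptables: \(.*\)/\1|\2/p" |
    awk -F '|' '{
        n = split($1, f, " "); table = "filter"; action = ""; chain = ""
        for (i = 1; i <= n; i++) {
            if (f[i] == "--table") table = f[i + 1]
            else if (f[i] == "--delete" || f[i] == "--insert" || f[i] == "--append") {
                action = substr(f[i], 3); chain = f[i + 1]
            }
        }
        if (action != "") print action, table, chain, "(" $2 ")"
    }'
}

# Count failed deletions: rules libvirt tried to tear down that were not there.
count_failed_deletes() { printf '%s\n' "$1" | failed_rule_ops | awk '$1 == "delete"' | wc -l | tr -d ' '; }
# Count failed insert/append operations: these are the ones that break guest traffic.
count_failed_adds()    { printf '%s\n' "$1" | failed_rule_ops | awk '$1 != "delete"' | wc -l | tr -d ' '; }

# Against the real log from the question: failed_rule_ops < /var/log/firewalld
printf '%s\n' "$SAMPLE_LOG" | failed_rule_ops
echo "failed deletes: $(count_failed_deletes "$SAMPLE_LOG"), failed adds: $(count_failed_adds "$SAMPLE_LOG")"
```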

1 answer

0

There may be a bogus firewalld process involved, similar to this one: firewalld errors when adding http

Try stopping the firewall, killing any remaining firewalld processes, and starting it again.

    systemctl stop firewalld
    pkill -f firewalld
    systemctl start firewalld

On a more general note: it is perfectly valid to disable firewalld and roll your own firewall using a bash script or something like shorewall.

by 23.03.2016 / 01:23