Is there any work underway to get the libvirt firewall tools ported to firewalld? I've been seeing this since F21, but it seems to have gotten worse on F22. Every time I boot the system or restart firewalld.service, I get a lot of errors from the libvirt rules pumped into the journal. These errors imply that the firewall isn't really being configured properly for virtual machines on the host.

May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.
May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE' failed: iptables: No chain/target/match by that name.
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=186
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=187
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=188
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=189
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=190
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=191
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=192
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=193
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=194
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=195
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=nat family=2 entries=100
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=nat family=2 entries=101
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=nat family=2 entries=102
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=nat family=2 entries=103
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=nat family=2 entries=104
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=mangle family=2 entries=64
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'no-mac-broadcast' already exists with uuid a90d22ad-d651-4083-97b9-882f7e9e02c2
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'clean-traffic' already exists with uuid d448932f-37a3-4637-887b-6f06dd0f00b1
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'allow-dhcp' already exists with uuid 1dba0fbf-31d6-4358-89c3-47dd080aac6f
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'allow-incoming-ipv4' already exists with uuid 69065cb6-28c8-4003-a661-2f4ffe1134a4
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'no-ip-spoofing' already exists with uuid 2522180a-157e-453a-ab91-262c447f4259
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'allow-dhcp-server' already exists with uuid d8ea5311-ca8f-4b38-8526-de9dbacbc4f4
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'no-ip-multicast' already exists with uuid a6d8e013-76f4-454a-b72a-d814055c0063
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'no-mac-spoofing' already exists with uuid cb7df7ac-b12e-49d3-b0fc-c801d3d87a4d
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'no-arp-ip-spoofing' already exists with uuid f96bf60d-f29a-41e5-a266-85610941fea9
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'allow-arp' already exists with uuid abaf1910-3d79-4610-a49e-188fe7750196
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'no-other-l2-traffic' already exists with uuid abc4f827-3683-48f7-ba2a-bb1c1be86d6b
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'no-other-rarp-traffic' already exists with uuid c428a138-4fc7-4d06-94fb-a838eaf8faa4
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'qemu-announce-self-rarp' already exists with uuid 392de4e1-d8ec-4b60-8c26-56c310994508
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'qemu-announce-self' already exists with uuid 157f7aaf-7c75-458f-92a0-e4c4067d3383
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'allow-ipv4' already exists with uuid de9add69-c8af-444f-b9f2-d07d0791b4bc
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'no-arp-mac-spoofing' already exists with uuid 44b534cf-d057-427c-a880-74524aa51338
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'no-arp-spoofing' already exists with uuid c66f6c9d-6a35-4751-8c4e-a6c296ff2388


--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
_______________________________________________
virt mailing list
virt@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/virt

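As an added example (not part of the original post, nor code from libvirt or firewalld), here is a small parser for firewalld COMMAND_FAILED journal entries of the kind shown above. It pulls the iptables table, operation and chain out of each failed command and separates failed --delete calls, which only show that a rule was already absent from the live ruleset, from failed --insert/--append calls, which mean a rule did not get installed. The journal sample is constructed from the post's line shape; the --insert line is hypothetical and only there to exercise the second class.

```python
import re
from collections import Counter

# Constructed sample: two lines shaped like the --delete failures in the post
# plus one hypothetical --insert failure. Host name and PID are placeholders.
SAMPLE_JOURNAL = """\
May 04 21:18:38 host firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE' failed: iptables: No chain/target/match by that name.
May 04 21:18:39 host firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 host firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --insert FORWARD --in-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
May 04 21:18:39 host audit: <audit-1325> table=filter family=2 entries=186
"""

FAILED_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']+)' failed: (?P<reason>.*)$")
TABLE_RE = re.compile(r"(?:--table|-t) (\S+)")
OP_RE = re.compile(r"(?:--(delete|insert|append)|-([DIA])) (\S+)")
OP_NAMES = {"D": "delete", "I": "insert", "A": "append"}


def parse_failure(line):
    """Return (table, operation, chain, reason) for a COMMAND_FAILED line, else None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    cmd = m.group("cmd")
    t = TABLE_RE.search(cmd)
    o = OP_RE.search(cmd)
    if not t or not o:
        return None
    op = o.group(1) or OP_NAMES[o.group(2)]
    return (t.group(1), op, o.group(3), m.group("reason").strip())


def classify(journal_text):
    """Count failures per (table, chain, op) and list the ones that are not deletes."""
    counts = Counter()
    real = []
    for line in journal_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue  # audit lines, libvirtd nwfilter lines, anything else
        table, op, chain, reason = parsed
        counts[(table, chain, op)] += 1
        # A failed --delete only proves the rule was absent (e.g. already flushed
        # by a firewalld reload); a failed --insert/--append means a rule that
        # libvirt wanted in place is missing from the live ruleset.
        if op != "delete":
            real.append(parsed)
    return counts, real


if __name__ == "__main__":
    counts, real = classify(SAMPLE_JOURNAL)
    for key, n in sorted(counts.items()):
        print("%-8s %-12s %-7s %d" % (key + (n,)))
    print("non-delete failures:", len(real))
```

On a real host, feed it `journalctl -u firewalld -o cat` output; if every failure is a --delete, the noise is cleanup of rules that were already gone, and the thing to verify is whether the subsequent re-add succeeded (e.g. `iptables -t nat -S POSTROUTING` still shows the 192.168.122.0/24 MASQUERADE rules).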