Bug 46632 - Network drops out in virtual machines when settings are changed via alterator-net-iptables
Summary: Network drops out in virtual machines when settings are changed via alterator-...
Status: NEW
Alias: None
Product: Branch p10
Classification: Unclassified
Component: alterator-net-iptables
Version: not specified
Hardware: x86_64 Linux
Importance: P5 normal
Assignee: Mikhail Efremov
QA Contact: qa-p10@altlinux.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-22 21:39 MSK by igor
Modified: 2023-06-30 14:08 MSK
CC: 1 user

See Also:


Attachments

Description igor 2023-06-22 21:39:56 MSK
When changed values are applied through the firewall module (alterator-net-iptables), the network drops out in qemu-kvm virtual machines managed with libvirtd. The network in the virtual machines starts working again only after the libvirtd service is restarted.
The host's network works normally.

Distribution:
NAME="starter kit"
VERSION="10"
ID=altlinux
VERSION_ID=10
PRETTY_NAME="ALT Starterkit 10 (Hypericum)"

---

rpm -q libvirt-daemon

libvirt-daemon-9.3.0-alt1.x86_64

---

rpm -q alterator-net-iptables

alterator-net-iptables-4.19.10-alt1.x86_64

---

Journal output while the firewall settings are being applied:
    systemd[1]: Stopping Network Connectivity...
    network[1725202]: Computing interface groups: . 1 interfaces found
    network[1725202]: Processing /etc/net/vlantab: empty.
    network[1725202]: Stopping group 0/virtual (1 interfaces)
    avahi-daemon[1617793]: Withdrawing address record for 127.0.0.1 on lo.
    avahi-daemon[1617793]: Leaving mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
    avahi-daemon[1617793]: Interface lo.IPv4 no longer relevant for mDNS.
    avahi-daemon[1617793]: Interface lo.IPv6 no longer relevant for mDNS.
    avahi-daemon[1617793]: Leaving mDNS multicast group on interface lo.IPv6 with address ::1.
    avahi-daemon[1617793]: Withdrawing address record for ::1 on lo.
    network[1725202]: Stopping lo:
    network[1725232]: ..
    network[1725202]: OK
    network[1725286]: Stopping iptables for default
    network[1725286]: Flushing the "OUTPUT" chain in the "filter" table
    network[1725286]: Flushing the "FORWARD" chain in the "filter" table
    network[1725286]: Flushing the "INPUT" chain in the "filter" table
    network[1725286]: Flushing the "POSTROUTING" chain in the "nat" table
    network[1725286]: Flushing the "OUTPUT" chain in the "nat" table
    network[1725286]: Flushing the "PREROUTING" chain in the "nat" table
    network[1725286]: Flushing the "POSTROUTING" chain in the "mangle" table
    network[1725286]: Flushing the "OUTPUT" chain in the "mangle" table
    network[1725286]: Flushing the "FORWARD" chain in the "mangle" table
    network[1725286]: Flushing the "INPUT" chain in the "mangle" table
    network[1725286]: Flushing the "PREROUTING" chain in the "mangle" table
    network[1725286]: Unloading module ip_conntrack_ftp
    network[1725286]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table
    network[1725286]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table
    network[1725286]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table
    network[1725286]: Stopping ip6tables for default
    network[1725286]: Flushing the "OUTPUT" chain in the "filter" table
    network[1725286]: Flushing the "FORWARD" chain in the "filter" table
    network[1725286]: Flushing the "INPUT" chain in the "filter" table
    network[1725286]: Flushing the "POSTROUTING" chain in the "mangle" table
    network[1725286]: Flushing the "OUTPUT" chain in the "mangle" table
    network[1725286]: Flushing the "FORWARD" chain in the "mangle" table
    network[1725286]: Flushing the "INPUT" chain in the "mangle" table
    network[1725286]: Flushing the "PREROUTING" chain in the "mangle" table
    network[1725286]: Unloading module ip_conntrack_ftp
    network[1725286]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table
    network[1725286]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table
    network[1725286]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table
    systemd[1]: network.service: Deactivated successfully.
    systemd[1]: Stopped Network Connectivity.
    systemd[1]: Starting Network Connectivity...
    network[1725451]: Starting ip6tables for default
    network[1725451]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table
    network[1725451]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table
    network[1725451]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table
    network[1725451]: Loading module ip_conntrack_ftp
    network[1725451]: Loading rules for the "PREROUTING" chain in the "mangle" table
    network[1725451]: Loading rules for the "INPUT" chain in the "mangle" table
    network[1725451]: Loading rules for the "FORWARD" chain in the "mangle" table
    network[1725451]: Loading rules for the "OUTPUT" chain in the "mangle" table
    network[1725451]: Loading rules for the "POSTROUTING" chain in the "mangle" table
    network[1725451]: Loading rules for the "INPUT" chain in the "filter" table....
    network[1725451]: Loading rules for the "FORWARD" chain in the "filter" table......
    network[1725451]: Loading rules for the "OUTPUT" chain in the "filter" table..
    network[1725451]: Starting iptables for default
    network[1725451]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table
    network[1725451]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table
    network[1725451]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table
    network[1725451]: Loading module ip_conntrack_ftp
    network[1725451]: Loading rules for the "PREROUTING" chain in the "mangle" table
    network[1725451]: Loading rules for the "INPUT" chain in the "mangle" table
    network[1725451]: Loading rules for the "FORWARD" chain in the "mangle" table
    network[1725451]: Loading rules for the "OUTPUT" chain in the "mangle" table
    network[1725451]: Loading rules for the "POSTROUTING" chain in the "mangle" table
    network[1725451]: Loading rules for the "PREROUTING" chain in the "nat" table
    network[1725451]: Loading rules for the "OUTPUT" chain in the "nat" table
    network[1725451]: Loading rules for the "POSTROUTING" chain in the "nat" table
    network[1725451]: Loading rules for the "INPUT" chain in the "filter" table.......
    network[1725451]: Loading rules for the "FORWARD" chain in the "filter" table.......
    network[1725451]: Loading rules for the "OUTPUT" chain in the "filter" table...
    network[1725434]: Computing interface groups: . 1 interfaces found
    network[1725434]: Starting group 0/virtual (1 interfaces)
    network[1725434]: Starting lo:
    avahi-daemon[1617793]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
    network[1725919]: .
    avahi-daemon[1617793]: New relevant interface lo.IPv4 for mDNS.
    avahi-daemon[1617793]: Registering new address record for 127.0.0.1 on lo.IPv4.
    avahi-daemon[1617793]: Joining mDNS multicast group on interface lo.IPv6 with address ::1.
    avahi-daemon[1617793]: New relevant interface lo.IPv6 for mDNS.
    avahi-daemon[1617793]: Registering new address record for ::1 on lo.*.
    NetworkManager[3012]: <info> [1687458444.8239] device (lo): carrier: link connected
    avahi-daemon[1617793]: Withdrawing address record for 127.0.0.1 on lo.
    avahi-daemon[1617793]: Leaving mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
    avahi-daemon[1617793]: Interface lo.IPv4 no longer relevant for mDNS.
    network[1725931]: .
    avahi-daemon[1617793]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
    network[1725934]: .
    avahi-daemon[1617793]: New relevant interface lo.IPv4 for mDNS.
    avahi-daemon[1617793]: Registering new address record for 127.0.0.1 on lo.IPv4.
    network[1725942]: .
    network[1725434]: OK
    network[1725434]: Processing /etc/net/vlantab: empty.
    systemd[1]: Started Network Connectivity
Comment 1 Evgeny Shesteperov 2023-06-30 14:08:24 MSK
Package:

-   alterator-net-iptables-4.19.10-alt1

Test setup:

-   ALT Workstation 10.1 updated to the current P10

Steps:

1.  Perform the initial setup:

    # apt-get install -y alterator-net-iptables virt-manager qemu libvirt libvirt-daemon-driver-storage-disk
    # systemctl enable --now libvirtd && sleep 5; systemctl status libvirtd --no-pager -l
    # gpasswd -a test vmusers

2.  Download any image (in my case ALT Workstation 10.1).

3.  Enable the network: Virtual Networks tab -> select default -> press the
    triangle (start) -> tick the checkbox Autostart: On boot
    -> Apply

4.  Create a virtual machine.

5.  Check the network inside the virtual machine (ping ya.ru, a page in
    the browser) and with the command:

    # virsh net-list --all
     Name      State    Autostart   Persistent
    ------------------------------------------------
     default   active   yes         yes

6.  Start the System Control Center → enable expert mode →
    Firewall → Port forwarding

7.  Add a rule:

-   Protocol: TCP
-   IP address: port: 777
-   forward to IP address: <current_ip> port: 80

click Add

8.  Tick the checkbox Enable port forwarding
9.  Check the network with the command:

    # virsh net-list --all
     Name      State    Autostart   Persistent
    ------------------------------------------------
     default   active   yes         yes

10. Check the network inside the virtual machine:

    $ ping -c 3 ya.ru
    $ xbrowser google.com

Expected result: a network connection is present.

Actual result: no network connection.

Additionally 1: running the command # systemctl restart libvirtd
does indeed fix the network connection problem.

Additionally 2: if a ping (ping ya.ru) is started first and the checkbox
Enable port forwarding is ticked afterwards, the ping continues, but a
repeated ping no longer works.

Not checked in Sisyphus.
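The journal excerpt in the description shows the network service flushing every built-in chain of the filter, nat and mangle tables when alterator-net-iptables re-applies its configuration. libvirt keeps the NAT and forwarding rules for its default network in its own LIBVIRT_* chains and reaches them only through jumps from those built-in chains, so the flush leaves libvirt's chains in place but unreachable until libvirtd re-creates the jumps; that matches the report's observation that restarting libvirtd restores connectivity. The script below is an added example, not code from the bug report, from alterator-net-iptables or from libvirt: it replays the logged flushes against a constructed, abridged iptables-save dump modeled on libvirt's default network (virbr0, 192.168.122.0/24) and reports which libvirt chains lost their entry points. The observation in comment 1 that a running ping survives the change while a new one fails is consistent with this picture: flushing rules does not clear conntrack, so the established masqueraded flow keeps its NAT mapping, while a new flow finds no MASQUERADE rule.

```python
"""Replay journal "Flushing the ... chain" lines against an iptables-save dump
and report which libvirt-managed chains become unreachable (added example)."""
import re

FLUSH_RE = re.compile(r'Flushing the "(?P<chain>\w+)" chain in the "(?P<table>\w+)" table')

# Built-in chains per table: flushing these removes every jump into user chains.
BUILTIN = {
    "filter": ("INPUT", "FORWARD", "OUTPUT"),
    "nat": ("PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"),
    "mangle": ("PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"),
}

# Journal lines copied from the report's "Stopping iptables for default" block.
JOURNAL = """\
network[1725286]: Stopping iptables for default
network[1725286]: Flushing the "OUTPUT" chain in the "filter" table
network[1725286]: Flushing the "FORWARD" chain in the "filter" table
network[1725286]: Flushing the "INPUT" chain in the "filter" table
network[1725286]: Flushing the "POSTROUTING" chain in the "nat" table
network[1725286]: Flushing the "OUTPUT" chain in the "nat" table
network[1725286]: Flushing the "PREROUTING" chain in the "nat" table
"""

# Constructed, abridged iptables-save dump modeled on libvirt's default NAT
# network; the LIBVIRT_* chain names are libvirt's, the rule list is shortened.
DUMP = """\
*nat
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
"""


def parse_flushes(journal):
    """Set of (table, chain) pairs the journal says were flushed."""
    return {(m["table"], m["chain"]) for m in map(FLUSH_RE.search, journal.splitlines()) if m}


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {chain: [rule, ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":") and table is not None:      # chain declaration
            table.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A ") and table is not None:    # rule appended to a chain
            table.setdefault(line.split()[1], []).append(line)
    return tables


def apply_flushes(tables, flushed):
    """Copy of the rule set after `iptables -t TABLE -F CHAIN` for each flushed pair."""
    out = {t: {c: list(r) for c, r in chains.items()} for t, chains in tables.items()}
    for table, chain in flushed:
        if chain in out.get(table, {}):
            out[table][chain] = []
    return out


def reachable(chains, roots):
    """Chains reachable from the built-in roots by following -j targets."""
    seen, stack = set(), [c for c in roots if c in chains]
    while stack:
        chain = stack.pop()
        seen.add(chain)
        for rule in chains[chain]:
            m = re.search(r" -j (\S+)", rule)
            if m and m.group(1) in chains and m.group(1) not in seen:
                stack.append(m.group(1))
    return seen


def orphaned_chains(tables, prefix="LIBVIRT_"):
    """Per table, prefixed chains that still hold rules but no packet can reach."""
    result = {}
    for table, chains in tables.items():
        reach = reachable(chains, BUILTIN.get(table, ()))
        lost = sorted(c for c in chains if c.startswith(prefix) and chains[c] and c not in reach)
        if lost:
            result[table] = lost
    return result


def simulate(journal=JOURNAL, dump=DUMP):
    """(unreachable libvirt chains before, after) replaying the journal's flushes."""
    before = parse_iptables_save(dump)
    after = apply_flushes(before, parse_flushes(journal))
    return orphaned_chains(before), orphaned_chains(after)


if __name__ == "__main__":
    before, after = simulate()
    print("unreachable libvirt chains before:", before or "none")
    print("unreachable libvirt chains after: ", after or "none")
```

On the constructed dump the simulation reports no unreachable chains before the flush and all five filter chains plus LIBVIRT_PRT in nat afterwards, i.e. the MASQUERADE rule for the VM subnet and the forwarding accept rules are still loaded but never consulted. The script replays only what the log states (`-F` on built-in chains); whether the network service also deletes user-defined chains (`-X`) is not visible in the excerpt and is not assumed. To check a live host, feed it `iptables-save` output captured before and after applying the firewall settings instead of the embedded DUMP.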