46632 2023-06-22 21:39:56 +0300 Отваливается сеть у виртуальных машин при изменении настроек через alterator-net-iptables 2023-06-30 14:08:24 +0300 1 1 1 Unclassified Branch p10 alterator-net-iptables не указана x86_64 Linux NEW P5 normal --- 1 igor.bz sem alimektor qa-p10 oldest_to_newest 228248 0 igor.bz 2023-06-22 21:39:56 +0300 При применении изменённых значений через брандмауэр (alterator-net-iptables) отваливается сеть у виртуальных машин на базе qemu-kvm с задействованием libvird. Сеть в виртуальных машинах начинает работать вновь только после перезапуска службы libvirtd. У хоста сеть работает нормально. Дистрибутив: NAME="starter kit" VERSION="10" ID=altlinux VERSION_ID=10 PRETTY_NAME="ALT Starterkit 10 (Hypericum)" --- rpm -q libvirt-daemon libvirt-daemon-9.3.0-alt1.x86_64 --- rpm -q alterator-net-iptables alterator-net-iptables-4.19.10-alt1.x86_64 --- Вывод из журнала в процессе применения настроек брандмауэра: systemd[1]: Stopping Network Connectivity... network[1725202]: Computing interface groups: . 1 interfaces found network[1725202]: Processing /etc/net/vlantab: empty. network[1725202]: Stopping group 0/virtual (1 interfaces) avahi-daemon[1617793]: Withdrawing address record for 127.0.0.1 on lo. avahi-daemon[1617793]: Leaving mDNS multicast group on interface lo.IPv4 with address 127.0.0.1. avahi-daemon[1617793]: Interface lo.IPv4 no longer relevant for mDNS. avahi-daemon[1617793]: Interface lo.IPv6 no longer relevant for mDNS. avahi-daemon[1617793]: Leaving mDNS multicast group on interface lo.IPv6 with address ::1. avahi-daemon[1617793]: Withdrawing address record for ::1 on lo. network[1725202]: Stopping lo: network[1725232]: .. network[1725202]: OK network[1725286]: Stopping iptables for default network[1725286]: Flushing the "OUTPUT" chain in the "filter" table network[1725286]: Flushing the "FORWARD" chain in the "filter" table network[1725286]: Flushing the "INPUT" chain in the "filter" table network[1725286]: Flushing the "POSTROUTING" chain in the "nat" table network[1725286]: Flushing the "OUTPUT" chain in the "nat" table network[1725286]: Flushing the "PREROUTING" chain in the "nat" table network[1725286]: Flushing the "POSTROUTING" chain in the "mangle" table network[1725286]: Flushing the "OUTPUT" chain in the "mangle" table network[1725286]: Flushing the "FORWARD" chain in the "mangle" table network[1725286]: Flushing the "INPUT" chain in the "mangle" table network[1725286]: Flushing the "PREROUTING" chain in the "mangle" table network[1725286]: Unloading module ip_conntrack_ftp network[1725286]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table network[1725286]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table network[1725286]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table network[1725286]: Stopping ip6tables for default network[1725286]: Flushing the "OUTPUT" chain in the "filter" table network[1725286]: Flushing the "FORWARD" chain in the "filter" table network[1725286]: Flushing the "INPUT" chain in the "filter" table network[1725286]: Flushing the "POSTROUTING" chain in the "mangle" table network[1725286]: Flushing the "OUTPUT" chain in the "mangle" table network[1725286]: Flushing the "FORWARD" chain in the "mangle" table network[1725286]: Flushing the "INPUT" chain in the "mangle" table network[1725286]: Flushing the "PREROUTING" chain in the "mangle" table network[1725286]: Unloading module ip_conntrack_ftp network[1725286]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table network[1725286]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table network[1725286]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table systemd[1]: network.service: Deactivated successfully. systemd[1]: Stopped Network Connectivity. systemd[1]: Starting Network Connectivity... network[1725451]: Starting ip6tables for default network[1725451]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table network[1725451]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table network[1725451]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table network[1725451]: Loading module ip_conntrack_ftp network[1725451]: Loading rules for the "PREROUTING" chain in the "mangle" table network[1725451]: Loading rules for the "INPUT" chain in the "mangle" table network[1725451]: Loading rules for the "FORWARD" chain in the "mangle" table network[1725451]: Loading rules for the "OUTPUT" chain in the "mangle" table network[1725451]: Loading rules for the "POSTROUTING" chain in the "mangle" table network[1725451]: Loading rules for the "INPUT" chain in the "filter" table.... network[1725451]: Loading rules for the "FORWARD" chain in the "filter" table...... network[1725451]: Loading rules for the "OUTPUT" chain in the "filter" table.. network[1725451]: Starting iptables for default network[1725451]: Setting ACCEPT policy for the "INPUT" chain in the "filter" table network[1725451]: Setting ACCEPT policy for the "FORWARD" chain in the "filter" table network[1725451]: Setting ACCEPT policy for the "OUTPUT" chain in the "filter" table network[1725451]: Loading module ip_conntrack_ftp network[1725451]: Loading rules for the "PREROUTING" chain in the "mangle" table network[1725451]: Loading rules for the "INPUT" chain in the "mangle" table network[1725451]: Loading rules for the "FORWARD" chain in the "mangle" table network[1725451]: Loading rules for the "OUTPUT" chain in the "mangle" table network[1725451]: Loading rules for the "POSTROUTING" chain in the "mangle" table network[1725451]: Loading rules for the "PREROUTING" chain in the "nat" table network[1725451]: Loading rules for the "OUTPUT" chain in the "nat" table network[1725451]: Loading rules for the "POSTROUTING" chain in the "nat" table network[1725451]: Loading rules for the "INPUT" chain in the "filter" table....... network[1725451]: Loading rules for the "FORWARD" chain in the "filter" table....... network[1725451]: Loading rules for the "OUTPUT" chain in the "filter" table... network[1725434]: Computing interface groups: . 1 interfaces found network[1725434]: Starting group 0/virtual (1 interfaces) network[1725434]: Starting lo: avahi-daemon[1617793]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1. network[1725919]: . avahi-daemon[1617793]: New relevant interface lo.IPv4 for mDNS. avahi-daemon[1617793]: Registering new address record for 127.0.0.1 on lo.IPv4. avahi-daemon[1617793]: Joining mDNS multicast group on interface lo.IPv6 with address ::1. avahi-daemon[1617793]: New relevant interface lo.IPv6 for mDNS. avahi-daemon[1617793]: Registering new address record for ::1 on lo.*. NetworkManager[3012]: <info> [1687458444.8239] device (lo): carrier: link connected avahi-daemon[1617793]: Withdrawing address record for 127.0.0.1 on lo. avahi-daemon[1617793]: Leaving mDNS multicast group on interface lo.IPv4 with address 127.0.0.1. avahi-daemon[1617793]: Interface lo.IPv4 no longer relevant for mDNS. network[1725931]: . avahi-daemon[1617793]: Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1. network[1725934]: . avahi-daemon[1617793]: New relevant interface lo.IPv4 for mDNS. avahi-daemon[1617793]: Registering new address record for 127.0.0.1 on lo.IPv4. network[1725942]: . network[1725434]: OK network[1725434]: Processing /etc/net/vlantab: empty. systemd[1]: Started Network Connectivity 228652 1 alimektor 2023-06-30 14:08:24 +0300 Пакет: - alterator-net-iptables-4.19.10-alt1 Стенд: - ALT Workstation 10.1 с обновлением до текущего P10 Шаги: 1. Выполнить первоначальную настройку: # apt-get install -y alterator-net-iptables virt-manager qemu libvirt libvirt-daemon-driver-storage-disk # systemctl enable --now libvirtd && sleep 5; systemctl status libvirtd --no-pager -l # gpasswd -a test vmusers 2. Скачать любой образ (в моём случае ALT Workstation 10.1). 3. Включить сеть: Вкладка Виртуальные сети -> выбрать default -> нажать треугольник (запустить) -> включить чекбокс Автозапуск: при загрузке -> Применить 4. Создать виртуальную машину. 5. Проверить сеть в виртуальной машине (ping ya.ru, страница в браузере) и командой: # virsh net-list --all Имя Состояние Автозапуск Постоянный ------------------------------------------------ default активен yes yes 6. Запустить Центр управления системой → включить режим эксперта → Брандмауэр → Перенаправление портов 7. Добавить правило: - Протокол: TCP - IP адрес: порт: 777 - перенаправлять на IP адрес: <текущий_ip> порт: 80 нажать Добавить 8. Включить чекбокс Включить перенаправление портов 9. Проверить сеть командой: # virsh net-list --all Имя Состояние Автозапуск Постоянный ------------------------------------------------ default активен yes yes 10. Проверить сеть в виртуальной машине: $ ping -с 3 ya.ru $ xbrowser google.com Ожидаемый результат: присутствует сетевое соединение. Фактический результат: отсутствует сетевое соединение. Дополнительно 1: выполнение команды # systemctl restart libvirtd действительно решает проблему с сетевым соединением. Дополнительно 2: если сначала выполнять пинг (ping ya.ru), после чего нажать чекбокс Включить перенаправление портов, то пинг продолжится, но повторный пинг уже не выполняется. В Sisyphus не проверялось.