Dear all,
I don't want to use Security Groups to isolate VMs, so I created a Basic Network Zone with the network offering "DefaultSharedNetworkOffering". But when I added a host to the zone and created a VM on it, the KVM host still starts up iptables rules (I think the KVM host uses iptables rules to achieve the security group function) and isolates the VM's network traffic; it's useless even if I stop the iptables service. And because I use DefaultSharedNetworkOffering, there is no place to modify the ingress rules. I want to know what the reason is.

Below is the iptables status of the KVM host. You can see that it drops all traffic to i-2-3-VM (the red lines):

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    CHECKSUM   udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68 CHECKSUM fill

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:49152:49216
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:5900:6100
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:16509
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
num  target       prot opt source               destination
1    BF-cloudbr0  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
2    BF-cloudbr0  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
3    DROP         all  --  0.0.0.0/0            0.0.0.0/0
4    DROP         all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain BF-cloudbr0 (2 references)
num  target           prot opt source               destination
1    ACCEPT           all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    BF-cloudbr0-IN   all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-in --physdev-is-bridged
3    BF-cloudbr0-OUT  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-out --physdev-is-bridged
4    ACCEPT           all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out p2p2 --physdev-is-bridged

Chain BF-cloudbr0-IN (1 references)
num  target     prot opt source               destination
1    s-1-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
2    s-1-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet1 --physdev-is-bridged
3    s-1-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet2 --physdev-is-bridged
4    s-1-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet3 --physdev-is-bridged
5    v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet4 --physdev-is-bridged
6    v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet5 --physdev-is-bridged
7    v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
8    r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet7 --physdev-is-bridged
9    r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet8 --physdev-is-bridged
10   i-2-3-def  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet9 --physdev-is-bridged

Chain BF-cloudbr0-OUT (1 references)
num  target     prot opt source               destination
1    s-1-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
2    s-1-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet1 --physdev-is-bridged
3    s-1-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet2 --physdev-is-bridged
4    s-1-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet3 --physdev-is-bridged
5    v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet4 --physdev-is-bridged
6    v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet5 --physdev-is-bridged
7    v-2-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
8    r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet7 --physdev-is-bridged
9    r-4-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet8 --physdev-is-bridged
10   i-2-3-def  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet9 --physdev-is-bridged

Chain i-2-3-VM (1 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain i-2-3-VM-eg (1 references)
num  target     prot opt source               destination

Chain i-2-3-def (2 references)
num  target       prot opt source               destination
1    ACCEPT       all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT       udp  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet9 --physdev-is-bridged udp spt:68 dpt:67
3    ACCEPT       udp  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet9 --physdev-is-bridged udp spt:67 dpt:68
4    RETURN       udp  --  10.6.159.202         0.0.0.0/0            PHYSDEV match --physdev-in vnet9 --physdev-is-bridged udp dpt:53
5    i-2-3-VM-eg  all  --  10.6.159.202         0.0.0.0/0            PHYSDEV match --physdev-in vnet9 --physdev-is-bridged
6    i-2-3-VM     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vnet9 --physdev-is-bridged

Chain r-4-VM (4 references)
num  target     prot opt source               destination
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet7 --physdev-is-bridged
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet8 --physdev-is-bridged
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain s-1-VM (8 references)
num  target     prot opt source               destination
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet1 --physdev-is-bridged
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet2 --physdev-is-bridged
4    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet3 --physdev-is-bridged
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain v-2-VM (6 references)
num  target     prot opt source               destination
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet4 --physdev-is-bridged
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet5 --physdev-is-bridged
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Regards.

Cao Wei | Senior Technical Consultant | Travelsky | Cell: +86 10 13552493131 | Address: 157 Dongsi West Street, Dongcheng District, Beijing, China (100010)
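An added diagnostic, not part of the original post and not CloudStack's own code: it parses `iptables -L -n --line-numbers` output like the listing above and walks the bridge-filter chains for one VM interface the way the kernel would, so you can see which chain finally accepts or drops a new connection. The sample is a constructed, shortened copy of the host's filter chains (uplink p2p2 and vnet9 come from the listing); the match model only looks at protocol, connection state and physdev in/out device, not ports or addresses.

```python
import re
# Constructed sample, shortened from the host's `iptables -L -n --line-numbers` output.
IPTABLES_OUTPUT = """\
Chain FORWARD (policy ACCEPT)
1    BF-cloudbr0  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged
Chain BF-cloudbr0 (2 references)
1    BF-cloudbr0-IN   all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-in --physdev-is-bridged
2    BF-cloudbr0-OUT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-out --physdev-is-bridged
3    ACCEPT           all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out p2p2 --physdev-is-bridged
Chain BF-cloudbr0-IN (1 references)
1    i-2-3-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vnet9 --physdev-is-bridged
Chain BF-cloudbr0-OUT (1 references)
1    i-2-3-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vnet9 --physdev-is-bridged
Chain i-2-3-def (2 references)
1    ACCEPT       udp  --  0.0.0.0/0     0.0.0.0/0  PHYSDEV match --physdev-out vnet9 --physdev-is-bridged udp spt:67 dpt:68
2    i-2-3-VM-eg  all  --  10.6.159.202  0.0.0.0/0  PHYSDEV match --physdev-in vnet9 --physdev-is-bridged
3    i-2-3-VM     all  --  0.0.0.0/0     0.0.0.0/0  PHYSDEV match --physdev-out vnet9 --physdev-is-bridged
Chain i-2-3-VM (1 references)
1    DROP  all  --  0.0.0.0/0  0.0.0.0/0
"""
# The empty i-2-3-VM-eg chain is omitted from the sample; an unknown chain is treated as empty.

def parse(text):
    """{chain: [policy, [(target, prot, match_text)]]} from `iptables -L -n --line-numbers`."""
    chains, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            pol = re.search(r"policy (\w+)", line)  # user chains have no policy: end of chain = RETURN
            cur = chains.setdefault(line.split()[1], [pol.group(1) if pol else "RETURN", []])
        elif line[:1].isdigit():
            f = line.split(None, 6)  # num target prot opt source destination [match text]
            cur[1].append((f[1], f[2], f[6] if len(f) > 6 else ""))
    return chains

def applies(rule, pkt):
    """Does the rule match the first packet of a NEW connection? pkt = (in_dev, out_dev, proto)."""
    _, prot, m = rule
    dev_in, dev_out = re.search(r"--physdev-in (\S+)", m), re.search(r"--physdev-out (\S+)", m)
    return (prot in ("all", pkt[2]) and "RELATED,ESTABLISHED" not in m
            and (not dev_in or dev_in.group(1) == pkt[0]) and (not dev_out or dev_out.group(1) == pkt[1]))

def trace(chains, chain, pkt, path=()):
    """Walk the chains the way the kernel does; return (verdict, chains visited to reach it)."""
    policy, rules = chains.get(chain, ("RETURN", []))
    path += (chain,)
    for rule in rules:
        if applies(rule, pkt):
            if rule[0] in ("ACCEPT", "DROP", "REJECT", "RETURN"):
                return rule[0], path
            verdict, sub = trace(chains, rule[0], pkt, path)  # jump into a user chain
            if verdict != "RETURN":
                return verdict, sub
    return policy, path  # end of chain: builtin policy, or RETURN to the calling chain
```

Tracing a new TCP connection towards vnet9 ends in i-2-3-VM's DROP, while traffic leaving vnet9 is accepted by BF-cloudbr0 rule 4 and a DHCP reply is accepted in i-2-3-def, which is exactly the asymmetry the listing shows for i-2-3-VM.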
