On Thu, Apr 22, 2010 at 1:35 PM, Justin M. Forbes <[email protected]> wrote:
> On Thu, 2010-04-22 at 13:14 +0100, Adam Huffman wrote:
>> On Thu, Apr 22, 2010 at 12:41 PM, Dor Laor <[email protected]> wrote:
>> > On 04/22/2010 12:45 PM, Adam Huffman wrote:
>> >>
>> >> On Thu, Apr 1, 2010 at 10:18 AM, Dor Laor<[email protected]> wrote:
>> >>>
>> >>> On 03/31/2010 07:06 PM, Adam Huffman wrote:
>> >>>>
>> >>>> On Wed, Mar 31, 2010 at 11:31 AM, Tom Horsley<[email protected]>
>> >>>> wrote:
>> >>>>>
>> >>>>> On Wed, 31 Mar 2010 10:02:17 +0000
>> >>>>> Adam Huffman wrote:
>> >>>>>
>> >>>>>> Is there a way of turning on extra logging to try and see what is (or
>> >>>>>> isn't) happening?
>> >>>
>> >>> What's the nic type used? rtl/e1000/virtio (driver ver?)?
>> >>>
>> >>
>> >> It's using the default - Realtek.
>> >>
>> >>>>>
>> >>>>> I had similar stuff happen to machines I run due to the hopeless
>> >>>>> timekeeping in virtual machines. The clock gets so far off in
>> >>>>> the guest that it doesn't bother to renew the lease at what
>> >>>>> the host thinks is the scheduled time (or vice-versa, I forget
>> >>>>> which way the time was drifting).
>> >>>
>> >>> What's the guest? For winXp you should use the -rtc driftfix=slew
>> >>>
>> >>
>> >> It is XP, though I'm not sure this is the cause - the clock time isn't
>> >> skewed too badly.
>> >>
>> >> It appears to be related to iptables. If I add some rules to permit
>> >> access to Samba on the host, the guest networking fails. Is there an
>> >> "approved" way of permitting such Samba access?
>> >
>> > How do you do it? There is no reason for it to fail
>> >
>> This is what I tried:
>>
>> # Second attempt at local VM Samba access
>> #-A INPUT -s 192.168.122.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
>> #-A INPUT -s 192.168.122.0/24 -i vnet0 -p udp -m udp --dport 137:139 -j ACCEPT
>> #-A INPUT -s 192.168.122.0/24 -i vnet0 -p tcp -m tcp --dport 137:139 -j ACCEPT
>>
>> When I uncommented and applied them, the guest lost its IP address.
>> Happy to try other suggestions...
>
> libvirt has no sane way of integrating with iptables
>
> We previously tried using lokkit, but if the user had configured
> iptables manually (i.e. without lokkit) we'd end up clobbering their
> rules
>
> We simply need a way to say to iptables "we've added these rules, please
> load them when you restart" without overwriting the current
> configuration. We also need lokkit/system-config-firewall to not
> overwrite these rules when the user modifies the configuration
>
> The whole sorry saga is well documented in bug #227011:
> https://bugzilla.redhat.com/show_bug.cgi?id=227011
>
> Justin
>
In the meantime, any guidance on how I can do this manually would be
greatly appreciated...

Adam
