[Pkg-libvirt-maintainers] Bug#636712: Bug#636712: libvirt-bin: cannot create rule since iptables tool is missing with custom nwfilters

Luca Capello luca at pca.it
Tue Aug 9 10:16:02 UTC 2011


Hi there!

On Tue, 09 Aug 2011 00:44:47 +0200, Guido Günther wrote:
> On Fri, Aug 05, 2011 at 05:05:23PM +0200, Luca Capello wrote:
>> However, adding a simple filter like the following causes an error:
>> =====
>> # cat /etc/libvirt/nwfilter/allow-http.xml
>> <filter name='allow-http' chain='ipv4'>
>>   <rule action='accept' direction='in' >
>>     <tcp dstportstart='80' />
>>   </rule>
>> </filter>
>
> It works here with a very similar rule for ssh accept:
[...]
> Could you check /var/log/libvirt/libvirtd.log? If there's nothing
> interesting in there try running
>
> /etc/init.d/libvirt-bin stop
> LIBVIRT_DEBUG=1 libvirtd -v
>
> and attach the output to this bug please.

Output attached, also for /var/log/syslog (0.8.3-5+squeeze2, please tell
me if you want the one from 0.9.4~rc1-1).

After some debugging, I think the problem is the missing gawk, given
that in libvirt-0.9.3/src/nwfilter/nwfilter_ebiptables_driver.c we have:

--8<---------------cut here---------------start------------->8---
    /* ip(6)tables support needs gawk & grep, ebtables doesn't */
    if ((iptables_cmd_path != NULL || ip6tables_cmd_path != NULL) &&
        (!grep_cmd_path || !gawk_cmd_path)) {
        virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                               _("essential tools to support ip(6)tables "
                                 "firewalls could not be located"));
        VIR_FREE(iptables_cmd_path);
        VIR_FREE(ip6tables_cmd_path);
    }
--8<---------------cut here---------------end--------------->8---

Obviously, the error above is useless, given that there is no indication
of *which* tool is missing.

FWIW, gawk is used in iptablesLinkIPTablesBaseChain() only (line 418 in
the above file).  However, no reason is available why GNU awk (and not
any awk like the Debian default mawk) is needed, not even in the commit:

  <http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=1130085cf075c044e4ad6cd811aa066549edcc2e>

I will try to check if with mawk everything works OK, but this means
that I need to find out the full gawk invocation and then also recompile
libvirt-bin for squeeze, not now ;-)

>> The first error is #592177 (with its clones #615907 and #626166), the
>> other errors about essential or iptables tools missing are still
>> puzzling my brain for an explication :-|
>
> #592177 should be fixed with 0.9.4~rc1. 0.9.4 is about to be uploaded to
> unstable pending a LFS fix.

Thank you, also for the squeeze-backports: I will move to them, thus
0.9.x, as soon as this bug is solved.

Thx, bye,
Gismo / Luca

-------------- next part --------------
A non-text attachment was scrubbed...
Name: libvirtd_Debian-636712.log.gz
Type: application/octet-stream
Size: 28627 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-libvirt-maintainers/attachments/20110809/feb3c8c9/attachment-0001.obj>
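
An added illustration, not libvirt's code and not part of the original message: the same gating condition as the excerpt quoted in the message, but with a diagnostic that names the missing helper, so a host whose ip(6)tables-based nwfilter rules cannot be applied is easy to spot. The function names, the search directories and the message text are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 1 if `name` is an executable regular file in one of
 * the directories of the colon-separated list `dirs`, else 0. */
int tool_in_dirs(const char *name, const char *dirs)
{
    char path[4096];
    struct stat st;
    while (*dirs) {
        size_t len = strcspn(dirs, ":");
        int n = snprintf(path, sizeof(path), "%.*s/%s", (int)len, dirs, name);
        if (len > 0 && n > 0 && (size_t)n < sizeof(path) &&
            stat(path, &st) == 0 && S_ISREG(st.st_mode) && access(path, X_OK) == 0)
            return 1;
        dirs += len;
        if (*dirs == ':')
            dirs++;
    }
    return 0;
}

/* Same condition as the quoted check: ip(6)tables support needs grep and
 * gawk, ebtables does not. Returns 0 when nothing is missing, -1 otherwise,
 * and writes the names of the missing helpers into `msg`. */
int check_iptables_helpers(int have_iptables, int have_ip6tables, int have_grep,
                           int have_gawk, char *msg, size_t msglen)
{
    msg[0] = '\0';
    if (!(have_iptables || have_ip6tables) || (have_grep && have_gawk))
        return 0;
    snprintf(msg, msglen, "ip(6)tables firewall support disabled, missing:%s%s",
             have_grep ? "" : " grep", have_gawk ? "" : " gawk");
    return -1;
}

int main(void)
{
    const char *dirs = "/usr/sbin:/usr/bin:/sbin:/bin"; /* assumed search path */
    char msg[128];
    int rc = check_iptables_helpers(
        tool_in_dirs("iptables", dirs), tool_in_dirs("ip6tables", dirs),
        tool_in_dirs("grep", dirs), tool_in_dirs("gawk", dirs), msg, sizeof(msg));
    puts(rc == 0 ? "helpers OK (or ip(6)tables not installed)" : msg);
    return rc == 0 ? 0 : 1;
}
```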