Arch Linux では、VM が仮想ネットワークを使用すると、ゲスト VM は接続されなくなります。この問題は、システム構成やKVM / QEMU構成の変更なしで機能したため、ほとんど突然現れました。
明確に申し上げると、私はゲストとのコミュニケーションもできません。ホストとゲストの間で通信できません。
似たような投稿を見つけましたが、それらのどれも私が経験していた問題を解決できませんでした。
virsh net-dumpxml デフォルト
<network>
<name>default</name>
<uuid>redacted</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:aa:32:1d'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254'/>
</dhcp>
</ip>
</network>
virshネットワークリスト - すべて
Name State Autostart Persistent
--------------------------------------------
default active yes yes
マンジャロゲスト内部:
IPワン
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROAD_CAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:e5:a3:92 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fa0d:bd72:fdba:57c2/64 scope link noprefixroute
valid_lft forever preferred_lft forever
ホストに戻る:
Journalctl -b -u libvirtd.service --no-pager
注:ホスト名を削除しました。
Apr 18 05:32:37 hostname systemd[1]: Starting Virtualization daemon...
Apr 18 05:32:37 hostname systemd[1]: Started Virtualization daemon.
Apr 18 05:32:38 hostname dnsmasq[726]: started, version 2.89 cachesize 150
Apr 18 05:32:38 hostname dnsmasq[726]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile
Apr 18 05:32:38 hostname dnsmasq-dhcp[726]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
Apr 18 05:32:38 hostname dnsmasq-dhcp[726]: DHCP, sockets bound exclusively to interface virbr0
Apr 18 05:32:38 hostname dnsmasq[726]: reading /etc/resolv.conf
Apr 18 05:32:38 hostname dnsmasq[726]: using nameserver 68.105.28.11#53
Apr 18 05:32:38 hostname dnsmasq[726]: using nameserver 68.105.29.11#53
Apr 18 05:32:38 hostname dnsmasq[726]: using nameserver 68.105.28.12#53
Apr 18 05:32:38 hostname dnsmasq[726]: read /etc/hosts - 0 names
Apr 18 05:32:38 hostname dnsmasq[726]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 names
Apr 18 05:32:38 hostname dnsmasq-dhcp[726]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Apr 18 05:32:41 hostname dnsmasq[726]: reading /etc/resolv.conf
Apr 18 05:32:41 hostname dnsmasq[726]: using nameserver 68.105.28.11#53
Apr 18 05:32:41 hostname dnsmasq[726]: using nameserver 68.105.29.11#53
Apr 18 05:32:41 hostname dnsmasq[726]: using nameserver 68.105.28.12#53
Apr 18 05:32:43 hostname dnsmasq[726]: reading /etc/resolv.conf
Apr 18 05:32:43 hostname dnsmasq[726]: using nameserver 100.100.100.100#53
Apr 18 05:32:43 hostname dnsmasq[726]: reading /etc/resolv.conf
Apr 18 05:32:43 hostname dnsmasq[726]: using nameserver 100.100.100.100#53
Apr 18 09:33:08 hostname dnsmasq[726]: reading /etc/resolv.conf
Apr 18 09:33:08 hostname dnsmasq[726]: using nameserver 100.100.100.100#53
Apr 18 09:34:37 hostname systemd[1]: libvirtd.service: Deactivated successfully.
Apr 18 09:34:37 hostname systemd[1]: libvirtd.service: Unit process 726 (dnsmasq) remains running after unit stopped.
Apr 18 09:34:37 hostname systemd[1]: libvirtd.service: Unit process 727 (dnsmasq) remains running after unit stopped.
Apr 18 18:35:25 hostname systemd[1]: libvirtd.service: Found left-over process 726 (dnsmasq) in control group while starting unit. Ignoring.
Apr 18 18:35:25 hostname systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Apr 18 18:35:25 hostname systemd[1]: libvirtd.service: Found left-over process 727 (dnsmasq) in control group while starting unit. Ignoring.
Apr 18 18:35:25 hostname systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Apr 18 18:35:25 hostname systemd[1]: Starting Virtualization daemon...
Apr 18 18:35:25 hostname systemd[1]: Started Virtualization daemon.
Apr 18 18:35:26 hostname dnsmasq[726]: read /etc/hosts - 0 names
Apr 18 18:35:26 hostname dnsmasq[726]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 names
Apr 18 18:35:26 hostname dnsmasq-dhcp[726]: read /var/lib/libvirt/dnsmasq/default.hostsfile
IPワン
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 04:42:1a:f0:5e:22 brd ff:ff:ff:ff:ff:ff
inet 192.168.68.116/24 brd 192.168.68.255 scope global dynamic noprefixroute enp7s0
valid_lft 6595sec preferred_lft 6595sec
inet6 fe80::4da9:ee46:ca10:5ccf/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wlp6s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether fe:32:0e:58:03:f0 brd ff:ff:ff:ff:ff:ff permaddr 1c:99:57:a4:c3:b5
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:aa:32:1d brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
5: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 100.92.168.67/32 scope global tailscale0
valid_lft forever preferred_lft forever
inet6 fd7a:115c:a1e0:ab12:4843:cd96:625c:a843/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::1e59:5071:1cf9:298f/64 scope link stable-privacy
valid_lft forever preferred_lft forever
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:46:7a:60:f7 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
iptables - 保存
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Apr 19 08:15:48 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Apr 19 08:15:48 2023
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Apr 19 08:15:48 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:ts-forward - [0:0]
:ts-input - [0:0]
-A INPUT -j ts-input
-A INPUT -j LIBVIRT_INP
-A FORWARD -j ts-forward
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
-A ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
-A ts-forward -o tailscale0 -j ACCEPT
-A ts-input -s 100.92.168.67/32 -i lo -j ACCEPT
-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
COMMIT
# Completed on Wed Apr 19 08:15:48 2023
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Apr 19 08:15:48 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:LIBVIRT_PRT - [0:0]
:ts-postrouting - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j ts-postrouting
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A DOCKER -i docker0 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A ts-postrouting -m mark --mark 0x40000/0xff0000 -j MASQUERADE
COMMIT
# Completed on Wed Apr 19 08:15:48 2023
NFTリストルールセット
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state invalid drop comment "early drop of invalid connections"
ct state { established, related } accept comment "allow tracked connections"
iifname "lo" accept comment "allow from loopback"
ip protocol icmp accept comment "allow icmp"
meta l4proto ipv6-icmp accept comment "allow icmp v6"
tcp dport 22 accept comment "allow sshd"
meta pkttype host limit rate 5/second counter packets 10 bytes 4387 reject with icmpx admin-prohibited
counter packets 134 bytes 101906
}
chain forward {
type filter hook forward priority filter; policy drop;
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain LIBVIRT_INP {
iifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
iifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
iifname "virbr0" udp dport 67 counter packets 0 bytes 0 accept
iifname "virbr0" tcp dport 67 counter packets 0 bytes 0 accept
}
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 5223 bytes 29062872 jump ts-input
counter packets 5311 bytes 29090912 jump LIBVIRT_INP
}
chain LIBVIRT_OUT {
oifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
oifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
oifname "virbr0" udp dport 68 counter packets 0 bytes 0 accept
oifname "virbr0" tcp dport 68 counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 5065 bytes 478957 jump LIBVIRT_OUT
}
chain LIBVIRT_FWO {
iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 0 bytes 0 accept
iifname "virbr0" counter packets 0 bytes 0 xt target "REJECT"
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump ts-forward
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" xt match "conntrack" counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
counter packets 0 bytes 0 jump LIBVIRT_FWX
counter packets 0 bytes 0 jump LIBVIRT_FWI
counter packets 0 bytes 0 jump LIBVIRT_FWO
}
chain LIBVIRT_FWI {
oifname "virbr0" ip daddr 192.168.122.0/24 xt match "conntrack" counter packets 0 bytes 0 accept
oifname "virbr0" counter packets 0 bytes 0 xt target "REJECT"
}
chain LIBVIRT_FWX {
iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
}
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
chain ts-input {
iifname "lo" ip saddr 100.92.168.67 counter packets 0 bytes 0 accept
iifname != "tailscale0" ip saddr 100.115.92.0/23 counter packets 0 bytes 0 return
iifname != "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
}
chain ts-forward {
iifname "tailscale0" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 accept
oifname "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
oifname "tailscale0" counter packets 0 bytes 0 accept
}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain LIBVIRT_PRT {
ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 1 bytes 40 return
ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 xt target "MASQUERADE"
meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 xt target "MASQUERADE"
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 xt target "MASQUERADE"
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 421 bytes 28614 jump ts-postrouting
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 xt target "MASQUERADE"
counter packets 465 bytes 31643 jump LIBVIRT_PRT
}
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
xt match "addrtype" counter packets 12 bytes 4499 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 xt match "addrtype" counter packets 0 bytes 0 jump DOCKER
}
chain ts-postrouting {
meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 xt target "MASQUERADE"
}
}
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
chain LIBVIRT_PRT {
oifname "virbr0" udp dport 68 counter packets 0 bytes 0 xt target "CHECKSUM"
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
counter packets 5065 bytes 478957 jump LIBVIRT_PRT
}
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
chain LIBVIRT_INP {
}
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 29 bytes 2072 jump ts-input
counter packets 31 bytes 2340 jump LIBVIRT_INP
}
chain LIBVIRT_OUT {
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 102 bytes 8442 jump LIBVIRT_OUT
}
chain LIBVIRT_FWO {
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump ts-forward
counter packets 0 bytes 0 jump LIBVIRT_FWX
counter packets 0 bytes 0 jump LIBVIRT_FWI
counter packets 0 bytes 0 jump LIBVIRT_FWO
}
chain LIBVIRT_FWI {
}
chain LIBVIRT_FWX {
}
chain ts-input {
iifname "lo" ip6 saddr fd7a:115c:a1e0:ab12:4843:cd96:625c:a843 counter packets 0 bytes 0 accept
}
chain ts-forward {
iifname "tailscale0" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 accept
oifname "tailscale0" counter packets 0 bytes 0 accept
}
}
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
table ip6 nat {
chain LIBVIRT_PRT {
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 24 bytes 2334 jump ts-postrouting
counter packets 25 bytes 2444 jump LIBVIRT_PRT
}
chain ts-postrouting {
meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 xt target "MASQUERADE"
}
}
table ip6 mangle {
chain LIBVIRT_PRT {
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
counter packets 102 bytes 8442 jump LIBVIRT_PRT
}
}