
I'm trying to make a rumpkernel (https://github.com/rumpkernel) run on KVM, connect to a socket on the host and send some data.

I am able to make the host access the guest using the nginx example here: https://github.com/rumpkernel/wiki/wiki/Tutorial%3A-Serve-a-static-website-as-a-Unikernel

Pretty much what I do is:

ip tuntap add tap0 mode tap
ip addr add 10.0.0.10/24 dev tap0
ip link set dev tap0 up 

Then launch rumprun with the parameters:

rumprun kvm -i -M 128 \
        -I if,vioif,'-net tap,script=no,ifname=tap0'\
        -W if,inet,static,10.0.0.11/24 \
        -b images/data.iso,/data \
        -- <my python script>

Where the python script opens a socket (0.0.0.0:2010) and listens. Then on the host I can do:

nc 10.0.0.11 2010

And I can see it connecting. The problem is that I can't do the other way around. Now I have the kvm guest opening a socket and trying to connect:

import socket

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    ip = "10.0.0.10"
    try:
        s.connect((ip, 9999))
        # send some data
    except OSError as e:
        print("connect failed:", e)

And running the same script that does listen as before, binding on 10.0.0.10:9999. The guest just gets stuck on trying to connect and eventually times out.

I tried almost everything I could find online, ended up with a bridge with IP 10.0.0.10 and adding tap0 to it. Then I snooped br0 and got the following (removed some lines):

15:38:46.173914 ARP, Request who-has 10.0.0.11 tell 10.0.0.11, length 28
...
15:38:46.500262 ARP, Request who-has 10.0.0.10 tell 10.0.0.11, length 28
15:38:46.500288 ARP, Reply 10.0.0.10 is-at 0e:ec:XX:XX:XX:XX (oui Unknown), length 28
15:38:46.500440 IP 10.0.0.11.52886 > 10.0.0.10.9999: Flags [S], seq 20858086, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0

Which makes me think there is a route, but somehow the packet doesn't reach. I've tried disabling filtering within sys.d:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

And still nothing.

Any ideas on how to make this work? I don't want to bridge my eth0 because it's a remote server and the guest doesn't need outside connections at this moment.

hfingler

1 Answer

Welp, been trying to solve this for a day and ofc after I post a question here I find the answer.

Hint was in this: Configure FirewallD to allow bridged virtual machine network access

I checked iptables and logs, and found this on /var/log/ufw.log

Dec  5 15:38:46 xxxx kernel: [516010.193395] [UFW BLOCK] IN=br0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0

Turns out there is a firewall running, and it was blocking the connection. I added a new rule as specified here: https://help.ubuntu.com/community/UFW and it's working now. Apparently.

hfingler
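An added example, not part of the original answer: a small parser for `[UFW BLOCK]` lines in the format quoted above that counts blocked TCP connection attempts arriving on the bridge and prints a rule scoped to that one flow. The sample log lines are constructed, the function names are hypothetical, and the rule shown is one possible narrowly scoped form, not necessarily the rule the poster added.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the [UFW BLOCK] entry quoted above.
SAMPLE_LOG = """\
Dec  5 15:38:46 host kernel: [516010.193395] [UFW BLOCK] IN=br0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0
Dec  5 15:38:49 host kernel: [516013.201100] [UFW BLOCK] IN=br0 OUT= MAC=... SRC=10.0.0.11 DST=10.0.0.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52886 DPT=9999 WINDOW=32768 RES=0x00 SYN URGP=0
Dec  5 15:40:02 host kernel: [516086.000001] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  5 15:41:00 host kernel: [516144.000001] [UFW AUDIT] IN=br0 OUT= SRC=10.0.0.11 DST=10.0.0.10 PROTO=TCP DPT=9999 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_block(line):
    """Return the fields of a [UFW BLOCK] kernel log line, or None for other lines."""
    _, marker, rest = line.partition("[UFW BLOCK]")
    if not marker:
        return None
    fields = dict(FIELD.findall(rest))
    # TCP flags are logged as bare words (SYN, ACK, ...), not KEY=VALUE pairs.
    fields["SYN"] = "SYN" in rest.split()
    return fields


def blocked_flows(log_text, iface):
    """Count blocked TCP packets carrying SYN that arrived on `iface`."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_block(line)
        if f and f.get("IN") == iface and f.get("PROTO") == "TCP" and f["SYN"]:
            flows[(f["SRC"], f["DST"], int(f["DPT"]))] += 1
    return flows


def scoped_rule(iface, src, dst, dport):
    """Build a ufw rule limited to one interface, source, destination and port."""
    return f"ufw allow in on {iface} proto tcp from {src} to {dst} port {dport}"


if __name__ == "__main__":
    for (src, dst, dport), n in blocked_flows(SAMPLE_LOG, "br0").items():
        print(f"{n} blocked SYN(s) {src} -> {dst}:{dport}")
        print("  candidate rule:", scoped_rule("br0", src, dst, dport))
```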