Hello,
> Can you outline how your desired configuration for libvirt NAT mode is
> different from what libvirt already does? The goal for this is to be
> totally zero-conf, so the fact that you can't use the default setup
> shows something is lacking in our impl & I'd prefer to identify what
> that is rather than blindly disabling it. In addition the libvirt
> rules are written to try & ensure that they only impact traffic
> to/from the subnet that is configured in the libvirt network, to avoid
> causing problems for other rules you might have already configured.
I opened a bug report[1] for this too. Doing the right thing for the
out-of-the-box configuration is OK, but everything should be opt-out and
manually configurable.
I add sanity-check rules at the top of my netfilter chains, and when a
libvirt network starts it's not "protected" by these rules.
It's like my bug report on dnsmasq[2]: I already have a complete
DHCP/DNS-with-LDAP-backend configuration for the subnet; I don't need it
but cannot opt out of the feature.
This disempowers the user/administrator, which I think is bad.
So, what I would like to see:
1. Automatic configuration for out-of-the-box setup
2. Opt-out all the automatic configurations
3. Manually configurable, with pre-up (before), up (doing it),
post-up (after) and their down counterparts.
Please.
Footnotes:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568790
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549183
--
Daniel Dehennin
Retrieve my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
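The three requests above (automatic default, full opt-out, and hooks before/after the network comes up) can be illustrated with later libvirt facilities. The following is an added example, not part of the original mail or of the libvirt project's own code: it pairs a network definition using `<forward mode='open'/>` (libvirt 2.2.0 and later; libvirt then installs no netfilter rules at all) and `<dns enable='no'/>` (no libvirt-managed dnsmasq) with a `/etc/libvirt/hooks/network` script that installs the administrator's own top-of-chain rules on the `start` operation (fired before libvirt touches netfilter) and removes them on `stopped`. The network name `lan0`, bridge `virbr-lan0`, subnet `192.168.122.0/24` and uplink `eth0` are assumptions chosen for the example; the rules are scoped to that subnet only, in the spirit of the maintainer's remark about not disturbing other rules.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumed names: network "lan0",
# bridge "virbr-lan0", subnet 192.168.122.0/24, uplink "eth0".
# Run with IPT="echo iptables" to see the rules without applying them.
IPT="${IPT:-iptables}"

NET_NAME=lan0
BR=virbr-lan0
NET=192.168.122.0/24
UPLINK=eth0

# Network definition for `virsh net-define`: libvirt creates the bridge and
# assigns the gateway address, but adds no iptables rules (mode='open') and
# starts no dnsmasq (dns disabled, no <dhcp> element), so the admin's own
# DHCP/DNS and netfilter configuration is left alone.
network_xml() {
    cat <<EOF
<network>
  <name>$NET_NAME</name>
  <forward mode='open'/>
  <bridge name='$BR' stp='on' delay='0'/>
  <dns enable='no'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>
EOF
}

# The admin's sanity-check rules. "add" inserts them at position 1 so they
# sit above everything else in the chain; "del" removes the identical rules.
# Every rule matches only this network's bridge and subnet.
hook_rules() {
    case "$1" in
        add) op="-I"; pos=1 ;;
        del) op="-D"; pos=""  ;;
        *)   return 1 ;;
    esac
    # anti-spoofing: nothing leaves the bridge with a source outside the subnet
    $IPT $op FORWARD $pos -i "$BR" ! -s "$NET" -j DROP
    # nothing enters the bridge already claiming a source inside the subnet
    $IPT $op FORWARD $pos -o "$BR" -s "$NET" -j DROP
    # NAT for this subnet only, and only towards the uplink
    $IPT -t nat $op POSTROUTING $pos -s "$NET" -o "$UPLINK" -j MASQUERADE
}

# libvirt invokes /etc/libvirt/hooks/network as:
#   network <network-name> <operation> <sub-operation> <extra>
# "start" runs before the network (and any libvirt netfilter work) is brought
# up; "stopped" runs after it has been torn down. Other networks are ignored.
network_hook() {
    name="$1"; operation="$2"
    [ "$name" = "$NET_NAME" ] || return 0
    case "$operation" in
        start)   hook_rules add ;;
        stopped) hook_rules del ;;
    esac
}

network_hook "$@"
```

Installed as `/etc/libvirt/hooks/network` (executable) next to a network defined from `network_xml`, the `start` call puts the subnet-scoped DROP and MASQUERADE rules at the head of FORWARD and nat/POSTROUTING before the bridge exists, and `stopped` removes exactly those rules; networks other than `lan0` pass through untouched.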