On Thu, Apr 02, 2009 at 10:16:13AM +0200, Ludwig Nussel wrote:
> Daniel P. Berrange wrote:
> > On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
> > > [...]
> > > I modified my VMs to use isolated rather than default, but rules keep
> > > being added to iptables when libvirt-bin is started.
> > >
> > > Is there a way to convince libvirt not to add these rules?
> >
> > No, libvirt needs to add the rules here because otherwise the guest
> > virtual network would not be guaranteed to be isolated from the host
> > network.
> Messing with iptables rules isn't guaranteed to work either. Esp. if the
> existing firewall is re-run. SuSEfirewall2 for example runs when
> interfaces come or go so it will kill any rules that someone added
> behind its back.
We have a similar issue with the Fedora equivalent of SuSEfirewall, and
it provides a mechanism for us to register the set of rules we want, so
when it is re-run, it re-adds our rules.
As a failsafe, sending SIGHUP to libvirtd will make it re-add its rules
so if there's some post-config hook for SuSEfirewall, it could be made
to SIGHUP the libvirtd daemon.
> What kind of iptables rules do you need to install?
It depends on the particular config, but it is adding sets of rules
against the IP range & bridge device config for the interface we add
to allow / disallow forwarding of traffic.
Daniel
--
|: Red Hat, Engineering, London  -o-  http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
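As an added illustration of the SIGHUP fallback Daniel describes (this is not code from the thread, from libvirt or from SuSEfirewall2), here is a post-config hook that checks whether libvirt's FORWARD rules for a bridge survived a firewall reload and signals libvirtd if they did not. It assumes the bridge name virbr1, the pidfile path /var/run/libvirtd.pid and the `-A FORWARD ... -i/-o <bridge>` line format of `iptables-save`; none of these come from the thread.

```shell
#!/bin/sh
# Added example, not libvirt's or SuSEfirewall2's own code. Run after the
# firewall has been reloaded: if libvirt's FORWARD rules for the listed
# bridges are gone, SIGHUP libvirtd so it re-installs them.
# Assumed values: bridge virbr1, pidfile /var/run/libvirtd.pid.

BRIDGES="${BRIDGES:-virbr1}"
PIDFILE="${PIDFILE:-/var/run/libvirtd.pid}"

# libvirt_rules_present RULES BRIDGE
#   RULES is the text of `iptables-save`. Succeeds (exit 0) when the FORWARD
#   chain still holds at least one rule naming BRIDGE as in- or out-interface.
#   The trailing space stops "virbr1" from also matching "virbr10".
libvirt_rules_present() {
    printf '%s\n' "$1" | grep -q -- "^-A FORWARD .*-[io] $2 "
}

# missing_bridges RULES BRIDGE...
#   Prints, one per line, the bridges that have no FORWARD rules left.
missing_bridges() {
    rules=$1
    shift
    for br in "$@"; do
        libvirt_rules_present "$rules" "$br" || printf '%s\n' "$br"
    done
}

# hup_libvirtd PIDFILE
#   Ask libvirtd to re-add its rules; fails (exit 1) if it is not running.
hup_libvirtd() {
    [ -r "$1" ] || return 1
    kill -HUP "$(cat "$1")"
}

# Hook body: only runs when executed as a script, not when sourced.
if [ "${0##*/}" = "libvirt-fw-hook.sh" ]; then
    rules=$(iptables-save 2>/dev/null)
    gone=$(missing_bridges "$rules" $BRIDGES)
    if [ -n "$gone" ]; then
        echo "libvirt FORWARD rules missing for: $gone; signalling libvirtd"
        hup_libvirtd "$PIDFILE"
    fi
fi
```

If `iptables-save` is unavailable the rule text is empty, every bridge counts as missing and libvirtd is signalled, which is harmless since a SIGHUP only makes it re-add its own rules.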