Re: [libvirt] How to prevent libvirt from adding iptables rules?
(sorry, Daniel... I had only answered you instead of copying the list also)
Daniel P. Berrange escribió el 01/04/09 09:41:
On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
> At first I used the 'default' network (with a different rfc1918
> network)... everything was kinda working until I rebooted the host... at
> that point I lost connectivity between the outside world and the VMs.
> From inside the host I had no trouble connecting to the VMs.
>
> If I restarted shorewall (which actually cleans all iptables rules and
> regenerate them according to its configuration) everything works fine.
> After sending a report and some debugging in the shorewall mailing list,
> it was clear that libvirt was adding rules to iptables.
>
Yes, the libvirt virtual network capability adds iptables to control
traffic to/from the virtual network.
> After reading a bit
> (http://libvirt.org/formatnetwork.html#examplesPrivate) I created a new
> network called "isolated". I stopped default (and disabled its
> autostart), and defined and started isolated.
>
> This is the content of isolated.xml:
> <network>
> <name>isolated</name>
> <uuid>51cffbcc-88f5-4edc-a81c-1765c1045691</uuid>
> <bridge name='virbr%d' stp='on' forwardDelay='0' />
> <ip address='10.3.14.1' netmask='255.255.255.0'>
> <dhcp>
> <range start='10.3.14.128' end='10.3.14.254' />
> </dhcp>
> </ip>
> </network>
>
> I modified my VMs to use isolated rather than default, but rules keep
> being added to iptables when libvirt-bin is started.
>
> Is there a way to convince libvirt not to add these rules?
>
No, libvirt needs to add the rules here because otherwise the guest
virtual network would not be guarenteed to be isolated from the host
network.
If this is a problem, then the best bet is to not use the virtual
network capability. Instead create a bridge device yourself using
distro network scripts, and do whatever routing/firewalling setup
you need for shorwall to work
Daniel
I see.. so I can't just ask libvirt to create the bridge for me and not
touch iptables rules... I chose "isolated" just hoping that would be
the way of preventing the addition of iptables rules...
The problem at this time is that, other than the rules I see libvirt
adds are conflicting with my rules (since they are inserted at the top
of INPUT and FORWARD before mine):
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- vnet0 * 0.0.0.0/0 <http://0.0.0.0/0>
0.0.0.0/0 <http://0.0.0.0/0> udp dpt:53
0 0 ACCEPT tcp -- vnet0 * 0.0.0.0/0 <http://0.0.0.0/0>
0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:53
0 0 ACCEPT udp -- vnet0 * 0.0.0.0/0 <http://0.0.0.0/0>
0.0.0.0/0 <http://0.0.0.0/0> udp dpt:67
0 0 ACCEPT tcp -- vnet0 * 0.0.0.0/0 <http://0.0.0.0/0>
0.0.0.0/0 <http://0.0.0.0/0> tcp dpt:67
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
- 0 0 ACCEPT all -- vnet0 vnet0 0.0.0.0/0 <http://0.0.0.0/0>
0.0.0.0/0 <http://0.0.0.0/0>
- 0 0 REJECT all -- * vnet0 0.0.0.0/0 <http://0.0.0.0/0>
0.0.0.0/0 <http://0.0.0.0/0> reject-with icmp-port-unreachable
- 0 0 REJECT all -- vnet0 * 0.0.0.0/0 <http://0.0.0.0/0>
0.0.0.0/0 <http://0.0.0.0/0> reject-with icmp-port-unreachable
Well... for the time being, I think I'll add a "shorewall restart" at
the end of rc.local which will kill these rules and leave only the ones
that shorewall generates...
--
Mariano Absatz - "El Baby"
el.baby(a)gmail.com
www.clueless.com.ar
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Light travels faster than sound. This is why some
people appear bright until you hear them speak.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org