
Hello,
Can you outline how your desired configuration for libvirt NAT mode is different from what libvirt already does? The goal for this is to be totally zero-conf, so the fact that you can't use the default setup shows something is lacking in our impl & I'd prefer to identify what that is rather than blindly disabling it. In addition the libvirt rules are written to try & ensure that they only impact traffic to/from the subnet that is configured in the libvirt network, to avoid causing problems for other rules you might have already configured.
I opened a bug report[1] for this too. Doing the right thing for out-of-the-box configuration is OK, but everything should be opt-out and manually configurable. I add sanity-check rules at the top of my netfilter chains, and when a libvirt network starts it's not "protected" by these rules. It's like my bug report on dnsmasq[2]: I already have a complete DHCP/DNS-with-LDAP-backend configuration for the subnet, I don't need it but cannot opt out of the feature. This disempowers the user/administrator, which I think is bad.

So, what I would like to see:

1. Automatic configuration for out-of-the-box setup
2. Opt-out for all the automatic configurations
3. Manually configurable, with pre-up (before), up (doing it), post-up (after) and their down counterparts.

Please.

Footnotes:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568790
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549183

-- 
Daniel Dehennin
Retrieve my GPG key: gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1