On 21.12.2009 16:00, Daniel P. Berrange wrote:
>> My issues:
>> 1) INPUT chain ACCEPTs DNS/dhcp from outside
>>
>> You might notice that the INPUT chain basically says that I ACCEPT all
>> DNS/dhcp from all interfaces. I don't want that. As soon as I configure a
>> packet filter (e.g. shorewall), libvirt's configuration will take
>> precedence.
>
> No it doesn't say that. You are missing the '-v' flag to list the rules.
> If you add that you'll see that the rules are *different* and they all
> explicitly include the name of the bridge interface associated with the
> libvirt network.
You're right - actually I did not check closely enough. Sorry for that.
> I agree that corporate policy/compliance issues are probably the main
> stumbling block here. (...)
> This obviously won't be enough for everyone's policy/compliance needs
> though. In such strict managed deployments, I think the libvirt virtual
> network functionality is simply not going to be possible to use. Once
> you've taken away the iptables setup, there ceases to be much point
> in using this functionality as it is. There are other libvirt APIs that
> would suit better, such as the network interface management APIs we
> recently added.
Which APIs do you think of? To me it looked like libvirt should become the
default configuration layer whenever you do something with virtual machines
(as it is configured by default, most configuration tools use it, ...).
Therefore I tried to make my setup work with libvirt to make use of all that
integration stuff...
> Can you explain a little more about your routed setup? In particular,
> are you trying to use the same IP address range for VMs and your LAN,
> and thus just route a handful of IPs?
Basically yes: This is a server in a data center with a couple of IPs that are
assigned by my provider (no subnet). So I assign one IP to my host and route
the others to libvirt interfaces so that my VMs can provide public services as
well.
I need a routed setup due to MAC address filtering in the switches.
> I know libvirt won't cope with the former scenario
> currently, since as you say it would need to know which IPs to route.
> We can deal with the separate-subnet scenario though, and that shouldn't
> require any per-IP setup on the virt host.
Actually there are not that many ipv4 addresses left so there are only 4 IPs
included in my plan (used to be 1 + subnet with 6 usable IPs). Therefore I get
only single IP addresses.
fs
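An added example, not part of this thread: the point above is that `iptables -L` without `-v` hides the `-i virbr0` binding, so the DNS/DHCP ACCEPT rules look global when they are not. The check below runs over a constructed `iptables -S INPUT` listing (the rule-spec format, which always shows the interface) and reports any DNS/DHCP ACCEPT rule in INPUT that is not tied to an input interface; the rule lines are a hand-written sample shaped like what libvirt installs for a network on bridge virbr0, with one deliberately unbound rule appended.

```shell
#!/bin/sh
# Audit INPUT ACCEPT rules for DNS (53) and DHCP (67) and flag those that
# are not restricted to a specific input interface with "-i <iface>".
# Input format: lines as printed by `iptables -S INPUT`.

# Constructed sample; the first four rules mirror libvirt's per-bridge rules,
# the last one is a deliberately interface-less ACCEPT that should be flagged.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT'

# Reads rule lines on stdin, prints every INPUT ACCEPT rule for port 53/67
# that carries no "-i" match, and exits 1 if at least one was found.
# Note: a negated match ("! -i virbr0") also contains "-i " and so is treated
# as bound here; adjust the pattern if you use negated interface matches.
unbound_dns_dhcp_accepts() {
    awk '
        /^-A INPUT/ && /-j ACCEPT/ && /--dport (53|67)( |$)/ && !/-i [^ ]+/ {
            print
            n++
        }
        END { exit (n > 0) ? 1 : 0 }
    '
}

# Convenience wrapper taking the rule listing as a single string argument,
# e.g. check_rules "$(iptables -S INPUT)" on a real host.
check_rules() {
    printf '%s\n' "$1" | unbound_dns_dhcp_accepts
}

check_rules "$SAMPLE_RULES"
```

On a live host, `check_rules "$(iptables -S INPUT)"` gives the same answer that `iptables -L INPUT -v` shows by eye, without relying on someone remembering the `-v`.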