
(sorry, Daniel... I had only answered you instead of copying the list also) Daniel P. Berrange wrote on 01/04/09 09:41:
> On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
>> At first I used the 'default' network (with a different rfc1918 network)... everything was kinda working until I rebooted the host... at that point I lost connectivity between the outside world and the VMs. From inside the host I had no trouble connecting to the VMs.
>> If I restarted shorewall (which actually cleans all iptables rules and regenerates them according to its configuration) everything works fine. After sending a report and some debugging on the shorewall mailing list, it was clear that libvirt was adding rules to iptables.
>
> Yes, the libvirt virtual network capability adds iptables rules to control traffic to/from the virtual network.
>
>> After reading a bit (http://libvirt.org/formatnetwork.html#examplesPrivate) I created a new network called "isolated". I stopped default (and disabled its autostart), and defined and started isolated.
>> This is the content of isolated.xml:
>>
>>   <network>
>>     <name>isolated</name>
>>     <uuid>51cffbcc-88f5-4edc-a81c-1765c1045691</uuid>
>>     <bridge name='virbr%d' stp='on' forwardDelay='0' />
>>     <ip address='10.3.14.1' netmask='255.255.255.0'>
>>       <dhcp>
>>         <range start='10.3.14.128' end='10.3.14.254' />
>>       </dhcp>
>>     </ip>
>>   </network>
>>
>> I modified my VMs to use isolated rather than default, but rules keep being added to iptables when libvirt-bin is started.
>> Is there a way to convince libvirt not to add these rules?
>
> No, libvirt needs to add the rules here because otherwise the guest virtual network would not be guaranteed to be isolated from the host network.
>
> If this is a problem, then the best bet is to not use the virtual network capability. Instead create a bridge device yourself using distro network scripts, and do whatever routing/firewalling setup you need for shorewall to work.
>
> Daniel
I see... so I can't just ask libvirt to create the bridge for me and not touch the iptables rules... I chose "isolated" just hoping that would be the way of preventing the addition of iptables rules... The problem at this time is that the rules I see libvirt adding conflict with my rules (since they are inserted at the top of INPUT and FORWARD, before mine):

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  vnet0  vnet0   0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vnet0   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Well... for the time being, I think I'll add a "shorewall restart" at the end of rc.local, which will kill these rules and leave only the ones that shorewall generates...

-- 
Mariano Absatz - "El Baby"
el.baby@gmail.com
www.clueless.com.ar
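The ordering problem discussed in this thread (libvirt's rules landing ahead of the firewall's own rules in INPUT and FORWARD) is easy to check for mechanically. The following is an added example, not code from the thread, from libvirt or from shorewall: it parses the plain `iptables -L -n -v` listing, tags every rule whose in/out interface is a libvirt `vnetN` or `virbrN` device, and reports which of those rules sit above the first non-libvirt rule in each chain. The sample listing embeds the INPUT and FORWARD output posted above, plus one constructed `loc2net` rule per chain (a stand-in for a shorewall-generated rule, not real output) so the ordering check has something to compare against; the function and regex names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Listing as posted in the thread, with one CONSTRUCTED "loc2net" rule appended
# to each chain to represent a rule the admin's firewall script would have put there.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 loc2net    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  vnet0  vnet0   0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vnet0   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 loc2net    all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    chain: str
    index: int      # 1-based position in the chain, as `iptables -L --line-numbers` shows it
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str      # trailing match text such as "udp dpt:53" or "reject-with ..."


CHAIN_HEADER_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# pkts bytes target prot opt in out source destination [extra...]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
LIBVIRT_IF_RE = re.compile(r"^(vnet\d+|virbr\d+)$")


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -L -n -v` output into {chain_name: [Rule, ...]} in chain order."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for line in text.splitlines():
        header = CHAIN_HEADER_RE.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            _, _, target, proto, _opt, in_if, out_if, src, dst, extra = rule.groups()
            chains[current].append(
                Rule(current, len(chains[current]) + 1, target, proto,
                     in_if, out_if, src, dst, extra.strip())
            )
    return chains


def is_libvirt_rule(rule: Rule) -> bool:
    """A rule is attributed to libvirt if it names a vnetN or virbrN interface."""
    return bool(LIBVIRT_IF_RE.match(rule.in_if) or LIBVIRT_IF_RE.match(rule.out_if))


def libvirt_rules_ahead_of_others(chains: Dict[str, List[Rule]]) -> Dict[str, List[int]]:
    """For each chain, the positions of libvirt rules that precede the first non-libvirt rule.

    Those are the rules that will be evaluated before anything the admin's firewall
    script installed, which is exactly the conflict described in the thread.
    """
    report: Dict[str, List[int]] = {}
    for name, rules in chains.items():
        ahead: List[int] = []
        for rule in rules:
            if not is_libvirt_rule(rule):
                break           # first admin rule reached; anything after it is fine
            ahead.append(rule.index)
        report[name] = ahead
    return report


CHAINS = parse_listing(SAMPLE_LISTING)

if __name__ == "__main__":
    # In practice feed it: subprocess.run(["iptables", "-L", "-n", "-v"], ...).stdout
    for chain, positions in libvirt_rules_ahead_of_others(CHAINS).items():
        print(f"{chain}: libvirt rules at positions {positions} precede the first admin rule")
```

On a live host, replace `SAMPLE_LISTING` with the captured output of `iptables -L -n -v`; any chain whose reported list is non-empty has libvirt's rules shadowing the administrator's, which is the condition the "shorewall restart" workaround in the message above papers over.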