
On Mon, 2008-08-04 at 14:28 -0700, David Lutterkort wrote:
> On Thu, 2008-07-31 at 09:55 +0100, Daniel P. Berrange wrote:
> > The libvirt default networking capability will automatically set up the correct iptables rules to allow outbound NAT-based connectivity for guest VMs. If this wasn't working there are two likely causes:
> >
> > - You ran 'service iptables stop', which blew away the rules libvirt added
>
> This is a terrible situation; it will be a big surprise to many sysadmins and lead to lots of confusion.

Agreed.

> - Is this only temporary until iptables/lokkit has facilities for cleaner addition of persistent firewall rules?

There's no huge technical issue here AFAICS. We just need a hook for libvirt to persistently register its rules with iptables. The main objection seems to be the old "how do you prevent different sets of rules from conflicting" chestnut. I don't see that being a serious issue in practice - there are all sorts of other global namespaces that apps manage to share effectively.

Feel free to take a look at this; I lose motivation for fixing this every time I go back and discuss it with the maintainer:

  https://bugzilla.redhat.com/227011

The truly depressing aspect of all this is that any fix we come up with would be Fedora specific anyway - e.g. /etc/sysconfig/iptables.d

Cheers,
Mark.