On Mon, 2008-08-04 at 14:28 -0700, David Lutterkort wrote:
> On Thu, 2008-07-31 at 09:55 +0100, Daniel P. Berrange wrote:
> > The libvirt default networking capability will automatically set up the
> > correct iptables rules to allow outbound NAT based connectivity for guest
> > VMs. If this wasn't working there are two likely causes:
> >
> > - You run 'service iptables stop' which blew away the rules libvirt
> > added
>
> This is a terrible situation; it will be a big surprise to many
> sysadmins and lead to lots of confusion

Agreed.

> - is this only temporary until iptables/lokkit has facilities for
> cleaner addition of persistent firewall rules?
There's no huge technical issue here AFAICS. We just need a hook for
libvirt to persistently register its rules with iptables.
The main objection seems to be the old "how do you prevent different
sets of rules from conflicting" chestnut. I don't see that being a
serious issue in practice - there are all sorts of other global
namespaces that apps manage to share effectively.
Feel free to take a look at this; I lose motivation for fixing this
every time I go back and discuss it with the maintainer:
https://bugzilla.redhat.com/227011
The truly depressing aspect of all this is that any fix we come up with
would be Fedora specific anyway - e.g. /etc/sysconfig/iptables.d
Cheers,
Mark.
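As an added illustration of the first cause in Daniel's list (not code from the thread or from libvirt): a POSIX shell check that reads iptables-save output and reports whether the rules libvirt adds for its NAT default network are still loaded, so a flushed ruleset is recognised as such instead of being chased as a guest networking fault. It assumes the stock default network (bridge virbr0, guest subnet 192.168.122.0/24) and the general shape of libvirt's rules; both are assumptions, and the sample rulesets are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the thread. Detects whether the iptables rules that
# libvirt installs for its NAT-based default network are still loaded, e.g.
# after 'service iptables stop' has flushed them.
# Assumptions (not from the thread): bridge virbr0, guest subnet
# 192.168.122.0/24; compare with 'virsh net-dumpxml default' on your host.
GUEST_NET="192.168.122.0/24"
BRIDGE="virbr0"

# Reads 'iptables-save' output on stdin. Returns 0 if the three rules that
# give guests outbound NAT connectivity are present, 1 otherwise, naming
# each missing rule. (Dots in GUEST_NET act as grep wildcards; harmless here.)
libvirt_nat_rules_present() {
    dump=$(cat)
    missing=0
    # nat table: masquerade traffic leaving the guest subnet
    printf '%s\n' "$dump" | grep -q -e "-A POSTROUTING -s $GUEST_NET .*-j MASQUERADE" \
        || { echo "missing: MASQUERADE for $GUEST_NET"; missing=1; }
    # filter table: allow guest traffic in from the bridge ...
    printf '%s\n' "$dump" | grep -q -e "-A FORWARD .*-i $BRIDGE .*-j ACCEPT" \
        || { echo "missing: FORWARD accept from $BRIDGE"; missing=1; }
    # ... and replies back out to the bridge
    printf '%s\n' "$dump" | grep -q -e "-A FORWARD .*-o $BRIDGE .*-j ACCEPT" \
        || { echo "missing: FORWARD accept to $BRIDGE"; missing=1; }
    return $missing
}

# Convenience wrapper: check a ruleset held in a string.
check_dump() { printf '%s\n' "$1" | libvirt_nat_rules_present; }

# Constructed sample rulesets (shape follows libvirt's rules; not captured
# from a real host).
RULES_OK='*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT'
# What is left after 'service iptables stop': empty tables.
RULES_AFTER_STOP='*nat
COMMIT
*filter
COMMIT'

echo "before 'service iptables stop':"
check_dump "$RULES_OK" && echo "ok: guest NAT rules loaded"
echo "after 'service iptables stop':"
check_dump "$RULES_AFTER_STOP" \
    || echo "not ok: re-add the rules, e.g. 'virsh net-destroy default; virsh net-start default'"
```

On a live host, feed it the real ruleset with `iptables-save | libvirt_nat_rules_present`; restarting the libvirt network as shown re-adds the rules until a persistent registration hook of the kind discussed above exists.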