8:09 a.m.
Hi
I am right now undertaking a project which deals with verification of
firewall rules. I wish to know which applications/libraries modify/query
firewall rules. I came to know that libvirt modifies iptables rules. Can
anyone let me know for what purposes/how libvirt modifies the rules?
Thanks & Regards
Varrun Ramani
4:02 p.m.
Am 07.03.2010 15:09, schrieb Varrun Ramani:
I am right now undertaking a project which deals with verification
of
firewall rules. I wish to know which applications/libraries modify/query
firewall rules. I came to know that libvirt modifies iptables rules. Can
anyone let me know for what purposes/how libvirt modifies the rules?
I suggest you look through the archives, the topic comes up pretty regularly.
Bottom line:
- It should 'just work' for most users.
- iptables modification are considered safe, more complex setups are out of
scope for libvirt.
example thread (with patch to disable iptables)
http://thread.gmane.org/gmane.comp.emulators.libvirt/19438/focus=19456
fs
1:25 p.m.
On Mon, 2010-03-08 at 23:02 +0100, Felix Schwarz wrote:
Am 07.03.2010 15:09, schrieb Varrun Ramani:
> I am right now undertaking a project which deals with verification of
> firewall rules. I wish to know which applications/libraries modify/query
> firewall rules. I came to know that libvirt modifies iptables rules. Can
> anyone let me know for what purposes/how libvirt modifies the rules?
I suggest you look through the archives, the topic comes up pretty regularly.
Bottom line:
- It should 'just work' for most users.
- iptables modification are considered safe, more complex setups are out of
scope for libvirt.
How do you define 'safe' in this context ?
David
11:42 a.m.
On Sun, Mar 07, 2010 at 07:39:59PM +0530, Varrun Ramani wrote:
Hi
I am right now undertaking a project which deals with verification of
firewall rules. I wish to know which applications/libraries modify/query
firewall rules. I came to know that libvirt modifies iptables rules. Can
anyone let me know for what purposes/how libvirt modifies the rules?
The 'virtual network' functionality in libvirt sets up a isolated bridge
device, to which guests are connected. libvirt uses iptables to control
what happens to traffic on that bridge device. Either we stop it leaving
the bridge entirely (only VM<->VM and VM<->host), or allow it to get to
the LAN either routing a subnet, or using NAT to masquerade it. The
rules are written such that they only match traffic relating to the
configured bridge device in libvirt, so they shouldn't expose the rest of
the host interfaces to any new traffic risks
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
5402
days inactive
5410
days old
3 comments
4 participants
participants (4)
-
Daniel P. Berrange -
David Lutterkort -
Felix Schwarz -
Varrun Ramani