Michal Privoznik <mprivozn(a)redhat.com> wrote:
> On 10/18/2018 10:14 AM, Daniel P. Berrangé wrote:
>> On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote:
>>> Hi everyone,
>>>
>>> I use Debian 9.5 Stretch and NFTABLES as a firewall.
>>> Using NFTABLES together with IPTABLES is not recommended,
>>> but libvirt depends on IPTABLES.
>>>
>>> Is it safe to run libvirt + kvm + virsh without IPTABLES?
>>>
>>> By the doc https://libvirt.org/firewall.html,
>>> IPTABLES are used for setting up filtering which I do not need.
>>
>> Currently it is *NOT* ok.
> Pardon me if I misread the question but I think Roman is actually
> asking if he turns off iptables in libvirt.
Thank you Michal, you said it exactly.
I only use nftables.
I need to remove iptables and set libvirt to work without them.
> Well, that would work but
> all the forwarding rules, rules that prevent one domain from seeing
> traffic of the other, etc. - you would have to do them yourself. Or
> trust your guests.
Yes, I understand and I will create rules manually with NFTABLES.
And I also manage all kvm guests.
I've found some tips on how to "turn off" iptables in libvirt:

  virsh net-destroy default
  virsh net-autostart --disable default

Is this the right and safe way to remove all dependency on iptables?
Thank you,
Roman
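As an added illustration (not part of the thread, and not libvirt's own code) of the forwarding and NAT rules Michal says you would have to recreate by hand: the script below generates an nftables ruleset that mirrors what libvirt installs for its default NAT network. It assumes the default bridge name virbr0 and subnet 192.168.122.0/24 (both overridable); apply it on the host with `libvirt_nft_ruleset | nft -f -` after the default network has been destroyed.

```shell
#!/bin/sh
# Constructed example: emit an nftables (ip family) ruleset equivalent to the
# iptables rules libvirt adds for its default NAT network. Bridge name and
# subnet are assumptions matching libvirt's defaults; pass others as $1 / $2.
libvirt_nft_ruleset() {
    br="${1:-virbr0}"
    net="${2:-192.168.122.0/24}"
    cat <<EOF
table ip libvirt_nat {
    chain input {
        type filter hook input priority filter; policy accept;
        # dnsmasq listening on the bridge: DNS (53) and DHCP (67)
        iifname "$br" udp dport { 53, 67 } accept
        iifname "$br" tcp dport { 53, 67 } accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # replies to connections the guests opened
        oifname "$br" ip daddr $net ct state related,established accept
        # guests may initiate traffic to the outside
        iifname "$br" ip saddr $net accept
        # guest-to-guest traffic on the same bridge
        iifname "$br" oifname "$br" accept
        # everything else to or from the bridge is rejected
        oifname "$br" reject with icmp type port-unreachable
        iifname "$br" reject with icmp type port-unreachable
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # no NAT for multicast, broadcast or guest-to-guest traffic
        ip saddr $net ip daddr { 224.0.0.0/24, 255.255.255.255 } return
        ip saddr $net ip daddr $net return
        # masquerade, keeping source ports out of the privileged range
        ip saddr $net meta l4proto { tcp, udp } masquerade to :1024-65535
        ip saddr $net masquerade
    }
}
EOF
}
```

Run `nft list table ip libvirt_nat` afterwards to confirm the chains were loaded.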