[fedora-virt] virbr0 messing with iptables rules?
Mark McLoughlin
markmc at redhat.com
Fri Oct 23 11:04:09 UTC 2009
On Wed, 2009-10-21 at 13:47 +0200, Kenni Lund wrote:
> Hi
>
> I just did a full system update on my F11 server, but after a reboot,
> new rules were appended to my iptables setup.
>
> The iptables and ip6tables services are both disabled:
> # chkconfig |grep ip.*tables
> ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
> iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
>
> I set my iptables rules in a custom firewall script in /etc/rc.local,
> which starts out by flushing all rules.
> E.g. if I run the script manually after boot, it will "fix" the issue.
>
> The extra rules appended are:
> -----
> Chain INPUT (policy DROP)
> target     prot opt source            destination
> ACCEPT     udp  --  anywhere          anywhere          udp dpt:domain
> ACCEPT     tcp  --  anywhere          anywhere          tcp dpt:domain
> ACCEPT     udp  --  anywhere          anywhere          udp dpt:bootps
> ACCEPT     tcp  --  anywhere          anywhere          tcp dpt:bootps
>
> Chain FORWARD (policy DROP)
> target     prot opt source            destination
> ACCEPT     all  --  anywhere          192.168.122.0/24  state RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.122.0/24  anywhere
> ACCEPT     all  --  anywhere          anywhere
> REJECT     all  --  anywhere          anywhere          reject-with icmp-port-unreachable
> REJECT     all  --  anywhere          anywhere          reject-with icmp-port-unreachable
> -----
>
> I suppose that these rules are related to libvirt, since I have a
> virbr0 interface with the IP address 192.168.122.1. Apparently the
> update changed something, so these firewall rules are appended after
> /etc/rc.local runs my custom firewall script.
>
> What is the correct solution to this? In general, isn't it a bad
> design decision to have a service mess with the iptables rules,
> instead of doing this through the iptables/ip6tables services? I would
> not expect other services to mess with my rules, when I explicitly
> disabled the built-in iptables services.
Yeah, we're not happy with the way we're integrating with iptables. We
proposed one way of doing it and tried out the counter-proposal, but
we're back to square one again. The whole saga is documented here:
https://bugzilla.redhat.com/227011
> I only use bridged networking for my virtual machines, so I don't
> suppose that I need the virbr0 interface after all. Can I disable it
> somewhere?
This should do it:
$> virsh net-destroy default
$> virsh net-autostart --disable default
Cheers,
Mark.
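Added example (not part of the thread, and not libvirt's own tooling): a small script that checks iptables output for the rules the libvirt default network adds for virbr0, and wraps the two virsh commands from the reply behind a dry-run switch. The sample rule text is constructed from the rules quoted above; the `RUN` variable and the `--check` flag are this script's own conventions.

```shell
#!/bin/sh
# Constructed sample, modelled on the iptables -L output quoted in the thread.
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source            destination
ACCEPT     udp  --  anywhere          anywhere          udp dpt:domain
ACCEPT     tcp  --  anywhere          anywhere          tcp dpt:domain
ACCEPT     udp  --  anywhere          anywhere          udp dpt:bootps
ACCEPT     tcp  --  anywhere          anywhere          tcp dpt:bootps

Chain FORWARD (policy DROP)
target     prot opt source            destination
ACCEPT     all  --  anywhere          192.168.122.0/24  state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24  anywhere
ACCEPT     all  --  anywhere          anywhere
REJECT     all  --  anywhere          anywhere          reject-with icmp-port-unreachable
REJECT     all  --  anywhere          anywhere          reject-with icmp-port-unreachable'

# Print the rules in $1 (iptables -L text) carrying the default network's
# signature: DNS/DHCP accepts (dnsmasq on virbr0) and the 192.168.122.0/24 subnet.
libvirt_rules() {
    printf '%s\n' "$1" | grep -E '192\.168\.122\.0/24|dpt:(domain|bootps)'
}

# Count such rules; prints 0 and succeeds when none are found.
count_libvirt_rules() {
    libvirt_rules "$1" | grep -c . || true
}

# Live check against the running firewall (needs root and iptables).
check_live_firewall() {
    count_libvirt_rules "$(iptables -L 2>/dev/null)"
}

# Stop the default network now and keep it from starting at boot, as in the
# reply. Only prints the commands unless RUN=1 is set in the environment.
disable_default_net() {
    for cmd in 'virsh net-destroy default' 'virsh net-autostart --disable default'; do
        if [ "${RUN:-0}" = 1 ]; then $cmd; else echo "would run: $cmd"; fi
    done
}

if [ "${1:-}" = "--check" ]; then
    echo "libvirt default-network rules present: $(check_live_firewall)"
    disable_default_net
fi
```

Run with `--check` as root to see how many such rules the live firewall carries; set `RUN=1` to actually apply the two virsh commands.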