[Libvir] Persistence / re-instate of iptables rules

Daniel P. Berrange berrange at redhat.com
Wed Mar 21 03:18:11 UTC 2007


With the virtual networking capability we have to add various rules to the
iptables chains to ensure that outgoing connections are forwarded + NATed
to the physical LAN. Now if the user does 'service iptables restart' these
rules are lost until you restart the VM. This obviously sucks.

We've been exploring the possibility of adapting the Fedora / RHEL iptables
scripts to allow user-defined chains which are automatically restored from
a 'safe' config file during a restart. This is not present in FC6 / RHEL5
or even F6 yet, nor does it help non-Fedora users.

We already have ability to add / remove rules from iptables, so I was 
wondering how hard it would be to list existing rules. From there we can
look at existing rules to see if our virtual network forwarding/NAT rules
were missing. The idea being that a simple 'killall -SIGHUP libvirt_qemud'
could trigger libvirt to check & re-add the iptables rules if missing. 

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
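An added example (not code from the original message or from libvirt) of the check Dan proposes above: parse the output of `iptables-save`, compare it against the rules the virtual network needs, and produce the iptables commands to re-add whatever is missing, which is what a SIGHUP handler would run. The interface name virbr0, the 192.168.122.0/24 subnet, the exact rule arguments and the sample `iptables-save` output are assumptions constructed for illustration. Compare against the form your own iptables version prints: older releases wrote `-d ! addr` with dotted netmasks rather than `! -d addr/24`, and a rule will look "missing" if the expected string is not normalised to that form.

```python
"""Detect missing virtual-network NAT/forwarding rules in a live iptables
rule set and build the commands that re-add them.

Constructed example: interface virbr0, subnet 192.168.122.0/24 and the rule
arguments below are assumptions for illustration, not from the original
message.  Input is the text format written by `iptables-save`."""
import shlex
import subprocess

# Rules the virtual network needs: (table, chain, arguments as iptables-save
# prints them).  Match against the *saved* form, because iptables-save may
# render a rule differently from the way it was typed on the command line.
EXPECTED_RULES = [
    ("nat", "POSTROUTING",
     "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE"),
    ("filter", "FORWARD",
     "-d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT"),
    ("filter", "FORWARD", "-s 192.168.122.0/24 -i virbr0 -j ACCEPT"),
    ("filter", "FORWARD", "-i virbr0 -o virbr0 -j ACCEPT"),
]

# Constructed iptables-save output (assumed): the FORWARD rules survived a
# 'service iptables restart' but the POSTROUTING MASQUERADE rule was lost.
SAMPLE_SAVE = """\
# Generated by iptables-save v1.3.5
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return {(table, chain): [argument tuples]} from iptables-save output.
    Only '*table', '-A chain ...' and 'COMMIT' lines carry rules; comments
    and ':CHAIN policy [pkts:bytes]' lines are skipped."""
    rules = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A ") and table is not None:
            tokens = shlex.split(line)
            chain, args = tokens[1], tuple(tokens[2:])
            rules.setdefault((table, chain), []).append(args)
    return rules


def missing_rules(save_text, expected=EXPECTED_RULES):
    """Return the expected rules that are absent from the saved rule set,
    comparing token-by-token so whitespace differences do not matter."""
    present = parse_iptables_save(save_text)
    return [(table, chain, args) for table, chain, args in expected
            if tuple(shlex.split(args)) not in present.get((table, chain), [])]


def reinstate_commands(missing):
    """Build the iptables invocations that re-add each missing rule.  Rules
    are inserted at position 1 so a distribution's catch-all REJECT at the
    end of FORWARD cannot shadow them."""
    return [["iptables", "-t", table, "-I", chain, "1"] + shlex.split(args)
            for table, chain, args in missing]


def check_live_ruleset(run=subprocess.run):
    """Read the live rule set (requires root) and return the missing rules.
    `run` is injectable so the logic can be exercised without iptables."""
    out = run(["iptables-save"], capture_output=True, text=True,
              check=True).stdout
    return missing_rules(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: one rule is missing.
    for cmd in reinstate_commands(missing_rules(SAMPLE_SAVE)):
        print(" ".join(cmd))
```

In a daemon, a SIGHUP handler would call `check_live_ruleset()` and run each command from `reinstate_commands()` via `subprocess.run(cmd, check=True)`; the comparison is deliberately exact on the saved form, so a rule that was re-added with slightly different arguments would be flagged and a duplicate inserted, which is the safer failure for a connectivity check but worth logging.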