[Libvir] Persistence / re-instate of iptables rules

Mark McLoughlin markmc at redhat.com
Wed Mar 21 13:58:36 UTC 2007


Hey,
	Just for reference ...

On Wed, 2007-03-21 at 03:18 +0000, Daniel P. Berrange wrote:
> With the virtual networking capability we have to add various rules to the
> iptables chains to ensure that outgoing connections are forwarded + NATed
> to the physical LAN. Now if the user does 'service iptables restart' these
> rules are lost until you restart the VM. This obviously sucks.
> 
> We've been exploring the possibility of adapting the Fedora / RHEL iptables
> scripts to allow user-defined chains which are automatically restored from
> a 'safe' config file during a restart. This is not present in FC6 / RHEL5
> or even F6 yet, nor does it help non-Fedora users.

	Here's the bug on this:

  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227011

> We already have ability to add / remove rules from iptables, so I was 
> wondering how hard it would be to list existing rules. From whence we can
> look at existing rules to see if our virtual network forwarding/NAT rules
> were missing. The idea being that a simple 'killall -SIGHUP libvirt_qemud'
> could trigger libvirt to check & re-add the iptables rules if missing. 

	I sent on a patch in another mail to do this.

Cheers,
Mark.
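The check Daniel describes (look at the live rules, see which virtual-network forwarding/NAT rules are missing, re-add them) as an added example; this is not libvirt code or the patch Mark refers to. It works from iptables-save output rather than a library call, and the 192.168.122.0/24 subnet, the virbr0 bridge and both snapshots are constructed sample values.

```python
import shlex

# Constructed iptables-save snapshots (sample addresses/interface, not libvirt's
# own): before 'service iptables restart' the virtual-network rules are there ...
SAVED_BEFORE = """\
*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
"""
# ... and afterwards only the distribution's own rules survive.
SAVED_AFTER = """\
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# Rules the daemon wants present, as (table, rule) in iptables-save's canonical form.
EXPECTED = [
    ("nat", "-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE"),
    ("filter", "-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT"),
    ("filter", "-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT"),
]

def parse_iptables_save(text):
    """Map table name -> set of rules (token tuples). '*name' opens a table,
    '-A ...' lines are rules, COMMIT closes it; chain lines and counters are skipped."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, set())
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A") and table is not None:
            tables[table].add(tuple(shlex.split(line)))
    return tables

def missing_rules(saved_text, expected):
    """Return the iptables commands that would re-add every expected rule
    absent from the saved ruleset (empty list when nothing is missing).
    Matching is exact on tokens, so write expected rules the way
    iptables-save prints them."""
    present = parse_iptables_save(saved_text)
    return [f"iptables -t {table} {rule}" for table, rule in expected
            if tuple(shlex.split(rule)) not in present.get(table, set())]
```

A SIGHUP handler would feed `iptables-save` output to `missing_rules` and run the returned commands; note that `-A` appends, so rule order within FORWARD is only preserved if the whole set was lost together.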
