[libvirt] default networking issues

Mark McLoughlin markmc at redhat.com
Thu Aug 7 11:24:50 UTC 2008


On Mon, 2008-08-04 at 14:28 -0700, David Lutterkort wrote:
> On Thu, 2008-07-31 at 09:55 +0100, Daniel P. Berrange wrote:
> > The libvirt default networking capability will automatically set up the
> > correct iptables rules to allow outbound NAT based connectivity for guest
> > VMs. If this wasn't working there are two likely causes:
> > 
> >  - You run 'service iptables stop' which blew away the rules libvirt
> >    added
> 
> This is a terrible situation; it will be a big surprise to many
> sysadmins and lead to lots of confusion.

Agreed.

>  - is this only temporary until iptables/lokkit has facilities for
> cleaner addition of persistent firewall rules?

There's no huge technical issue here AFAICS. We just need a hook for
libvirt to persistently register its rules with iptables.

The main objection seems to be the old "how do you prevent different
sets of rules from conflicting" chestnut. I don't see that being a
serious issue in practice - there are all sorts of other global
namespaces that apps manage to share effectively.

Feel free to take a look at this; I lose motivation for fixing this
every time I go back and discuss it with the maintainer:

  https://bugzilla.redhat.com/227011

The truly depressing aspect of all this is that any fix we come up with
would be Fedora specific anyway - e.g. /etc/sysconfig/iptables.d.

Cheers,
Mark.