[libvirt] default networking issues
Mark McLoughlin
markmc at redhat.com
Thu Aug 7 11:24:50 UTC 2008
On Mon, 2008-08-04 at 14:28 -0700, David Lutterkort wrote:
> On Thu, 2008-07-31 at 09:55 +0100, Daniel P. Berrange wrote:
> > The libvirt default networking capability will automatically setup the
> > correct iptables rules to allow outbound NAT based connectivity for guest
> > VMs. If this wasn't working there are two likely causes:
> >
> > - You run 'service iptables stop' which blew away the rules libvirt
> > added
>
> This is a terrible situation; it will be a big surprise to many
> sysadmins and lead to lots of confusion
Agreed.
> - is this only temporary until iptables/lokkit has facilities for
> cleaner addition of persistent firewall rules ?
There's no huge technical issue here AFAICS. We just need a hook for
libvirt to persistently register its rules with iptables.
The main objection seems to be the old "how do you prevent different
sets of rules from conflicting" chestnut. I don't see that being a
serious issue in practice - there are all sorts of other global
namespaces that apps manage to share effectively.
Feel free to take a look at this; I lose motivation for fixing this
every time I go back and discuss it with the maintainer:
https://bugzilla.redhat.com/227011
The truly depressing aspect of all this is that any fix we come up with
would be Fedora specific anyway - e.g. /etc/sysconfig/iptables.d
Cheers,
Mark.
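An added example, not part of the thread above and not libvirt's own code: a small POSIX shell check that reads iptables-save output and reports whether the rules libvirt adds for its default NAT network are still loaded (i.e. whether something like 'service iptables stop' flushed them), plus the commands that put a missing one back. It assumes libvirt's default subnet 192.168.122.0/24 on bridge virbr0 and matches the rules with loose grep patterns, so adjust both for a host that differs.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether the iptables rules that
# libvirt installs for its default NAT network are still loaded, and print the
# commands that reinstall any that 'service iptables stop' flushed.
# Assumed: default network 192.168.122.0/24 on bridge virbr0 (libvirt defaults).
NET="192.168.122.0/24"
BR="virbr0"

# Reads iptables-save output on stdin; prints "present" if all three core
# rules are loaded, else "missing:" followed by a name per absent rule.
check_libvirt_nat() {
    dump=$(cat)
    missing=""
    # nat/POSTROUTING: masquerade guest traffic leaving the subnet
    printf '%s\n' "$dump" | grep -q -e "-A POSTROUTING -s $NET .*-j MASQUERADE" \
        || missing="$missing masquerade"
    # filter/FORWARD: guests may send out via the bridge
    printf '%s\n' "$dump" | grep -q -e "-A FORWARD -s $NET -i $BR -j ACCEPT" \
        || missing="$missing forward-out"
    # filter/FORWARD: established/related replies may return to the bridge
    printf '%s\n' "$dump" | grep -q -e "-A FORWARD -d $NET -o $BR .*-j ACCEPT" \
        || missing="$missing forward-in"
    [ -z "$missing" ] && echo present || echo "missing:$missing"
}

# Maps a rule name from check_libvirt_nat to the iptables command that restores it.
restore_cmd() {
    case "$1" in
        masquerade)  echo "iptables -t nat -A POSTROUTING -s $NET ! -d $NET -j MASQUERADE" ;;
        forward-out) echo "iptables -A FORWARD -s $NET -i $BR -j ACCEPT" ;;
        forward-in)  echo "iptables -A FORWARD -d $NET -o $BR -m state --state RELATED,ESTABLISHED -j ACCEPT" ;;
        *) echo "unknown rule: $1" >&2; return 1 ;;
    esac
}

# Constructed iptables-save extracts: rules loaded, and the same host after a flush.
SAMPLE_OK='*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT'
SAMPLE_FLUSHED='*nat
COMMIT
*filter
COMMIT'
printf '%s\n' "$SAMPLE_OK" | check_libvirt_nat       # present
printf '%s\n' "$SAMPLE_FLUSHED" | check_libvirt_nat  # missing: masquerade forward-out forward-in
```

On a real host run `iptables-save | check_libvirt_nat` as root, and feed each reported name to `restore_cmd` to see what would have to be re-added.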