[libvirt] How to prevent libvirt from adding iptables rules?

Daniel P. Berrange berrange at redhat.com
Thu Apr 2 09:59:45 UTC 2009

On Thu, Apr 02, 2009 at 10:16:13AM +0200, Ludwig Nussel wrote:
> Daniel P. Berrange wrote:
> > On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
> > > [...]
> > > I modified my VMs to use isolated rather than default, but rules keep 
> > > being added to iptables when libvirt-bin is started.
> > > 
> > > Is there a way to convince libvirt not to add these rules?
> > 
> > No, libvirt needs to add the rules here because otherwise the guest
> > virtual network would not be guarenteed to be isolated from the host
> > network.
> Messing with iptables rules isn't guaranteed to work either. Esp if the
> existing firewall is re-run. SuSEfirewall2 for example runs when
> interfaces come or go so it will kill any rules that someone added
> behind it's back.

We have a similar issue with the Fedora equivalent of SuSSfirewall, and
it provides a mechanism for us to register the set of rules we want, so
when it is re-run, it re-adds our rules.

As a failsafe, sending SIGHUP to libvirtd will make it re-add its rules
so if there's some post-config hook for SuSEfirewall, it could be made
to SIGHUP the libvirtd daemon.

> What kind of iptables rules do you need to install?

It depends on the particular config, but it is adding sets of rules
against the IP range & bridge device config for the interface we add
to allow / disallow forwarding of traffic.

|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list