[libvirt] How to prevent libvirt from adding iptables rules?
Daniel P. Berrange
berrange at redhat.com
Thu Apr 2 09:59:45 UTC 2009
On Thu, Apr 02, 2009 at 10:16:13AM +0200, Ludwig Nussel wrote:
> Daniel P. Berrange wrote:
> > On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
> > > [...]
> > > I modified my VMs to use isolated rather than default, but rules keep
> > > being added to iptables when libvirt-bin is started.
> > >
> > > Is there a way to convince libvirt not to add these rules?
> > No, libvirt needs to add the rules here because otherwise the guest
> > virtual network would not be guaranteed to be isolated from the host
> > network.
> Messing with iptables rules isn't guaranteed to work either. Esp. if the
> existing firewall is re-run. SuSEfirewall2 for example runs when
> interfaces come or go so it will kill any rules that someone added
> behind its back.
We have a similar issue with the Fedora equivalent of SuSEfirewall, and
it provides a mechanism for us to register the set of rules we want, so
when it is re-run, it re-adds our rules.
As a failsafe, sending SIGHUP to libvirtd will make it re-add its rules
so if there's some post-config hook for SuSEfirewall, it could be made
to SIGHUP the libvirtd daemon.
> What kind of iptables rules do you need to install?
It depends on the particular config, but it is adding sets of rules
against the IP range & bridge device config for the interface we add
to allow / disallow forwarding of traffic.
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
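The post-config hook Daniel suggests above, written out as an added example (this script is not from the thread and not part of libvirt or SuSEfirewall2). It checks whether libvirt's FORWARD rules for a bridge survived a firewall reload and, only if they are gone, sends SIGHUP to libvirtd so it re-adds them. The pidfile location `/var/run/libvirtd.pid`, the bridge name `virbr1` and the two `iptables -S` dumps are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example hook (not from the thread): run after the host firewall
# script reloads. Checks whether libvirt's FORWARD rules for a bridge
# survived and, if not, sends SIGHUP to libvirtd so it re-adds them.

# Constructed sample of `iptables -S FORWARD` output on a host where an
# isolated libvirt network on virbr1 still has its rules in place.
SAMPLE_ISOLATED='-P FORWARD ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample after a firewall script flushed the chain and only
# re-added its own rules; virbr10 is there to show it must not match virbr1.
SAMPLE_NO_RULES='-P FORWARD DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i virbr10 -o virbr10 -j ACCEPT'

# libvirt_rules_present BRIDGE   (reads `iptables -S` output on stdin)
# Returns 0 if any FORWARD rule names the bridge as in- or out-interface,
# 1 otherwise. The trailing ( |$) keeps virbr1 from matching virbr10.
libvirt_rules_present() {
    grep -qE "^-A FORWARD .*-[io] $1( |\$)"
}

# count_bridge_rules BRIDGE   (stdin as above)
# Prints the number of matching rules, useful for logging how much of
# libvirt's ruleset the firewall reload removed. Always exits 0.
count_bridge_rules() {
    grep -cE "^-A FORWARD .*-[io] $1( |\$)" || true
}

# resync_libvirt_rules BRIDGE [PIDFILE]
# PIDFILE defaults to /var/run/libvirtd.pid, an assumed location; adjust it
# for your distribution. Needs root for iptables and for signalling libvirtd.
resync_libvirt_rules() {
    bridge="$1"
    pidfile="${2:-/var/run/libvirtd.pid}"
    if iptables -S FORWARD | libvirt_rules_present "$bridge"; then
        echo "libvirt rules for $bridge intact, nothing to do"
        return 0
    fi
    if [ ! -r "$pidfile" ]; then
        echo "libvirt rules for $bridge missing but $pidfile is unreadable" >&2
        return 2
    fi
    echo "libvirt rules for $bridge missing, sending SIGHUP to libvirtd"
    kill -HUP "$(cat "$pidfile")"
}

# Usage: sh libvirt-resync-hook.sh virbr1 [/path/to/libvirtd.pid]
# Nothing runs unless a bridge name is given, so the file can be sourced.
if [ -n "${1:-}" ]; then
    resync_libvirt_rules "$1" "${2:-}"
fi
```

Only signalling when the rules are actually missing avoids a HUP on every interface event; the check is deliberately narrow (FORWARD rules naming the bridge) because that is where the isolation guarantee Daniel describes lives, so a firewall reload that keeps those but drops NAT rules would still need a broader check.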