[libvirt] How to prevent libvirt from adding iptables rules?

Thomas Woerner twoerner at redhat.com
Wed Apr 15 13:53:40 UTC 2009


Daniel P. Berrange wrote:
> On Mon, Apr 06, 2009 at 02:36:16PM +0200, Ludwig Nussel wrote:
>> Daniel P. Berrange wrote:
>>> On Thu, Apr 02, 2009 at 10:16:13AM +0200, Ludwig Nussel wrote:
>>>> Daniel P. Berrange wrote:
>>>>> On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
>>>>>> [...]
>>>>>> I modified my VMs to use isolated rather than default, but rules keep
>>>>>> being added to iptables when libvirt-bin is started.
>>>>>>
>>>>>> Is there a way to convince libvirt not to add these rules?
>>>>> No, libvirt needs to add the rules here because otherwise the guest
>>>>> virtual network would not be guaranteed to be isolated from the host
>>>>> network.
>>>> Messing with iptables rules isn't guaranteed to work either. Esp if the
>>>> existing firewall is re-run. SuSEfirewall2 for example runs when
>>>> interfaces come or go so it will kill any rules that someone added
>>>> behind its back.
>>> We have a similar issue with the Fedora equivalent of SuSEfirewall, and
>>> it provides a mechanism for us to register the set of rules we want, so
>>> when it is re-run, it re-adds our rules.
>> SuSEfirewall2 does not have such a mechanism and TBH I pretty much
>> dislike the idea of allowing applications to inject arbitrary rules.
>> I'd prefer some higher level abstraction so it's left to the
>> firewall to decide how to translate the request into actual iptables
>> rules (or whatever else technology is used in the background).
> 
> I don't much like it either, but currently there isn't any other viable
> way to provide good network connectivity out of the box, with zero
> configuration required by the user. In the perfect world we could
> delegate setup to NetworkManager, and indeed NM's latest connection
> sharing capabilities do very similar things with iptables that
> libvirt does - we worked with the NM developers to make sure our
> stuff was compatible. So there's potential for more work with NM if
> someone's interested in pursuing that direction.
> 
> Daniel

Can you please define the requirements for a firewall interface for libvirt?

Thomas
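
The thread's concern is that a distribution firewall script re-running on interface changes silently drops the rules libvirt relies on for an isolated network. The check below is an added example, not code from libvirt or from anyone in this thread: it parses iptables-save output and reports which isolation properties are no longer enforced for a bridge. The bridge name virbr1 and the rule shapes in the constructed dumps are assumptions modelled on libvirt's usual pattern, not taken from the thread.

```python
# Constructed sample: iptables-save output while libvirt's rules for an
# isolated network on bridge virbr1 (assumed name) are in place.
DUMP_WITH_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Constructed sample: the same host after a firewall script flushed and
# rebuilt the filter table behind libvirt's back.
DUMP_AFTER_FLUSH = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def forward_rules(dump, bridge):
    """Return filter-table FORWARD rules whose -i or -o is `bridge`."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith("-A FORWARD "):
            toks = line.split()
            if any(toks[i] in ("-i", "-o") and toks[i + 1] == bridge
                   for i in range(len(toks) - 1)):
                rules.append(line)
    return rules

def isolation_gaps(dump, bridge):
    """List the isolation properties not found in the FORWARD chain.

    An isolated network needs guest-to-guest traffic on the bridge allowed
    and traffic between the bridge and any other interface rejected. This is
    a pattern match on the rules, not a simulation of chain evaluation.
    """
    rules = forward_rules(dump, bridge)
    have = {
        "intra_bridge_allowed": any(f"-i {bridge} -o {bridge} " in r
                                    and r.endswith("ACCEPT") for r in rules),
        "inbound_rejected": any(f"-o {bridge} -j REJECT" in r for r in rules),
        "outbound_rejected": any(f"-i {bridge} -j REJECT" in r for r in rules),
    }
    return sorted(k for k, ok in have.items() if not ok)

if __name__ == "__main__":
    for name, dump in (("fresh", DUMP_WITH_RULES), ("after flush", DUMP_AFTER_FLUSH)):
        gaps = isolation_gaps(dump, "virbr1")
        print(f"{name}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

On a real host, feed it the output of `iptables-save` after a firewall reload to see whether libvirt's rules survived.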
