[libvirt] How to prevent libvirt from adding iptables rules?

Mariano Absatz el.baby at gmail.com
Wed Apr 1 11:24:00 UTC 2009


I'm sorry... is this not the right place to ask this kind of
questions? Is there another more user-oriented list or forum?

TIA

On Tue, Mar 31, 2009 at 16:08, Mariano Absatz <el.baby at gmail.com> wrote:
> Hi,
>
> I'm new to libvirt but not a complete neophyte.
>
> I'm using libvirt and kvm in ubuntu with "vmbuilder".
>
> I'm creating a couple of VMs inside a host that is directly connected to
> the internet with a public routable address. Since I only have one public
> address, I won't use bridging.
>
> I'm using shorewall (www.shorewall.net) to configure my iptables rules.
>
> I intend to use DNAT to route specific ports in the host to one or another VM.
>
> With standard masquerading, I give the VMs access to the outside world.
>
> At first I used the 'default' network (with a different rfc1918 network)...
> everything was kinda working until I rebooted the host... at that point I
> lost connectivity between the outside world and the VMs. From inside the
> host I had no trouble connecting to the VMs.
>
> If I restarted shorewall (which actually cleans all iptables rules and
> regenerates them according to its configuration) everything works fine. After
> sending a report and some debugging in the shorewall mailing list, it was
> clear that libvirt was adding rules to iptables.
>
> After reading a bit (http://libvirt.org/formatnetwork.html#examplesPrivate)
> I created a new network called "isolated". I stopped default (and disabled
> its autostart), and defined and started isolated.
>
> This is the content of isolated.xml:
> <network>
>  <name>isolated</name>
>  <uuid>51cffbcc-88f5-4edc-a81c-1765c1045691</uuid>
>  <bridge name='virbr%d' stp='on' forwardDelay='0' />
>  <ip address='10.3.14.1' netmask='255.255.255.0'>
>   <dhcp>
>     <range start='10.3.14.128' end='10.3.14.254' />
>   </dhcp>
>  </ip>
> </network>
>
> I modified my VMs to use isolated rather than default, but rules keep being
> added to iptables when libvirt-bin is started.
>
> Is there a way to convince libvirt not to add these rules?
>
> Feel free to ask for any data that I didn't send here.
>
> TIA.

-- 
Mariano Absatz - El Baby
www.clueless.com.ar
#########################

"An archaeologist is the best husband a woman can have. The older she
gets the more intereste...
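An added example, not part of the thread above and not libvirt's own tooling: a small shell check for seeing exactly which iptables rules reference a libvirt bridge (the practical way to confirm what the poster observed), followed by a network definition in libvirt's `open` forward mode, which is the supported way to make libvirt install no firewall rules at all. The `iptables-save` dump below is constructed for the example and modelled on the rules libvirt adds for an isolated network (DHCP and DNS accepted on the bridge, forwarding in and out of it rejected), plus one unrelated host rule. `open` mode requires libvirt 2.2.0 or newer; the 2009-era libvirt in the thread had no equivalent. Note that with `open` mode libvirt also stops adding the INPUT rules that let guests reach dnsmasq, so the host firewall (shorewall in the poster's case) must itself accept UDP/TCP 67 and 53 on the bridge.

```shell
#!/bin/sh
# Added example (not from the original thread): list the iptables rules that
# touch a libvirt bridge, and write a network definition that adds none.

# CONSTRUCTED sample of `iptables-save` output. On a real host replace it with:
#   iptables-save > /tmp/dump.txt
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Print every rule on stdin whose in- or out-interface is the given bridge.
# Usage: iptables-save | rules_for_bridge virbr0
rules_for_bridge() {
    # "--" stops grep from treating the pattern's leading "-" as an option;
    # the trailing space keeps virbr0 from also matching virbr01.
    grep -- "-[io] $1 " || true
}

# Count those rules (awk always exits 0, so this is safe under `set -e`).
# Usage: iptables-save | count_rules_for_bridge virbr0
count_rules_for_bridge() {
    awk -v b="$1" 'match($0, "-[io] " b " ") { n++ } END { print n + 0 }'
}

# Write a network definition that makes libvirt add no iptables rules:
# forward mode "open" (libvirt >= 2.2.0). libvirt still runs dnsmasq for the
# DHCP range, but the host firewall must now allow DHCP/DNS on the bridge.
# The UUID is omitted on purpose; libvirt generates one on `virsh net-define`.
write_open_network_xml() {
    cat > "$1" <<'EOF'
<network>
  <name>isolated</name>
  <forward mode='open'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='10.3.14.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.3.14.128' end='10.3.14.254'/>
    </dhcp>
  </ip>
</network>
EOF
}

# Demo on the constructed dump.
printf '%s\n' "$SAMPLE_DUMP" | rules_for_bridge virbr0
echo "rules touching virbr0: $(printf '%s\n' "$SAMPLE_DUMP" | count_rules_for_bridge virbr0)"

# To apply the definition on a host (not run here):
#   write_open_network_xml /tmp/isolated.xml
#   virsh net-define /tmp/isolated.xml && virsh net-start isolated
```

Run the check before and after restarting libvirtd to see the rule set libvirt adds; once the network is in `open` mode the count for the bridge should be whatever shorewall alone puts there.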