[libvirt] How to prevent libvirt from adding iptables rules?

Mariano Absatz el.baby at gmail.com
Thu Apr 2 21:10:02 UTC 2009


(sorry, Daniel... I had only answered you instead of copying the list also)

Daniel P. Berrange wrote on 01/04/09 09:41:
> On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
>   
>> At first I used the 'default' network (with a different rfc1918 
>> network)... everything was kinda working until I rebooted the host... at 
>> that point I lost connectivity between the outside world and the VMs. 
>> From inside the host I had no trouble connecting to the VMs.
>>
>> If I restarted shorewall (which actually cleans all iptables rules and 
>> regenerate them according to its configuration) everything works fine. 
>> After sending a report and some debugging in the shorewall mailing list, 
>> it was clear that libvirt was adding rules to iptables.
>>     
>
> Yes, the libvirt virtual network capability adds iptables to control
> traffic to/from the virtual network.
>
>   
>> After reading a bit 
>> (http://libvirt.org/formatnetwork.html#examplesPrivate) I created a new 
>> network called "isolated". I stopped default (and disabled its 
>> autostart), and defined and started isolated.
>>
>> This is the content of isolated.xml:
>> <network>
>>  <name>isolated</name>
>>  <uuid>51cffbcc-88f5-4edc-a81c-1765c1045691</uuid>
>>  <bridge name='virbr%d' stp='on' forwardDelay='0' />
>>  <ip address='10.3.14.1' netmask='255.255.255.0'>
>>    <dhcp>
>>      <range start='10.3.14.128' end='10.3.14.254' />
>>    </dhcp>
>>  </ip>
>> </network>
>>
>> I modified my VMs to use isolated rather than default, but rules keep 
>> being added to iptables when libvirt-bin is started.
>>
>> Is there a way to convince libvirt not to add these rules?
>>     
>
> No, libvirt needs to add the rules here because otherwise the guest
> virtual network would not be guaranteed to be isolated from the host
> network.
>
> If this is a problem, then the best bet is to not use the virtual
> network capability. Instead create a bridge device yourself using
> distro network scripts, and do whatever routing/firewalling setup 
> you need for shorewall to work.
>
> Daniel
>   
I see... so I can't just ask libvirt to create the bridge for me and not
touch iptables rules...  I chose "isolated" just hoping that would be
the way of preventing the addition of iptables rules...

The problem at this time is that the rules I see libvirt adds are
conflicting with my rules (since they are inserted at the top of INPUT
and FORWARD before mine):

 Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source        destination
     0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0     0.0.0.0/0  udp dpt:53
     0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0     0.0.0.0/0  tcp dpt:53
     0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0     0.0.0.0/0  udp dpt:67
     0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0     0.0.0.0/0  tcp dpt:67

 Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source        destination
     0     0 ACCEPT     all  --  vnet0  vnet0   0.0.0.0/0     0.0.0.0/0
     0     0 REJECT     all  --  *      vnet0   0.0.0.0/0     0.0.0.0/0  reject-with icmp-port-unreachable
     0     0 REJECT     all  --  vnet0  *       0.0.0.0/0     0.0.0.0/0  reject-with icmp-port-unreachable

Well... for the time being, I think I'll add a "shorewall restart" at
the end of rc.local which will kill these rules and leave only the ones
that shorewall generates...


-- 
Mariano Absatz - "El Baby"
el.baby at gmail.com
www.clueless.com.ar


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Light travels faster than sound. This is why some
people appear bright until you hear them speak.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org
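The ordering conflict discussed in this thread can be checked mechanically. The script below is an added example, not code from the thread or from libvirt or shorewall: it parses `iptables -nvL` output, lists every rule bound to a libvirt interface (vnet*/virbr*) with its position in the chain, and names the chains in which such a rule precedes a rule of the host's own firewall. The sample listing is constructed from the INPUT/FORWARD output quoted above plus one made-up shorewall-style rule per chain (net2fw, net2loc) standing in for the poster's own rules.

```shell
# Added example: audit `iptables -nvL` output for rules bound to libvirt
# interfaces (vnet*/virbr*). libvirt inserts its rules at the head of
# INPUT/FORWARD, so they are evaluated before anything shorewall generated.
set -e

# Constructed sample: the listing quoted in the mail, plus one made-up
# shorewall-style rule per chain (net2fw, net2loc) to stand in for "my rules".
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source        destination
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0     0.0.0.0/0  udp dpt:53
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0     0.0.0.0/0  tcp dpt:53
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0     0.0.0.0/0  udp dpt:67
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0     0.0.0.0/0  tcp dpt:67
    0     0 net2fw     all  --  eth0   *       0.0.0.0/0     0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source        destination
    0     0 ACCEPT     all  --  vnet0  vnet0   0.0.0.0/0     0.0.0.0/0
    0     0 REJECT     all  --  *      vnet0   0.0.0.0/0     0.0.0.0/0  reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vnet0  *       0.0.0.0/0     0.0.0.0/0  reject-with icmp-port-unreachable
    0     0 net2loc    all  --  eth0   br0     0.0.0.0/0     0.0.0.0/0'

# Print "CHAIN POSITION TARGET IN OUT" for every rule on a vnet*/virbr* interface.
# Fields of a -nvL row: pkts bytes target prot opt in out source destination ...
libvirt_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /             { chain = $2; pos = 0; next }
        /^ *pkts / || NF == 0 { next }
        { pos++
          if ($6 ~ /^(vnet|virbr)/ || $7 ~ /^(vnet|virbr)/)
              print chain, pos, $3, $6, $7 }'
}

count_libvirt_rules() { libvirt_rules "$1" | wc -l | tr -d ' '; }

# Name each chain in which a non-libvirt rule is preceded by a libvirt rule,
# i.e. where libvirt's ACCEPT/REJECT decisions are taken before the firewall's own.
shadowed_chains() {
    printf '%s\n' "$1" | awk '
        /^Chain /             { chain = $2; seen = 0; next }
        /^ *pkts / || NF == 0 { next }
        { lv = ($6 ~ /^(vnet|virbr)/ || $7 ~ /^(vnet|virbr)/)
          if (lv) seen = 1
          else if (seen && !(chain in reported)) { print chain; reported[chain] = 1 } }'
}

echo "libvirt-bound rules: $(count_libvirt_rules "$SAMPLE")"
libvirt_rules "$SAMPLE"
echo "chains where libvirt rules precede other rules: $(shadowed_chains "$SAMPLE" | tr '\n' ' ')"
```

To audit a live host, replace SAMPLE with the output of `iptables -nvL` (run as root); a chain reported by shadowed_chains is one where the firewall's rules never see traffic that libvirt's rules already accepted or rejected.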