[libvirt] Don't add iptables rules when creating networks


I just found out that libvirt always adds some iptables rules if it creates a NATed (or routed) network. There were a couple of mailing list posts about this, so I'm pretty sure this is not news to you.

I don't want to go into the debate about whether your approach is sensible or not (I guess there are some use cases where I kind of like it). However, on my server machine I really need full control over my (rather complicated) firewall settings.

Currently the newly added rules really create a lot of problems for me. For example, if I manage to have a good configuration after startup and then start a libvirt network afterwards, it will inject its rules at the start of the FORWARD queue (even though the same parameters are already present at the end!). On every net start there will be more duplicated rules, and they will take preference over my existing rules.

Besides that specific issue, I think this is only one tiny problem compared to others (central configuration of firewall rules, auditing requirements, ...). Therefore I would like to have some kind of 'power user' flag that prevents libvirt from adding any filter rules. I'm fine with activating it manually as long as I don't have to patch libvirt.
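An added example, not part of the original post and not libvirt's own code, showing the kind of audit check the duplication described above calls for: it parses `iptables-save` output and lists every rule that occurs more than once in a chain together with its 1-based positions, so rules re-inserted at the top of FORWARD on each network start are visible instead of silently shadowing the administrator's own rules. The sample dump is constructed; the bridge name, interfaces and subnet in it are assumptions.

```python
"""Audit an iptables-save dump for rules duplicated within one chain.

Added example (not from the original post or from libvirt). It reads the
text format produced by `iptables-save`, keeps rules in their chain order,
and reports rule texts that appear more than once with their positions.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample: a filter table after a libvirt NAT network has been
# started twice (positions 1-4) on top of the administrator's own rules
# (positions 5-7). Bridge, interfaces and subnet are assumed values.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
"""


def parse_chains(dump: str) -> dict[str, dict[str, list[str]]]:
    """Return {table: {chain: [rule_text, ...]}} preserving rule order.

    Only '*table', ':CHAIN policy' and '-A CHAIN ...' lines are meaningful
    here; comments, blank lines and COMMIT are skipped.
    """
    tables: dict[str, dict[str, list[str]]] = {}
    table: str | None = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":") and table is not None:
            chain = line[1:].split()[0]
            tables[table].setdefault(chain, [])
        elif line.startswith("-A ") and table is not None:
            parts = line.split(" ", 2)
            chain = parts[1]
            rule = parts[2] if len(parts) > 2 else ""
            tables[table].setdefault(chain, []).append(rule)
    return tables


def find_duplicates(rules: list[str]) -> dict[str, list[int]]:
    """Map each rule text seen more than once to its 1-based positions."""
    positions: dict[str, list[int]] = defaultdict(list)
    for idx, rule in enumerate(rules, start=1):
        positions[rule].append(idx)
    return {rule: pos for rule, pos in positions.items() if len(pos) > 1}


def audit(dump: str, table: str = "filter", chain: str = "FORWARD") -> dict[str, list[int]]:
    """Duplicated rules in one chain of one table of an iptables-save dump."""
    chains = parse_chains(dump).get(table, {})
    return find_duplicates(chains.get(chain, []))


def report(dump: str, table: str = "filter", chain: str = "FORWARD") -> list[str]:
    """Human-readable lines, one per duplicated rule, earliest position first."""
    lines = []
    for rule, pos in sorted(audit(dump, table, chain).items(), key=lambda kv: kv[1][0]):
        lines.append(f"{table}/{chain}: rule at positions {pos} ({len(pos)}x): {rule}")
    return lines


if __name__ == "__main__":
    # On a real host: iptables-save | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for line in report(text) or ["no duplicated rules"]:
        print(line)
```

Rules are compared as exact text after the chain name, which is how `iptables-save` emits them; equivalent rules written with different option spelling would not match, so the check under-reports rather than over-reports. Because positions are listed, the output also shows which copy sits ahead of the administrator's own rule and therefore matches first.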