[libvirt] Don't add iptables rules when creating networks

Daniel P. Berrange berrange at redhat.com
Mon Dec 21 12:04:34 UTC 2009

On Sun, Dec 20, 2009 at 07:19:06PM +0100, Felix Schwarz wrote:
> Hi,
> I just found out that libvirt always adds some iptables rules if it creates 
> a natted (or routed) network. There were a couple of mailing list posts 
> about this so I'm pretty sure this is not news to you.
> I don't want to go into the debate if your approach is sensible or not (I 
> guess there are some use cases where I kind of like it). However on my 
> server machine I really need full control over my (rather complicated) 
> firewall settings.
> Currently the newly added rules really create a lot of problems for me. For 
> example if I manage to have a good configuration after startup and then 
> start a libvirt network afterwards, it will inject its rules at the start 
> of the FORWARD queue (even though the same parameters are already present 
> at the end!). On every net start there will be more duplicated rules and 
> they will take preference over my existing rules.

There should never be duplicated rules. If you stop a libvirt virtual network,
it will remove its previously added rules, so there should be no duplication
next time it is started. If removal isn't working, that's a bug to be fixed.

Can you outline how your desired configuration for libvirt NAT mode is
different from what libvirt already does ? The goal for this is to be 
totally zero-conf, so the fact that you can't use the default setup
shows something is lacking in our impl & I'd prefer to identify what
that is rather than blindly disabling it. In addition the libvirt rules
are written to try & ensure that they only impact traffic to/from the
subnet that is configured in the libvirt network, to avoid causing problems
for other rules you might have already configured.

> Besides that specific issue I think this is only one tiny problem compared 
> to others (central configuration of firewall rules, auditing requirements, 
> ...).
> Therefore I would like to have some kind of 'power user' flag that prevents 
> libvirt from adding any filter rules. I'm fine with activating it manually 
> as long as I don't have to patch libvirt.

This isn't really something we want to support. As I mention above we
want to make sure this works out of the box without manual config. 

The one change we do want to make to the setup, is to move all the rules
into dedicated chains (libvirt_INPUT, libvirt_FORWARD, etc) so that we
only add a single rule to the main INPUT/FORWARD chains. 

|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
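The layout Daniel proposes at the end (one jump from the main FORWARD chain into a dedicated libvirt_FORWARD chain, with the subnet-scoped rules living only there) is shown below as an added example; it is not libvirt's own code. The subnet 192.168.122.0/24, the bridge name virbr0 and the rule bodies are constructed for illustration, and every add is guarded with `iptables -C` so that starting a network twice, or starting after an unclean stop, cannot produce the duplicated rules Felix saw. By default the script only prints the plan; nothing touches the firewall unless you pass `apply-start` or `apply-stop`.

```shell
#!/bin/sh
# Added example, not libvirt's own code: the "dedicated chain" layout from the
# mail, with idempotent start/stop so a restarted network never leaves
# duplicate rules behind.  Subnet, bridge and rule bodies are constructed.
IPT=${IPT:-iptables}
NET=${NET:-192.168.122.0/24}     # constructed example subnet
BR=${BR:-virbr0}                 # constructed example bridge name
CHAIN=libvirt_FORWARD            # dedicated chain, as proposed in the mail

# Subnet-scoped rules that live only in the dedicated chain.  Each line is
# one rule body; none of them touches the main FORWARD chain directly.
chain_rules() {
    printf '%s\n' \
        "-d $NET -o $BR -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-s $NET -i $BR -j ACCEPT" \
        "-i $BR -o $BR -j ACCEPT" \
        "-o $BR -j REJECT" \
        "-i $BR -j REJECT"
}

# Emit the commands that bring the rules up.  The only change to the main
# FORWARD chain is a single jump, and every add is guarded by -C (check) so
# that running "start" twice adds nothing the second time.
render_start() {
    echo "$IPT -N $CHAIN 2>/dev/null || true"
    chain_rules | while IFS= read -r r; do
        echo "$IPT -C $CHAIN $r 2>/dev/null || $IPT -A $CHAIN $r"
    done
    echo "$IPT -C FORWARD -j $CHAIN 2>/dev/null || $IPT -I FORWARD -j $CHAIN"
}

# Emit the commands that tear everything down: remove the jump (looping in
# case an older run left more than one), flush the dedicated chain, delete it.
# The administrator's own FORWARD rules are never touched.
render_stop() {
    echo "while $IPT -D FORWARD -j $CHAIN 2>/dev/null; do :; done"
    echo "$IPT -F $CHAIN 2>/dev/null"
    echo "$IPT -X $CHAIN 2>/dev/null"
}

# How many rules "start" inserts into the main FORWARD chain (should be 1).
main_chain_insert_count() {
    render_start | grep -c -- "-I FORWARD"
}

# "sh thisfile start|stop" prints the plan; "apply-start|apply-stop" runs it.
case ${1:-} in
    start)       render_start ;;
    stop)        render_stop ;;
    apply-start) render_start | sh ;;
    apply-stop)  render_stop | sh ;;
esac
```

Run `sh script start` first to review the plan; `main_chain_insert_count` is the check an administrator would want, confirming that only one rule ever lands in the shared FORWARD chain, while everything specific to the virtual network stays in libvirt_FORWARD where `iptables -L libvirt_FORWARD` shows it in isolation.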
