[libvirt] Don't add iptables rules when creating networks

Felix Schwarz felix.schwarz at oss.schwarz.eu
Sun Jan 24 14:06:34 UTC 2010

Am 21.12.2009 16:00, schrieb Daniel P. Berrange:
>> My issues:
>> 1) INPUT chain ACCEPTs DNS/dhcp from outside
>> You might notice that the INPUT chain basically says that I ACCEPT all
>> DNS/dhcp from all interfaces. I don't want that. As soon as I configure a
>> packet filter (e.g. shorewall), libvirt's configuration will take
>> precedence.
> No it doesn't say that. You are missing the '-v' flag to list the rules.
> If you add that you'll see that the rules are *different* and they all
> explicitly include the name of the bridge interface associated with the
> libvirt network

You're right - actually I did not check closely enough. Sorry for that.

> I agree that corporate policy/compliance issues are probably the main
> stumbling block here. (...)
> This obviously won't be enough for everyone's policy/compliance needs
> though.  In such strict managed deployments, I think the libvirt virtual
> network functionality is simply not going to be possible to use. Once
> you've taken away the iptables setup, then there ceases to be much point
> in using this functionality as it is. There are other libvirt APIs that
> would suit better, such as the network interface management APIs we
> recently added.

Which APIs do you think of? To me it looked like libvirt should become the 
default configuration layer whenever you do something with virtual machines 
(as it is configured by default, most configuration tools use it, ...). 
Therefore I tried to make my setup work with libvirt to make use of all that 
integration stuff...

> Can you explain a little more about your routed setup ? In particular,
> are you trying to use the same IP address range for VMs and your LAN,
> and thus just route a handful of IPs ?

Basically yes: This is a server in a data center with a couple of IPs that are 
assigned by my provider (no subnet). So I assign one IP to my host and route 
the others to libvirt interfaces so that my VMs can provide public services as 

I need a routed setup due to MAC address filtering in the switches.

> I know libvirt won't cope with the former scenario
> currently, since as you say it would need to know which IPs to route.
> We can deal with the separate-subnet scenario though & that shouldn't
> require any per-IP setup on the virt host

Actually there are not that many ipv4 addresses left so there are only 4 IPs 
included in my plan (used to be 1 + subnet with 6 usable IPs). Therefore I get 
only single IP addresses.
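A check in the spirit of Daniel's point about `-v`: an added Python example (not from this thread or from libvirt itself) that parses `iptables -nvL INPUT` output and flags any DNS/DHCP ACCEPT rule whose input interface is `*` (any interface) instead of a specific libvirt bridge. The listing is constructed for the example; the port set and bridge name are assumptions.

```python
import re
from typing import List

# Constructed sample of `iptables -nvL INPUT` output (not real output from the
# thread). The first four rules mirror what libvirt installs for a virtual
# network on virbr0; the last one is a deliberately unscoped rule (in = *)
# added so the audit has something to flag.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
"""

# DNS (53) and DHCP server (67) ports that libvirt opens for its dnsmasq (assumed set)
SERVICE_PORTS = {53, 67}


def parse_verbose_rules(listing: str) -> List[dict]:
    """Parse `iptables -nvL` rule lines into dicts; chain and column headers are skipped."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        # A verbose rule line begins with the pkts/bytes counters, then the target.
        if len(fields) < 9 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        # Columns: pkts bytes target prot opt in out source destination [match options...]
        extra = " ".join(fields[9:])
        m = re.search(r"dpt:(\d+)", extra)
        rules.append({
            "target": fields[2],
            "proto": fields[3],
            "in": fields[5],
            "out": fields[6],
            "dport": int(m.group(1)) if m else None,
        })
    return rules


def unscoped_service_accepts(listing: str) -> List[dict]:
    """Return ACCEPT rules for the DNS/DHCP ports whose input interface is '*'
    (any interface) rather than a specific bridge such as virbr0."""
    return [r for r in parse_verbose_rules(listing)
            if r["target"] == "ACCEPT" and r["dport"] in SERVICE_PORTS and r["in"] == "*"]


if __name__ == "__main__":
    for r in unscoped_service_accepts(SAMPLE_INPUT_CHAIN):
        print(f"unscoped ACCEPT: {r['proto']} dport {r['dport']} in={r['in']}")
```

On a real host, feed it `iptables -nvL INPUT` output; the non-verbose `-L` listing omits the in/out columns, which is exactly why the rules looked interface-agnostic in the original report.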