[libvirt-users] port forwarding

Ireneusz Szcześniak irek.szczesniak at gmail.com
Thu Apr 28 20:01:30 UTC 2011


Hi Laine and Whit,

Thank you for the information.  I will look into hooks -- this looks 
like the right choice.


Best,
Irek

On 28.04.2011 18:15, Laine Stump wrote:
> On 04/28/2011 10:56 AM, Whit Blauvelt wrote:
>> On Thu, Apr 28, 2011 at 10:41:11AM -0400, Laine Stump wrote:
>>> On 04/28/2011 09:15 AM, Ireneusz Szcześniak wrote:
>>>> I would like to reach the VM on a specific port of the host
>>>> machine. Once the machinces are running, I can configure iptables
>>>> so that the port forwarding works, but after host reboots, other
>>>> rules are inserted (put in front of my rules), which disable my
>>>> rules. I guess these rules are put by libvirt, and so I'm writing
>>>> to this list.
>>> Yes, these rules are put in by libvirt.
>>>
>>> The iptables rules added by libvirt for virtual networks are
>>> intended to fulfill the needs of 95% of users, but are not
>>> configurable. To do what you want, you'll either need to construct
>>> your own bridge (rather than relying on libvirt) and do all the
>>> iptables and routing config outside of libvirt, or you may be able
>>> to use libvirt execution hooks to add the rules at the appropriate
>>> time. See: http://www.libvirt.org/hooks.html for details on libvirt
>>> hook scripts.
>>>> ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
>> If all you need to do is change that one rule to
>> "NEW,RELATED,ESTABLISHED", iptables has an option to replace a rule.
>
> This would have the side effect of generating a warning log the next
> time libvirt brought down the network, and would also leave around the
> old rule (libvirt removes its rules when the network is stopped by
> describing exactly the rule it created; if that exact rule doesn't exist
> when the network is being stopped, it will give a warning, and also not
> remove this "similar but different" rule).
>
>
>> Sorry I don't have the syntax at my fingertips, but it should be simple
>> enough to modify the rule on system startup after libvirt has built the
>> initial ruleset, perhaps in rc.local.
>
> That would be overridden any time libvirtd was restarted, or the virtual
> network in question was stopped/restarted. That's why I suggested
> looking into libvirt's hooks - with the proper hook, the extra iptables
> commands could happen exactly when needed (I haven't checked to see if
> "the proper hook" exists, but if not then "patches welcome" :-)
>
>> Whit
>> _______________________________________________
>> libvirt-users mailing list
>> libvirt-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/libvirt-users
>


-- 
Ireneusz (Irek) Szczesniak
http://www.irkos.org
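As an added illustration (not code from this thread or from libvirt), a minimal /etc/libvirt/hooks/qemu script in the spirit of Laine's suggestion: it inserts the DNAT and FORWARD rules when a guest starts, after libvirt has already built its ruleset, and deletes exactly the same rules when the guest stops. It assumes libvirt's documented qemu hook calling convention (guest name, operation, sub-operation as positional arguments); the guest name, address and ports are constructed sample values.

```shell
#!/bin/sh
# Hypothetical /etc/libvirt/hooks/qemu (added example, not libvirt's code).
# libvirtd runs it as:  qemu <guest_name> <operation> <sub-operation> <extra>
# On "started" it inserts a DNAT port forward in front of libvirt's rules;
# on "stopped" it deletes exactly the same rules, so nothing is left behind.
# Set IPTABLES=echo to dry-run.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Constructed mapping: guest name -> host_port:guest_ip:guest_port
forward_for() {
    case "$1" in
        webvm) echo "8080:192.168.122.10:80" ;;
        *)     echo "" ;;
    esac
}

# Print the iptables commands for one mapping.
# $1 is -I (insert at position 1, ahead of libvirt's own entries) or -D (delete)
rules_for() {
    action=$1; spec=$2; pos=""
    if [ "$action" = "-I" ]; then pos=" 1"; fi
    host_port=${spec%%:*}
    rest=${spec#*:}
    guest_ip=${rest%%:*}
    guest_port=${rest#*:}
    echo "$IPTABLES -t nat $action PREROUTING$pos -p tcp --dport $host_port -j DNAT --to-destination $guest_ip:$guest_port"
    # NEW is needed here: libvirt's own FORWARD rule only accepts RELATED,ESTABLISHED
    echo "$IPTABLES $action FORWARD$pos -d $guest_ip -p tcp --dport $guest_port -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT"
}

# Map libvirt's operation to commands; prints nothing for guests without a mapping.
hook_commands() {
    guest=$1; op=$2
    spec=$(forward_for "$guest")
    [ -n "$spec" ] || return 0
    case "$op" in
        started) rules_for -I "$spec" ;;
        stopped) rules_for -D "$spec" ;;
    esac
}

# Run the commands only when invoked by libvirtd with its positional arguments.
if [ "$#" -ge 2 ]; then
    hook_commands "$1" "$2" | sh -e
fi
```

Because the hook fires after the network (and its rules) is up, the rule ordering problem from the original question does not recur on reboot; an `/etc/libvirt/hooks/qemu` file must be executable and libvirtd restarted once for it to be picked up.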
