[libvirt-users] Is there a way to suppress netfilter rules (default.xml)?

Oliver Schneider Borbarad at gmxpro.net
Thu Jan 27 02:41:09 UTC 2011


Hi,

in order to get hook scripts to work, I used a backported version of
libvirtd on Ubuntu 10.04 LTS. Here are the details:

Compiled against library: libvir 0.8.3
Using library: libvir 0.8.3
Using API: QEMU 0.8.3
Running hypervisor: QEMU 0.12.5

After adjusting the apparmor profile to accept the hook scripts under
/etc/libvirt/hooks/, I am able to start and stop domains again, but only
the script named "daemon" gets executed, the one named "qemu" gets
ignored. All my domains are KVM domains. I thought the "qemu" script
should apply to that?!

My actual goal is to suppress the rules or better yet execute my own
script (in order to amend or replace the libvirt rules) after insertion
of the "default" rules during startup of the daemon. The reason being
that I need to do some PNAT and other custom handling ...

So far I have not been able to catch the state where the bridge has
already been created and the rules inserted. Thus I've had to manipulate
the firewall rules manually (well, still scripted ;)) after booting the
host.

Any ideas?


Thanks,

// Oliver

PS: Side-note, I tried using the nwfilter facilities, but there seems
to be no way to insert rules at the start of a chain and similar things.
PPS: # cat /etc/libvirt/qemu/networks/default.xml
<network>
  <name>default</name>
  <bridge name="virbr%d" />
  <forward/>
  <ip address="192.168.122.1" netmask="255.255.255.0" />
</network>
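For readers landing on this thread: the hook mechanism the poster is after does exist in this libvirt version, so here is an added example of a qemu hook script that does the "insert my own rules ahead of libvirt's" part. This is not code from the original post or from the libvirt project. libvirtd runs /etc/libvirt/hooks/qemu with four arguments (guest name, operation, sub-operation, an extra argument), for example "qemu web01 start begin -" just before a guest is started and "qemu web01 stopped end -" after it has gone away; later releases added further operations (prepare/release, migrate, ...) and, much later, a separate "network" hook, neither of which applies to 0.8.3. Practical caveats: the file must be executable, libvirtd only looks for hook scripts when it starts (so restart the daemon after creating one), and the hook must not call back into libvirt. The guest name "web01", its address 192.168.122.10, the 8080->80 forward and the interface name eth0 are all assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): /etc/libvirt/hooks/qemu
# Invoked by libvirtd as:  qemu <guest-name> <operation> <sub-operation> <extra>
#   "qemu web01 start begin -"   just before the guest is started
#   "qemu web01 stopped end -"   after the guest has shut down
# Assumed (hypothetical) setup: guest "web01" at 192.168.122.10 on the
# "default" network, host port 8080 forwarded to guest port 80, and the
# host's external interface named eth0.

IPT="${IPT:-iptables}"   # set IPT=echo to dry-run the generated rules
RULES=""                 # newline-separated rule list filled by build_rules
NL='
'

add_rule() { RULES="${RULES}${RULES:+$NL}$*"; }

# Maps a guest and hook operation to the iptables rules it needs.
# Returns 1 for guests or operations we do not handle so the caller
# can simply skip them.
build_rules() {
  guest=$1; op=$2
  RULES=""
  case "$guest" in
    web01) gip=192.168.122.10; hport=8080; gport=80 ;;
    *) return 1 ;;
  esac
  case "$op" in
    # -I (no position) puts our rules at the top of the chain, ahead of
    # the REJECT/MASQUERADE rules libvirt installed for the default
    # network; -D with the identical spec removes them again.
    start)   act=-I ;;
    stopped) act=-D ;;
    *) return 1 ;;
  esac
  add_rule -t nat "$act" PREROUTING -i eth0 -p tcp --dport "$hport" \
    -j DNAT --to-destination "$gip:$gport"
  add_rule "$act" FORWARD -i eth0 -o virbr0 -d "$gip" -p tcp --dport "$gport" \
    -m state --state NEW -j ACCEPT
  return 0
}

# Runs every line of $RULES through iptables (or whatever $IPT is).
apply_rules() {
  printf '%s\n' "$RULES" | while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    # word splitting of $rule into iptables arguments is intended
    "$IPT" $rule || logger -t libvirt-hook "failed: $IPT $rule"
  done
}

# Entry point when libvirtd executes this file as a hook. Does nothing
# when sourced without arguments (e.g. by a test harness).
if [ -n "${1:-}" ]; then
  build_rules "$1" "$2" && apply_rules
fi
```

The same layout works for the "daemon" hook if you want rules re-applied on libvirtd start/reload: it is called with "-" as the guest name and "start", "shutdown" or "reload" as the operation, so dispatch on $2 instead of $1.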
