[libvirt-users] Best practice for custom iptables rules

ZeroUno zerozerounouno at gmail.com
Wed Jan 8 11:43:55 UTC 2014


Hi,
I'm using libvirt to manage some VMs on a CentOS host, and I need some 
custom iptables rules to always be in place for some communications to 
happen, e.g. between the VMs and the outside world in both directions.

Some of these rules need to be at the top of the iptables chain, 
otherwise the default rules added by libvirt would block the 
communications I need.
So I cannot just add the rules in /etc/sysconfig/iptables, because 
libvirt adds its own rules _before_ the rules contained in this config file.

I was looking at filters, but maybe not every rule can be made into a 
filter?
Specifically, I need a rule for the POSTROUTING chain in the "nat" 
table. Can it be added through filters?

Also, regarding the "iptables restart problem" described in the last 
paragraph at <http://libvirt.org/firewall.html>, is there really no 
acceptable way to make libvirt add its rules back automatically upon 
iptables/network restart?

Thanks for any info.
Marco

-- 
01
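One way to keep custom rules ahead of the ones libvirt inserts, as an added example that is not part of the original post: an idempotent insert helper that can be re-run from a libvirt hook so the rules come back after a firewall or guest restart. The hook entry point, its argument convention and the subnets are assumptions and placeholders, not anything from the thread.

```shell
#!/bin/sh
# Idempotently place a custom rule at the head of a chain so it is evaluated
# before anything libvirt adds. Usage: ensure_rule TABLE CHAIN RULE...
# Needs root and iptables; the binary can be overridden via $IPTABLES.
IPTABLES="${IPTABLES:-iptables}"

ensure_rule() {
    table="$1"; chain="$2"; shift 2
    # -C exits 0 only when an identical rule is already present.
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    # -I with position 1 puts the rule first, ahead of libvirt's rules.
    "$IPTABLES" -t "$table" -I "$chain" 1 "$@"
}

# Constructed example: exempt guest traffic to a remote subnet from the
# MASQUERADE rule libvirt installs in nat/POSTROUTING, and allow it through
# FORWARD in both directions (subnets are placeholders).
install_custom_rules() {
    ensure_rule nat POSTROUTING -s 192.168.122.0/24 -d 10.8.0.0/16 -j ACCEPT
    ensure_rule filter FORWARD -s 192.168.122.0/24 -d 10.8.0.0/16 -j ACCEPT
    ensure_rule filter FORWARD -s 10.8.0.0/16 -d 192.168.122.0/24 -j ACCEPT
}

# Assumed hook entry point: installed as /etc/libvirt/hooks/qemu, which
# receives the operation name as its second argument. Re-applying on every
# guest start keeps the rules in place even after they were flushed.
case "${2:-}" in
    started) install_custom_rules ;;
esac
```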