[libvirt-users] Best practice for custom iptables rules

Laine Stump laine at laine.org
Thu Jan 9 12:44:14 UTC 2014


On 01/09/2014 02:07 PM, ZeroUno wrote:
> Il 09/01/14 11:38, ZeroUno ha scritto:
>
>> Il 08/01/14 16:17, Laine Stump ha scritto:
>>> http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections
>>
>> interesting!), AFAICT this might help with adding rules to the NAT
>> table, which was the first part of my question, but does not help with
>
> ...also, it appears that the hook script /etc/libvirt/hooks/daemon to
> be called when the libvirt daemon is started is actually called
> _before_ libvirt adds its own iptables rules, because I am not able to
> insert my custom rule at the top of the chain.
>
> Maybe I might use the qemu script which is called each time a guest is
> started/stopped, by inserting some checks to prevent duplicates, but
> it becomes even more "hackish"... :)

Interesting point, and one which reinforces the idea that a network
event hook script might be a nice thing to have (although adding in a
callout to an externally-created shell script always has security
implications, especially for a process running as root).
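The qemu-hook approach quoted above, as an added example that is not from the thread or from libvirt itself: a hypothetical /etc/libvirt/hooks/qemu that inserts one custom rule at the top of FORWARD only when `iptables -C` reports it absent, so repeated guest starts do not pile up duplicates. The rule itself and the IPTABLES override (which lets the logic be exercised without root) are constructed for this example; it assumes, as the quoted message does, that libvirt's own rules are already in place by the time a guest reaches "started".

```bash
#!/bin/bash
# Hypothetical /etc/libvirt/hooks/qemu (constructed example).
# libvirt invokes it as: qemu <guest_name> <operation> <sub-operation> <extra>
# The IPTABLES override is for testing without root; the rule is a constructed
# example that keeps guests on libvirt's default subnet off a management range.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="FORWARD"
RULE="-s 192.168.122.0/24 -d 10.0.0.0/8 -j DROP"
RULE_ACTION=""

# rule_present: exit 0 if the rule is already in CHAIN (iptables -C checks
# without changing anything; its "no such rule" message is silenced).
rule_present() {
    # $RULE is intentionally unquoted so it splits into separate arguments.
    "$IPTABLES" -C "$CHAIN" $RULE 2>/dev/null
}

# ensure_rule: insert at position 1 only when absent, so the rule sits
# ahead of libvirt's own rules and is never duplicated. Records what it
# did in RULE_ACTION ("inserted" or "present") and prints it.
ensure_rule() {
    if rule_present; then
        RULE_ACTION="present"
    else
        "$IPTABLES" -I "$CHAIN" 1 $RULE
        RULE_ACTION="inserted"
    fi
    echo "$RULE_ACTION"
}

# hook_main: dispatch on the operation libvirt passes as the 2nd argument.
hook_main() {
    local op="$2"
    case "$op" in
        started)
            ensure_rule
            ;;
        *)
            # prepare/start/stopped/release: nothing to do. Leaving the rule
            # in place across guest stops is deliberate; it is host policy.
            ;;
    esac
}

# Only dispatch when invoked by libvirt with hook arguments.
if [ "$#" -ge 2 ]; then
    hook_main "$@"
fi
```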
