[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt-users] KVM + libvirt + nftables without iptables?

Michal Privoznik <mprivozn redhat com> wrote:

> On 10/18/2018 10:14 AM, Daniel P. Berrangé wrote:
> > On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote:  
> >> Hi everyone,
> >>
> >> I use Debian 9.5 Stretch and NFTABLES as a firewall.
> >> Using NFTABLES  together with IPTABLES is not recommended,
> >> but libvirt depends on IPTABLES.
> >>
> >> Is it safe to run libvirt + kvm + virsh without IPTABLES?
> >>
> >> By the doc https://libvirt.org/firewall.html,
> >> IPTABLES are used for settingup filtering which I do not need.  
> > 
> > Currently it is *NOT* ok.  
> Pardon me if I misread the question but I think Roman is actually
> asking if he turns off iptables in libvirt.

Thank you Michal, you said it exactly.
I only use nftables.
I need to remove iptables and set libvirt to work without them.

> Well, that would work but
> all the forwarding rules, rules that prevent one domain to see
> traffic of the other, etc - you would have to do them yourself. Or
> trust your guests.

Yes, I understand and I will create rules manually with NFTABLES.
And I also manage all kvm guests.

I've found some tips on how to "turn off" iptables in libvirt:

 virsh net-destroy default
 virsh net-autostart --disable default

Is this the right and safe way to remove all dependency to iptables?

Thank you,


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]