[libvirt] How to prevent libvirt from adding iptables rules?

Mariano Absatz el.baby at gmail.com
Tue Mar 31 19:08:24 UTC 2009


Hi,

I'm new to libvirt but not a complete neophite.

I'm using libvirt and kvm in ubuntu with "vmbuilder".

I'm creating a couple of VMs inside a host that is directly connected to 
internet with a public routeable address. Since I only have one public 
address, I won't use bridging.

I'm using shorewall (www.shorewall.net) to configure my iptables rules.

I intend to use DNAT to route specific ports in the host to one or other VM.

With standard masquerading, I give the VMs access to the outside world.

At first I used the 'default' network (with a different rfc1918 
network)... everything was kinda working until I rebooted the host... at 
that point I lost connectivity between the outside world and the VMs. 
 From inside the host I had no trouble connecting to the VMs.

If I restarted shorewall (which actually cleans all iptables rules and 
regenerate them according to its configuration) everything works fine. 
After sending a report and some debugging in the shorewall mailing list, 
it was clear that libvirt was adding rules to iptables.

After reading a bit 
(http://libvirt.org/formatnetwork.html#examplesPrivate) I created a new 
network called "isolated". I stopped default (and disabled its 
autostart), and defined and started isolated.

This is the content of isolated.xml:
<network>
  <name>isolated</name>
  <uuid>51cffbcc-88f5-4edc-a81c-1765c1045691</uuid>
  <bridge name='virbr%d' stp='on' forwardDelay='0' />
  <ip address='10.3.14.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.3.14.128' end='10.3.14.254' />
    </dhcp>
  </ip>
</network>

I modified my VMs to use isolated rather than default, but rules keep 
being added to iptables when libvirt-bin is started.

Is there a way to convince libvirt not to add these rules?

Feel free to ask for any data that I didn't send here.

TIA.

-- 
Mariano Absatz - "El Baby"
el.baby at gmail.com
www.clueless.com.ar


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
An expert is a person who has made all the mistakes
that can be made in a very narrow field.
        Niels Bohr
        Danish physicist (1885 - 1962)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org




More information about the libvir-list mailing list