[libvirt] How to prevent libvirt from adding iptables rules?

Daniel P. Berrange berrange at redhat.com
Wed Apr 1 12:41:17 UTC 2009


On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
> At first I used the 'default' network (with a different rfc1918 
> network)... everything was kinda working until I rebooted the host... at 
> that point I lost connectivity between the outside world and the VMs. 
> From inside the host I had no trouble connecting to the VMs.
> 
> If I restarted shorewall (which actually cleans all iptables rules and 
> regenerate them according to its configuration) everything works fine. 
> After sending a report and some debugging in the shorewall mailing list, 
> it was clear that libvirt was adding rules to iptables.

Yes, the libvirt virtual network capability adds iptables rules to control
traffic to/from the virtual network.

> After reading a bit 
> (http://libvirt.org/formatnetwork.html#examplesPrivate) I created a new 
> network called "isolated". I stopped default (and disabled its 
> autostart), and defined and started isolated.
> 
> This is the content of isolated.xml:
> <network>
>  <name>isolated</name>
>  <uuid>51cffbcc-88f5-4edc-a81c-1765c1045691</uuid>
>  <bridge name='virbr%d' stp='on' forwardDelay='0' />
>  <ip address='10.3.14.1' netmask='255.255.255.0'>
>    <dhcp>
>      <range start='10.3.14.128' end='10.3.14.254' />
>    </dhcp>
>  </ip>
> </network>
> 
> I modified my VMs to use isolated rather than default, but rules keep 
> being added to iptables when libvirt-bin is started.
> 
> Is there a way to convince libvirt not to add these rules?

No, libvirt needs to add the rules here because otherwise the guest
virtual network would not be guaranteed to be isolated from the host
network.

If this is a problem, then the best bet is to not use the virtual
network capability. Instead create a bridge device yourself using
distro network scripts, and do whatever routing/firewalling setup
you need for shorewall to work.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
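The following is an added example, not part of the thread above and not libvirt's own code. It shows the two halves of the advice in the reply: first, how to see which iptables rules libvirt's virtual network has put in place (so you can confirm that they, and not shorewall, are what is blocking traffic after a reboot), and second, how to move a guest onto a bridge that the host manages itself so libvirt stops generating rules. The host NIC name eth0, the bridge name br0, the guest name myguest and the sample iptables dump are all assumptions made for the example; the bridge is created with iproute2 here, and you would make it persistent with your distribution's network scripts.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: host NIC eth0,
# bridge br0, guest 'myguest'; iproute2 and virsh are present when run with
# the 'apply' argument as root. Without 'apply' it only inspects sample data.
set -eu

# Print only those lines of an 'iptables -S' dump that reference a libvirt
# bridge (virbr0, virbr1, ...). Reads the dump from a file argument or stdin.
virbr_rules_from_dump() {
    grep -E -- '(-i|-o) virbr[0-9]+' "$@" || true
}

# Count those rules; after switching to a host-managed bridge this should be 0.
count_virbr_rules() {
    virbr_rules_from_dump "$@" | wc -l | tr -d ' '
}

# Render the <interface> element that attaches a guest to a host-managed
# bridge instead of a libvirt virtual network (for use with 'virsh edit').
bridge_interface_xml() {
    printf "<interface type='bridge'>\n  <source bridge='%s'/>\n  <model type='virtio'/>\n</interface>\n" "$1"
}

# Constructed sample of an 'iptables -S' dump with the 'default' network
# running; written for this example, not captured from a real host.
SAMPLE_DUMP="-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable"

# The steps that actually change the host. Run as root: sh this.sh apply
apply_bridge_setup() {
    # Stop libvirt's network and keep it from returning on reboot.
    virsh net-destroy default || true
    virsh net-autostart default --disable
    # Create the bridge and enslave the NIC (one-off iproute2 form; use the
    # distro network scripts to make it survive a reboot).
    ip link add name br0 type bridge
    ip link set eth0 master br0
    ip link set br0 up
    # Attach the guest to br0; this is persisted in the domain config.
    virsh attach-interface myguest bridge br0 --config
    # Verify: no libvirt-generated rules should be left in the live ruleset.
    iptables -S | count_virbr_rules
}

if [ "${1:-}" = "apply" ]; then
    apply_bridge_setup
else
    # Show the rules the sample network would have added.
    printf '%s\n' "$SAMPLE_DUMP" | virbr_rules_from_dump
fi
```

Without arguments the script only lists the virbr-related rules in the constructed sample; with `apply` it performs the real switch. Once the guest is on br0, shorewall owns the whole ruleset again and restarting it no longer races with rules libvirt re-creates when libvirt-bin starts.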