[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] How to prevent libvirt from adding iptables rules?



On Mon, Apr 06, 2009 at 02:36:16PM +0200, Ludwig Nussel wrote:
> Daniel P. Berrange wrote:
> > On Thu, Apr 02, 2009 at 10:16:13AM +0200, Ludwig Nussel wrote:
> > > Daniel P. Berrange wrote:
> > > > On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
> > > > > [...]
> > > > > I modified my VMs to use isolated rather than default, but rules keep 
> > > > > being added to iptables when libvirt-bin is started.
> > > > > 
> > > > > Is there a way to convince libvirt not to add these rules?
> > > > 
> > > > No, libvirt needs to add the rules here because otherwise the guest
> > > > virtual network would not be guarenteed to be isolated from the host
> > > > network.
> > > 
> > > Messing with iptables rules isn't guaranteed to work either. Esp if the
> > > existing firewall is re-run. SuSEfirewall2 for example runs when
> > > interfaces come or go so it will kill any rules that someone added
> > > behind it's back.
> > 
> > We have a similar issue with the Fedora equivalent of SuSSfirewall, and
> > it provides a mechanism for us to register the set of rules we want, so
> > when it is re-run, it re-adds our rules.
> 
> SuSEfirewall2 does not have such a mechanism and TBH I pretty much
> dislike the idea of allowing applications to inject arbitrary rules.
> I'd prefer some higher level abstraction so it's left to the
> firewall to decide how to translate the request into actual iptables
> rules (or whatever else technology is used in the background).

I don't much like it either, but currently there isn't any other viable
way to provide good network connectivity out of the box, with zero 
configuration required by the user. In the perfect world we could
delegate setup to NetworkManager, and indeed NM's latest connection
sharing capabilities does very similar things with IPtables that
libvirt does - we worked with the NM developers to make sure our
stuff was compatible. So there's potentiall for more work with NM if
someone's interested in pursuing that direction

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]