
Re: [libvirt] Don't add iptables rules when creating networks

On 21.12.2009 16:00, Daniel P. Berrange wrote:
My issues:
1) INPUT chain ACCEPTs DNS/dhcp from outside

You might notice that the INPUT chain basically says that I ACCEPT all
DNS/dhcp from all interfaces. I don't want that. As soon as I configure a
packet filter (e.g. shorewall), libvirt's configuration will take
precedence.

No it doesn't say that. You are missing the '-v' flag to list the rules.
If you add that you'll see that the rules are *different* and they all
explicitly include the name of the bridge interface associated with the
libvirt network

You're right - actually I did not check closely enough. Sorry for that.

I agree that corporate policy/compliance issues are probably the main
stumbling block here. (...)

This obviously won't be enough for everyone's policy/compliance needs
though.  In such strict managed deployments, I think the libvirt virtual
network functionality is simply not going to be possible to use. Once
you've taken away the iptables setup, then there ceases to be much point
in using this functionality as it is. There are other libvirt APIs that
would suit better, such as the network interface management APIs we
recently added.

Which APIs do you think of? To me it looked like libvirt should become the default configuration layer whenever you do something with virtual machines (as it is configured by default, most configuration tools use it, ...). Therefore I tried to make my setup work with libvirt to make use of all that integration stuff...

Can you explain a little more about your routed setup ? In particular,
are you trying to use the same IP address range for VMs and your LAN,
and thus just route a handful of IPs ?

Basically yes: This is a server in a data center with a couple of IPs that are assigned by my provider (no subnet). So I assign one IP to my host and route the others to libvirt interfaces so that my VMs can provide public services as well.

I need a routed setup due to MAC address filtering in the switches.

I know libvirt won't cope with the former scenario
currently, since as you say it would need to know which IPs to route.
We can deal with the separate-subnet scenario though & that shouldn't
require any per-IP setup on the virt host

Actually there are not that many ipv4 addresses left so there are only 4 IPs included in my plan (used to be 1 + subnet with 6 usable IPs). Therefore I get only single IP addresses.

fs
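The point made in the reply above is that `iptables -L` without `-v` hides the `in`/`out` interface columns, so the libvirt DNS/DHCP ACCEPT rules look unrestricted when they are in fact bound to the network's bridge. The following is an added example, not code from the libvirt thread or project: a small POSIX shell/awk check that reads a verbose INPUT-chain listing and reports any ACCEPT rule for port 53 or 67 whose input interface is `*` (any). The sample listing is constructed for the example, and the bridge name `virbr0` is an assumption.

```shell
# Constructed sample in the format of `iptables -L INPUT -v -n`.
# The first four rules are bound to virbr0 (assumed bridge name); the last
# one is deliberately unscoped so the check has something to find.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# unscoped_service_accepts: read a verbose INPUT listing on stdin and print
# every ACCEPT rule for DNS (53) or DHCP (67) whose "in" interface is "*".
# Exit status 1 if any such rule was found, 0 if all are interface-scoped.
unscoped_service_accepts() {
    awk '
        NR <= 2 { next }                      # skip chain line and column header
        $3 == "ACCEPT" && $11 ~ /^dpt:(53|67)$/ && $6 == "*" { print; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# check_listing: run the check on a listing passed as the first argument.
# On a real host the equivalent is:  iptables -L INPUT -v -n | unscoped_service_accepts
check_listing() {
    printf '%s\n' "$1" | unscoped_service_accepts
}

# count_unscoped: number of unscoped DNS/DHCP ACCEPT rules in the sample.
count_unscoped() {
    check_listing "$SAMPLE_LISTING" | wc -l | tr -d ' '
}
```

Run against the constructed sample the check prints only the last rule, because the four libvirt-style rules carry `virbr0` in the `in` column; a listing taken without `-v` would not let you make that distinction at all.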
