
Re: [libvirt] Don't add iptables rules when creating networks



Hello,

> Can you outline how your desired configuration for libvirt NAT mode is
> different from what libvirt already does ? The goal for this is to be
> totally zero-conf, so the fact that you can't use the default setup
> shows something is lacking in our impl & I'd prefer to identify what
> that is rather than blindly disabling it. In addition the libvirt
> rules are written to try & ensure that they only impact traffic
> to/from the subnet that is configured in the libvirt network, to avoid
> causing problems for other rules you might have already configured.

I opened a bug report[1] for this too. Doing the right thing for the
out-of-the-box configuration is OK, but everything should be opt-out and
manually configurable.

I add sanity-check rules at the top of my netfilter chains, and when a
libvirt network starts it is not "protected" by these rules.

It's like my bug report on dnsmasq[2]: I already have a complete
DHCP/DNS-with-LDAP-backend configuration for the subnet, so I don't need it,
but I cannot opt out of the feature.

This disempowers the user/administrator, which I think is bad.

So, what I would like to see:

1. Automatic configuration for out-of-the-box setup
2. Opt-out all the automatic configurations
3. Manually configurable, with pre-up(before), up(doing it),
   post-up(after) and their down counterparts.

Please.

Footnotes: 
[1]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568790

[2]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549183

-- 
Daniel Dehennin
Retrieve my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1


