[libvirt] Don't add iptables rules when creating networks

Daniel Dehennin daniel.dehennin at baby-gnu.org
Sun Jun 13 11:24:15 UTC 2010


Hello,

> Can you outline how your desired configuration for libvirt NAT mode is
> different from what libvirt already does ? The goal for this is to be
> totally zero-conf, so that fact that you can't use the default setup
> shows something is lacking in our impl & I'd prefer to identify what
> that is rather than blindly disabling it. In addition the libvirt
> rules are written to try & ensure that they only impact traffic
> to/from the subnet that is configured in the libvirt network, to avoid
> causing problems for other rules you might have already configured.

I opened a bug report[1] for this too. Doing the right thing for the
out-of-the-box configuration is OK, but everything should be opt-out and
manually configurable.

I add sanity-check rules at the top of my netfilter chains, and when a
libvirt network starts it is not "protected" by these rules.

It's like my bug report on dnsmasq[2]: I already have a complete
DHCP/DNS-with-LDAP-backend configuration for the subnet, so I don't need
it, but I cannot opt out of the feature.

This disempowers the user/administrator, which I think is bad.

So, what I would like to see:

1. Automatic configuration for out-of-the-box setup
2. Opt-out all the automatic configurations
3. Manually configurable, with pre-up (before), up (doing it),
   post-up (after) and their down counterparts.

Please.

Footnotes: 
[1]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568790

[2]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549183

-- 
Daniel Dehennin
Retrieve my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
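The pre-up / post-up / down hooks requested in point 3 above, sketched as an
added example that is not part of the mail or of libvirt's own code. It is
written against the network hook interface of later libvirt releases
(/etc/libvirt/hooks/network, called with network name, operation and
sub-operation as arguments, XML on stdin), which did not exist when this
mail was written. The subnet 192.168.122.0/24 and the chain name SANITY are
assumptions; libvirt's own rule layout is not modelled, the hook simply
re-inserts the admin's jump at position 1 once the network is up so that it
precedes whatever libvirt added.

```shell
#!/bin/sh
# Hypothetical /etc/libvirt/hooks/network script (example, not libvirt's
# own code). libvirt invokes it as:
#   network <name> <operation> <sub-operation> <extra>
# e.g. "default start begin -"    before the network is brought up
#      "default started begin -"  once the network is up
#      "default stopped end -"    after the network is torn down
#
# Mapping onto the phases asked for in the mail:
#   pre-up  -> start/begin
#   up      -> done by libvirt itself (its own iptables rules, dnsmasq)
#   post-up -> started/begin
#   down    -> stopped/end
#
# Assumptions (not from the mail): guest subnet and sanity chain name.
SUBNET=${SUBNET:-192.168.122.0/24}
IPT=${IPT:-iptables}

# Print, one per line, the commands this hook would run for the given
# network/operation/sub-operation. Printing instead of executing keeps the
# plan inspectable (and testable) without root or a netfilter stack.
network_hook_plan() {
    net=$1; op=$2; subop=$3
    case "$op/$subop" in
        start/begin)
            # pre-up: ensure the SANITY chain exists (flush it if it does)
            # and (re)populate it before libvirt touches the tables.
            echo "$IPT -N SANITY 2>/dev/null || $IPT -F SANITY"
            echo "$IPT -A SANITY -m conntrack --ctstate INVALID -j DROP"
            echo "$IPT -A SANITY -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            ;;
        started/begin)
            # post-up: libvirt has inserted its rules for $net; drop any
            # stale jump and put ours back at position 1 so it runs first.
            echo "$IPT -D FORWARD -s $SUBNET -j SANITY 2>/dev/null || true"
            echo "$IPT -I FORWARD 1 -s $SUBNET -j SANITY"
            ;;
        stopped/end)
            # down: remove our jump; libvirt removes its own rules.
            echo "$IPT -D FORWARD -s $SUBNET -j SANITY 2>/dev/null || true"
            ;;
        *)
            # port-created, port-deleted, updated, ...: nothing to do.
            ;;
    esac
}

# When invoked by libvirt (at least name, operation, sub-operation given),
# execute the plan; abort on the first failing command.
if [ "$#" -ge 3 ]; then
    network_hook_plan "$@" | sh -e
fi
```

Run as a hook the script only ever executes what network_hook_plan prints,
so `./network default started begin - | cat` is not possible, but
`network_hook_plan default started begin` from an interactive shell shows
exactly which rules would be applied at that phase before you trust it on a
live host.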