On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
> At first I used the 'default' network (with a different rfc1918
> network)... everything was kinda working until I rebooted the host... at
> that point I lost connectivity between the outside world and the VMs.
> From inside the host I had no trouble connecting to the VMs.
>
> If I restarted shorewall (which actually cleans all iptables rules and
> regenerates them according to its configuration) everything works fine.
> After sending a report and some debugging in the shorewall mailing list,
> it was clear that libvirt was adding rules to iptables.
Yes, the libvirt virtual network capability adds iptables rules to control
traffic to/from the virtual network.

> After reading a bit
> (http://libvirt.org/formatnetwork.html#examplesPrivate) I created a new
> network called "isolated". I stopped default (and disabled its
> autostart), and defined and started isolated.
>
> This is the content of isolated.xml:
>
> <network>
>   <name>isolated</name>
>   <uuid>51cffbcc-88f5-4edc-a81c-1765c1045691</uuid>
>   <bridge name='virbr%d' stp='on' forwardDelay='0' />
>   <ip address='10.3.14.1' netmask='255.255.255.0'>
>     <dhcp>
>       <range start='10.3.14.128' end='10.3.14.254' />
>     </dhcp>
>   </ip>
> </network>
>
> I modified my VMs to use isolated rather than default, but rules keep
> being added to iptables when libvirt-bin is started.
>
> Is there a way to convince libvirt not to add these rules?

No, libvirt needs to add the rules here because otherwise the guest
virtual network would not be guaranteed to be isolated from the host
network.

If this is a problem, then the best bet is to not use the virtual
network capability. Instead create a bridge device yourself using
distro network scripts, and do whatever routing/firewalling setup
you need for shorewall to work

Daniel
--
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
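As an added illustration of the bridge-yourself approach suggested above (not part of the original thread), here is a Debian/Ubuntu `/etc/network/interfaces` stanza that recreates the "isolated" network as a host-only bridge managed by ifupdown and bridge-utils instead of libvirt, so libvirt installs no iptables rules for it and shorewall alone decides what is routed. The bridge name `br0` and the reuse of the 10.3.14.0/24 addressing are assumptions for the example.

```conf
# /etc/network/interfaces (example addition; assumes the bridge-utils
# package is installed so ifupdown understands the bridge_* options)

# Host-only bridge with no physical ports: guests attach to it, the host
# owns 10.3.14.1 on it, and nothing is forwarded unless shorewall says so.
auto br0
iface br0 inet static
    address 10.3.14.1
    netmask 255.255.255.0
    # no physical NIC is enslaved; the bridge exists purely for guests
    bridge_ports none
    # mirror the stp='on' forwardDelay='0' settings of the libvirt network
    bridge_stp on
    bridge_fd 0

# Notes (assumptions about the resulting setup, not libvirt behaviour):
# - libvirt no longer runs dnsmasq for this bridge, so guests need static
#   addresses or a DHCP server of your own bound to br0.
# - IP forwarding and any NAT between br0 and the external interface are
#   now entirely shorewall's job; libvirt adds nothing for br0.
```

In each guest's domain XML, replace the `<source network='isolated'/>` interface with `<interface type='bridge'><source bridge='br0'/></interface>` so the guest plugs into the manually managed bridge.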