On Thu, Apr 02, 2009 at 10:16:13AM +0200, Ludwig Nussel wrote:
> Daniel P. Berrange wrote:
> > On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
> > > [...]
> > > I modified my VMs to use isolated rather than default, but rules keep
> > > being added to iptables when libvirt-bin is started.
> > >
> > > Is there a way to convince libvirt not to add these rules?
> >
> > No, libvirt needs to add the rules here because otherwise the guest
> > virtual network would not be guaranteed to be isolated from the host
> > network.
>
> Messing with iptables rules isn't guaranteed to work either. Esp. if the
> existing firewall is re-run. SuSEfirewall2 for example runs when
> interfaces come or go so it will kill any rules that someone added
> behind its back.
We have a similar issue with the Fedora equivalent of SuSEfirewall, and it provides a mechanism for us to register the set of rules we want, so when it is re-run, it re-adds our rules.

As a failsafe, sending SIGHUP to libvirtd will make it re-add its rules, so if there's some post-config hook for SuSEfirewall, it could be made to SIGHUP the libvirtd daemon.

> What kind of iptables rules do you need to install?

It depends on the particular config, but it is adding sets of rules against the IP range & bridge device config for the interface we add to allow / disallow forwarding of traffic.

Daniel

--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
https://www.redhat.com/mailman/listinfo/libvir-list
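The "post-config hook that SIGHUPs libvirtd" idea from the reply above, written out as an added example (not code from the thread or from libvirt): it checks whether any rules naming the virtual-network bridge survived a firewall reload and, only if they are gone, signals libvirtd to re-add them. The bridge name `virbr0`, the pid file path and the sample `iptables-save` output are all assumptions or constructed data.

```shell
#!/bin/sh
# Added example: hook to run after the host firewall (e.g. SuSEfirewall2)
# has been re-applied. If libvirt's rules for the bridge were flushed,
# send SIGHUP to libvirtd so it re-installs them.

# count_bridge_rules RULES_TEXT BRIDGE
# Counts iptables-save lines that use BRIDGE as an in (-i) or out (-o) interface.
count_bridge_rules() {
    n=$(printf '%s\n' "$1" | grep -c -E "(-i|-o) $2( |$)") || true
    printf '%s\n' "$n"
}

# rules_present RULES_TEXT BRIDGE -> exit 0 if at least one rule references BRIDGE
rules_present() {
    [ "$(count_bridge_rules "$1" "$2")" -gt 0 ]
}

# hook_action RULES_TEXT BRIDGE -> prints "ok" (rules survived) or "sighup" (re-add needed)
hook_action() {
    if rules_present "$1" "$2"; then echo ok; else echo sighup; fi
}

# Real hook: reads the live ruleset; pid file path is an assumption, adjust per distro.
ensure_libvirt_rules() {
    bridge=${1:-virbr0}
    pidfile=${2:-/var/run/libvirtd.pid}
    if [ "$(hook_action "$(iptables-save)" "$bridge")" = sighup ]; then
        kill -HUP "$(cat "$pidfile")" && echo "SIGHUP sent to libvirtd: re-adding rules for $bridge"
    fi
}

# Constructed sample rulesets (modelled on a typical libvirt network, not captured output).
SAMPLE_WITH='-A INPUT -i lo -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_AFTER_RELOAD='-A INPUT -i lo -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable'

# Offline demo on the constructed data (no root, no iptables needed).
echo "before reload: $(hook_action "$SAMPLE_WITH" virbr0)"          # ok
echo "after reload:  $(hook_action "$SAMPLE_AFTER_RELOAD" virbr0)"  # sighup
```

Wire `ensure_libvirt_rules` into whatever your firewall runs after applying its ruleset; it is a no-op while libvirt's rules are still present.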