After some more hours of trying to fix libvirt's behavior, I decided to fix
this issue by patching libvirt. Patch for 0.6.3 attached. If there's hope of
getting something like that into the git repository, I can port it to 0.7 easily.
fs
diff -r 59b72393b8ce src/network_conf.c
--- a/src/network_conf.c Sun Dec 20 22:06:05 2009 +0100
+++ b/src/network_conf.c Sun Dec 20 22:08:12 2009 +0100
@@ -415,6 +415,13 @@
def->forwardType = VIR_NETWORK_FORWARD_NAT;
}
+ tmp = virXPathString(conn, "string(./forward[1]/@adjustFirewall)",
ctxt);
+ if (tmp) {
+ def->adjustFirewall = (STREQ(tmp, "off") ? 0 : 1);
+ } else {
+ def->adjustFirewall = 1;
+ }
+ VIR_FREE(tmp);
def->forwardDev = virXPathString(conn, "string(./forward[1]/@dev)",
ctxt);
} else {
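Review bot: The default `def->adjustFirewall = 1` is only reached inside the branch that handles an existing `<forward>` element, so a network without one keeps whatever the allocation left in the field (zero if the def is zero-filled, as libvirt's allocators do), and the new early return in networkAddIptablesRules then skips the DHCP/DNS input rules for isolated networks. Set the default before the forward lookup, e.g. `def->adjustFirewall = 1;` ahead of the `<forward>` check, so only an explicit `adjustFirewall='off'` disables rule management. The parse also treats every value other than `off` as on; since the formatter only ever writes `on`/`off`, rejecting anything else as an XML parse error would catch typos instead of silently accepting them. The enclosing parse function starts and ends outside the hunk.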
@@ -581,7 +588,9 @@
} else {
virBufferAddLit(&buf, " <forward");
}
- virBufferVSprintf(&buf, " mode='%s'/>\n", mode);
+ virBufferVSprintf(&buf, " mode='%s'", mode);
+ virBufferVSprintf(&buf, " adjustFirewall='%s'",
def->adjustFirewall ? "on" : "off");
+ virBufferAddLit(&buf, "/>\n");
}
}
diff -r 59b72393b8ce src/network_conf.h
--- a/src/network_conf.h Sun Dec 20 22:06:05 2009 +0100
+++ b/src/network_conf.h Sun Dec 20 22:08:12 2009 +0100
@@ -68,6 +68,7 @@
int forwardType; /* One of virNetworkForwardType constants */
char *forwardDev; /* Destination device for forwarding */
+ int adjustFirewall : 1; /* If libvirt should add/remove iptables rules */
char *ipAddress; /* Bridge IP address */
char *netmask;
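Review bot: `int adjustFirewall : 1;` is a signed one-bit field on common compilers, so storing the 1 that the parser assigns reads back as -1; truthiness tests still work, but any `== 1` comparison or `%d` print of the field will surprise. Declare it `unsigned int adjustFirewall : 1;`, or make it a plain `int` like `forwardType` two lines above. The struct definition starts outside the hunk.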
diff -r 59b72393b8ce src/network_driver.c
--- a/src/network_driver.c Sun Dec 20 22:06:05 2009 +0100
+++ b/src/network_driver.c Sun Dec 20 22:08:12 2009 +0100
@@ -664,6 +664,10 @@
struct network_driver *driver,
virNetworkObjPtr network) {
int err;
+
+ if (! network->def->adjustFirewall) {
+ return 1;
+ }
/* allow DHCP requests through to dnsmasq */
if ((err = iptablesAddTcpInput(driver->iptables, network->def->bridge,
67))) {
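Review bot: The early `return 1` at the top of networkAddIptablesRules carries no explanation, and the function's success value cannot be seen in the hunk; if 1 is the success code callers expect (the rest of the body is outside the hunk), say so in a comment such as `/* adjustFirewall='off': firewall is managed outside libvirt, report success without touching iptables */`. With the flag off the network starts with none of the DHCP/DNS input rules that follow, so a debug log line at this point would make a "DHCP never reaches dnsmasq" report easy to diagnose. Style: drop the space in `! network->def->adjustFirewall`.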
@@ -758,6 +762,11 @@
static void
networkRemoveIptablesRules(struct network_driver *driver,
virNetworkObjPtr network) {
+
+ if (! network->def->adjustFirewall) {
+ return;
+ }
+
if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
iptablesRemoveForwardMasquerade(driver->iptables,
network->def->network,
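Review bot: networkRemoveIptablesRules decides from the same `network->def->adjustFirewall` that networkAddIptablesRules consulted at start, so if the definition can change while the network is active, rules added with the flag on are left behind once it is switched off (stale iptables rules that nothing removes), and a network started with the flag off has rules removed that were never added. Recording on the live network object whether rules were actually installed at add time, and testing that here, is more robust than re-reading the configuration; the same applies to the check added to networkAddIptablesRules earlier in this file. The function body continues outside the hunk.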