Bug 530879

Summary: Please add an option to disable generation of iptables rules
Product: [Fedora] Fedora
Reporter: Enrico Scholz <rh-bugzilla>
Component: libvirt
Assignee: Daniel Veillard <veillard>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: low
Version: 11
CC: berrange, clalance, crobinso, itamar, jforbes, redhat-bugzilla, veillard, virt-maint
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-26 15:13:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Enrico Scholz 2009-10-25 15:38:44 EDT
Description of problem:

When using 'nat' network type (which is the only choice provided by virt-manager), libvirt adds its own iptables rules.  These might be good for out-of-the-box installations but are unwanted in more complex setups where they lower security (especially because they are inserted at the top of the default chains).

Please add a way to

a) disable generation of these rules completely, or

b) put them into their own chains (e.g. FORWARD-libvirt) and change the standard Fedora firewall rules so that they jump into these chains (which would be stubs at startup)

Current implementation won't survive a restart of the iptables configuration either.

Version-Release number of selected component (if applicable):
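
The chain layout option (b) asks for, and a check for the situation the report objects to, as an added example (not code from this bug report, from libvirt or from Fedora's firewall scripts). It assumes the chain names INPUT-libvirt and FORWARD-libvirt and the bridge name virbr0; the sample dumps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the bug report or from libvirt. It shows the layout
# option (b) asks for: the built-in chains only jump into dedicated stub chains, and
# an audit that flags virbr0 rules placed directly in the built-in chains.
# Assumptions: chain names INPUT-libvirt/FORWARD-libvirt and the bridge name virbr0.

# Emit an iptables-restore fragment for the filter table. The dedicated chains start
# empty; whatever manages the virtual network fills them, and the built-in chains
# keep a single jump each, so a reload of the base firewall restores the same layout.
libvirt_chain_fragment() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT-libvirt - [0:0]
:FORWARD-libvirt - [0:0]
-A INPUT -j INPUT-libvirt
-A FORWARD -j FORWARD-libvirt
COMMIT
EOF
}

# Count rules in an iptables-save dump ($1) that reference virbr0 directly in
# INPUT, FORWARD or OUTPUT. A non-zero count is the situation the report objects to.
count_direct_virbr0_rules() {
    printf '%s\n' "$1" | awk '
        /^-A (INPUT|FORWARD|OUTPUT) / && /virbr0/ { n++ }
        END { print n + 0 }
    '
}

# List the chains that carry virbr0 rules in dump $1, one per line, deduplicated,
# so an auditor can see where the rules actually live.
chains_with_virbr0_rules() {
    printf '%s\n' "$1" | awk '/^-A / && /virbr0/ { print $2 }' | sort -u
}

# Constructed sample dumps (illustrative rule text, not captured from a real host).
# The first resembles rules inserted straight into the built-in chains; the second
# keeps the same rules inside the dedicated chains.
SAMPLE_DIRECT='*filter
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

SAMPLE_CHAINED='*filter
-A INPUT -j INPUT-libvirt
-A FORWARD -j FORWARD-libvirt
-A INPUT-libvirt -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD-libvirt -i virbr0 -o virbr0 -j ACCEPT
COMMIT'

# Print the audit result for one named dump.
report() {
    echo "$1: $(count_direct_virbr0_rules "$2") virbr0 rule(s) directly in built-in chains"
    echo "$1: chains carrying virbr0 rules: $(chains_with_virbr0_rules "$2" | tr '\n' ' ')"
}

report direct  "$SAMPLE_DIRECT"
report chained "$SAMPLE_CHAINED"

echo "Stub layout requested in option (b):"
libvirt_chain_fragment
```

On a live host, feed the output of iptables-save to the two audit functions instead of the constructed samples; a count of zero together with only the dedicated chains in the chain list means the base firewall can be reloaded from the stub fragment without disturbing the virtual-network rules' placement.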

Comment 1 Daniel Berrange 2009-10-25 19:25:16 EDT
It is already possible to get rid of these by removing the associated network

 virsh net-destroy default
 virsh net-autostart --disable default

will get rid of them.
Comment 2 Enrico Scholz 2009-10-25 19:47:07 EDT
But this will break all domains which are using the 'default' network as the associated bridge and dnsmasq won't be started.  It won't be possible to create new machines with 'virt-manager' because it cannot find a network anymore.
Comment 3 Daniel Berrange 2009-10-26 15:13:44 EDT
You can't have it both ways. If you want to use the default network, then the iptables rules are required, otherwise it won't work. If you don't want the iptables rules then you can't use the default network.

If you restart / break the libvirt iptables rules, then 'service libvirt reload' will recreate them
Comment 4 Ralf Ertzinger 2009-10-29 07:07:57 EDT
I agree that the rules may be necessary, but I do not agree that they have to be created by libvirtd. I have, on several systems, replaced libvirtd by a custom compiled package which does not touch my iptables rules, because I manage those myself, and the rules added by libvirtd seriously interfere with the rest of my setup.

Being able to tell libvirtd that the admin will handle iptables would thus be nice.
Comment 5 Daniel Berrange 2009-10-29 07:13:30 EDT
As I've said many times, if you don't want the iptables rules added then you don't use the default network functionality provided by libvirt, set it up yourself. It is not viable to support libvirt's virtual network capability with custom iptables rules.
Comment 6 Ralf Ertzinger 2009-10-29 08:24:47 EDT
Except that virt-manager will not let me use my hand defined bridges for virtual machines (unless I'm doing something wrong).