Bug 533193
Summary: | RFE: network: Add iptables rules to a custom chain - allows users to insert rules before libvirt's rules | ||
---|---|---|---|
Product: | [Community] Virtualization Tools | Reporter: | Jeremy Katz <katzj> |
Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
Status: | CLOSED UPSTREAM | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | ayers, berrange, clalance, crobinso, ikseno, itamar, jforbes, kyleterrien, lool, mpatocka, veillard, virt-maint, xen-maint, yalzhang |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-07-17 21:14:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 636029 |
Description
Jeremy Katz
2009-11-05 15:16:16 UTC
We need to re-arrange the way we add iptables rules to address this in a good manner. Currently we put them directly into the INPUT/OUTPUT/FORWARD chains, inserting at position 0. This makes it hard for admins to put other rules ahead of our own, since every time we start a new guest its rules get placed ahead of custom rules. What we need todo is to move all our rules to a custom chain. libvirt_INPUT, libvirt_OUTPUT and libvirt_FORWARD. When libvirtd starts up we should create those 3 chains and insert them at position 0 in the main INPUT, OUTPUT & FORWARD chains. When starting VMs the per-VM rules should be in our custom chain. This will allow admins to add their own rules to the main INPUT, OUTPUT, FORWARD chains and guarentee they'll always be ahead of any of libvirts per-VM rules. This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Makes sense, moving upstream - it's been like this for a long time now, so there's no particular point in tracking it as a Fedora bug I'm confused about the status of this issue. Does "moving upstream" mean: A) a separate bug was submitted in another bug tracker B) a change in product/component with this remaining the primary bug In case of A) could we have a URL to the bug? In case of B) what is the status, has anyone worked on this? Could the suggestion in comment 1 be implemented in existing installations via manual configuration and if so how should one go about it? *** Bug 972368 has been marked as a duplicate of this bug. *** AFAICT this is still relevant with latest libvirt. firewalld may help here, but not all distros use firewalld This series moves all libvirt rules into separate chains: https://www.redhat.com/archives/libvir-list/2018-November/msg00018.html This makes it practical to install rules ahead of libvirt's rules in iptables default chains, without risk of libvirt constantly inserting more rules in front. That code landed upstream, so I guess this is fixed nowadays |