Bug 533193

Summary: RFE: network: Add iptables rules to a custom chain - allows users to insert rules before libvirt's rules
Product: [Community] Virtualization Tools
Reporter: Jeremy Katz <katzj>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED UPSTREAM
Severity: medium
Priority: low
Version: unspecified
CC: ayers, berrange, clalance, crobinso, ikseno, itamar, jforbes, kyleterrien, lool, mpatocka, veillard, virt-maint, xen-maint, yalzhang
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2019-07-17 21:14:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 636029

Description Jeremy Katz 2009-11-05 15:16:16 UTC
The default iptables rules added by libvirt preclude having any rules set up on your system to forward traffic to a guest, as they include putting REJECT rules into the FORWARD chain.

Comment 1 Daniel Berrangé 2009-11-05 17:26:50 UTC
We need to re-arrange the way we add iptables rules to address this in a good manner.

Currently we put them directly into the INPUT/OUTPUT/FORWARD chains, inserting at position 0. This makes it hard for admins to put other rules ahead of our own, since every time we start a new guest its rules get placed ahead of custom rules.

What we need to do is to move all our rules to a custom chain: libvirt_INPUT, libvirt_OUTPUT and libvirt_FORWARD. When libvirtd starts up we should create those 3 chains and insert them at position 0 in the main INPUT, OUTPUT & FORWARD chains. When starting VMs the per-VM rules should be in our custom chain.

This will allow admins to add their own rules to the main INPUT, OUTPUT, FORWARD chains and guarantee they'll always be ahead of any of libvirt's per-VM rules.
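A text-only model of the two layouts described in the comment above, added here as an illustration; it is not part of the bug report and not libvirt's code. Chains are modelled as strings with one rule per line (line 1 = iptables rule position 1), so the script runs without root and never touches netfilter. The chain name libvirt_FORWARD and the idea of a FORWARD REJECT per guest come from the report; the admin rule text, the exact REJECT rule text, the bridge names and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not libvirt code: compare where an admin's own FORWARD rule
# ends up under the legacy layout (libvirt does "-I FORWARD 1" on every start)
# and under the proposed layout (one jump to libvirt_FORWARD, per-guest rules
# appended inside that chain). Chains are plain strings, one rule per line.

# Admin rule that must stay ahead of libvirt's REJECTs (constructed).
ADMIN_RULE='-i br0 -o virbr0 -p tcp --dport 80 -j ACCEPT'

# Per-network REJECT libvirt adds to FORWARD (constructed text); $1 = bridge index.
guest_rule() {
    printf '%s' "-o virbr$1 -j REJECT --reject-with icmp-port-unreachable"
}

# Model of "iptables -I CHAIN 1 <rule>": the new rule becomes line 1.
chain_insert_top() {
    if [ -z "$1" ]; then printf '%s\n' "$2"; else printf '%s\n%s\n' "$2" "$1"; fi
}

# Model of "iptables -A CHAIN <rule>": the new rule becomes the last line.
chain_append() {
    if [ -z "$1" ]; then printf '%s\n' "$2"; else printf '%s\n%s\n' "$1" "$2"; fi
}

# 1-based position of the first line of chain $1 that exactly equals rule $2
# (0 when the rule is absent). -e lets the pattern start with a dash.
rule_position() {
    local pos
    pos=$(printf '%s\n' "$1" | grep -n -F -x -e "$2" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${pos:-0}"
}

# Legacy layout: libvirtd start and every later guest/network start insert at
# position 1 of FORWARD, so the admin rule slides down one slot per start.
legacy_admin_position() {
    local n=$1 i forward=""
    forward=$(chain_insert_top "$forward" "$(guest_rule 0)")   # libvirtd startup, default network
    forward=$(chain_insert_top "$forward" "$ADMIN_RULE")        # admin: iptables -I FORWARD 1 ...
    i=1
    while [ "$i" -le "$n" ]; do
        forward=$(chain_insert_top "$forward" "$(guest_rule "$i")")  # another network comes up
        i=$((i + 1))
    done
    rule_position "$forward" "$ADMIN_RULE"
}

# Proposed layout: FORWARD receives a single jump at libvirtd startup and is
# never touched again; per-guest rules go into libvirt_FORWARD, so an admin
# rule inserted ahead of the jump keeps position 1 however many guests start.
custom_chain_admin_position() {
    local n=$1 i forward="" lv_forward=""
    forward=$(chain_insert_top "$forward" "-j libvirt_FORWARD")    # libvirtd startup
    lv_forward=$(chain_append "$lv_forward" "$(guest_rule 0)")
    forward=$(chain_insert_top "$forward" "$ADMIN_RULE")           # admin: iptables -I FORWARD 1 ...
    i=1
    while [ "$i" -le "$n" ]; do
        lv_forward=$(chain_append "$lv_forward" "$(guest_rule "$i")")  # only the custom chain grows
        i=$((i + 1))
    done
    rule_position "$forward" "$ADMIN_RULE"
}

# iptables-restore style listing of the proposed layout with networks 0..$1,
# in the order a live system would show it: admin rule, then the one jump,
# then libvirt's per-network rules inside the custom chain.
render_custom_chain_ruleset() {
    local n=$1 i
    echo '*filter'
    echo ':libvirt_FORWARD - [0:0]'
    printf '%s %s\n' '-A FORWARD' "$ADMIN_RULE"
    echo '-A FORWARD -j libvirt_FORWARD'
    i=0
    while [ "$i" -le "$n" ]; do
        printf '%s %s\n' '-A libvirt_FORWARD' "$(guest_rule "$i")"
        i=$((i + 1))
    done
    echo 'COMMIT'
}

# Stand-alone demo: three extra networks started after the admin added the rule.
printf 'legacy layout: admin rule at FORWARD position %s\n' "$(legacy_admin_position 3)"
printf 'custom chain:  admin rule at FORWARD position %s\n' "$(custom_chain_admin_position 3)"
render_custom_chain_ruleset 1
```

The two position functions are the point: with the legacy layout the admin rule is at position 4 after three more networks start, with the custom chain it is still at position 1. The rendered listing shows why: the only libvirt-owned line in FORWARD is the jump, so anything placed ahead of it with `iptables -I FORWARD 1` stays ahead.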

Comment 2 Bug Zapper 2009-11-16 15:09:07 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Mark McLoughlin 2009-11-19 10:23:40 UTC
Makes sense, moving upstream - it's been like this for a long time now, so there's no particular point in tracking it as a Fedora bug

Comment 4 David Ayers 2012-03-06 05:59:10 UTC
I'm confused about the status of this issue.  Does "moving upstream" mean:
A) a separate bug was submitted in another bug tracker
B) a change in product/component with this remaining the primary bug

In case of A) could we have a URL to the bug?
In case of B) what is the status, has anyone worked on this?

Could the suggestion in comment 1 be implemented in existing installations via manual configuration and if so how should one go about it?

Comment 5 Ján Tomko 2015-03-17 16:58:56 UTC
*** Bug 972368 has been marked as a duplicate of this bug. ***

Comment 6 Cole Robinson 2016-03-20 22:50:52 UTC
AFAICT this is still relevant with latest libvirt. firewalld may help here, but not all distros use firewalld

Comment 7 Daniel Berrangé 2018-11-01 12:56:04 UTC
This series moves all libvirt rules into separate chains:

  https://www.redhat.com/archives/libvir-list/2018-November/msg00018.html

This makes it practical to install rules ahead of libvirt's rules in iptables default chains, without risk of libvirt constantly inserting more rules in front.

Comment 8 Cole Robinson 2019-07-17 21:14:36 UTC
That code landed upstream, so I guess this is fixed nowadays