Bug 530879 - Please add an option to disable generation of iptables rules
Summary: Please add an option to disable generation of iptables rules
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Veillard
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-10-25 19:38 UTC by Enrico Scholz
Modified: 2009-10-29 12:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-26 19:13:44 UTC
Type: ---
Embargoed:



Description Enrico Scholz 2009-10-25 19:38:44 UTC
Description of problem:

When using the 'nat' network type (which is the only choice provided by virt-manager), libvirt adds its own iptables rules.  These might be good for out-of-the-box installations but are unwanted in more complex setups, where they lower security (especially because they are inserted at the top of the default chains).


Please add a way to

a) disable generation of these rules completely, or

b) put them into their own chains (e.g. FORWARD-libvirt) and change the standard Fedora firewall rules so that they jump into these chains (which would be stubs at startup)

The current implementation won't survive a restart of the iptables configuration either.


Version-Release number of selected component (if applicable):

libvirt-0.6.2-18.fc11.x86_64
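
The ordering problem the report describes (libvirt's rules landing ahead of the admin's own rules in a default chain) can be checked from a saved `iptables -S FORWARD` listing. The script below is an added example, not code from this bug or from libvirt; it assumes the default network's bridge is named virbr0 and uses a constructed sample listing in place of a live capture.

```shell
#!/bin/sh
# Added example: audit whether libvirt's rules precede admin-managed rules
# in the FORWARD chain. Assumption: libvirt's default network bridge is
# virbr0 (not stated on the bug page). Input is a file holding the output of
# `iptables -S FORWARD`; here a constructed sample stands in for a capture.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
-P FORWARD DROP
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o eth1 -m state --state NEW -j admin-fwd
EOF

# Number of rules in the listing that reference the libvirt bridge.
count_libvirt_rules() {
    grep -c -- '^-A .*virbr0' "$1" || true
}

# Who owns the first rule of the chain: "libvirt", "admin", or "none".
first_rule_owner() {
    first=$(grep -- '^-A ' "$1" | head -n 1)
    case "$first" in
        *virbr0*) echo libvirt ;;
        "")       echo none ;;
        *)        echo admin ;;
    esac
}

# Exit 0 when libvirt's rules sit at the top of the chain while admin rules
# exist further down, i.e. the admin's policy is evaluated only after
# libvirt's verdicts (the situation the report objects to).
admin_rules_shadowed() {
    [ "$(first_rule_owner "$1")" = libvirt ] &&
    grep -- '^-A ' "$1" | grep -q -v virbr0
}

echo "libvirt rules in FORWARD: $(count_libvirt_rules "$SAMPLE")"
echo "first rule owned by: $(first_rule_owner "$SAMPLE")"
admin_rules_shadowed "$SAMPLE" && echo "admin rules are shadowed by libvirt rules"
```

On a live host, replace the sample with `iptables -S FORWARD > "$SAMPLE"` (as root) and re-run the same checks.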

Comment 1 Daniel Berrangé 2009-10-25 23:25:16 UTC
It is already possible to get rid of these by removing the associated network

 virsh net-destroy default
 virsh net-autostart --disable default

will get rid of them.

Comment 2 Enrico Scholz 2009-10-25 23:47:07 UTC
But this will break all domains which are using the 'default' network as the associated bridge, and dnsmasq won't be started.  It won't be possible to create new machines with 'virt-manager' because it cannot find a network anymore.

Comment 3 Daniel Berrangé 2009-10-26 19:13:44 UTC
You can't have it both ways. If you want to use the default network, then the iptables rules are required, otherwise it won't work. If you don't want the iptables rules then you can't use the default network.

If you restart / break the libvirt iptables rules, then 'service libvirt reload' will recreate them.

Comment 4 Ralf Ertzinger 2009-10-29 11:07:57 UTC
I agree that the rules may be necessary, but I do not agree that they have to be created by libvirtd. I have, on several systems, replaced libvirtd by a custom compiled package which does not touch my iptables rules, because I manage those myself, and the rules added by libvirtd seriously interfere with the rest of my setup.

Being able to tell libvirtd that the admin will handle iptables would thus be nice.

Comment 5 Daniel Berrangé 2009-10-29 11:13:30 UTC
As I've said many times, if you don't want the iptables rules added then you don't use the default network functionality provided by libvirt, set it up yourself. It is not viable to support libvirt's virtual network capability with custom iptables rules.

Comment 6 Ralf Ertzinger 2009-10-29 12:24:47 UTC
Except that virt-manager will not let me use my hand-defined bridges for virtual machines (unless I'm doing something wrong).
