Red Hat Bugzilla – Bug 530879
Please add an option to disable generation of iptables rules
Last modified: 2009-10-29 08:24:47 EDT
Description of problem:
When using the 'nat' network type (which is the only choice provided by virt-manager), libvirt adds its own iptables rules. These might be good for out-of-the-box installations but are unwanted in more complex setups, where they lower security (especially because they are inserted at the top of the default chains).
Please add a way to
a) disable generation of these rules completely, or
b) put them into their own chains (e.g. FORWARD-libvirt) and change the standard Fedora firewall rules so that they jump into these chains (which would be stubs at startup).
The current implementation won't survive a restart of the iptables configuration either.
Version-Release number of selected component (if applicable):
It is already possible to get rid of these by removing the associated network:
virsh net-destroy default
virsh net-autostart --disable default
will get rid of them.
But this will break all domains which are using the 'default' network as the associated bridge, and dnsmasq won't be started. It won't be possible to create new machines with 'virt-manager' because it cannot find a network any more.
You can't have it both ways. If you want to use the default network, then the iptables rules are required, otherwise it won't work. If you don't want the iptables rules then you can't use the default network.
If you restart / break the libvirt iptables rules, then 'service libvirt reload' will recreate them.
I agree that the rules may be necessary, but I do not agree that they have to be created by libvirtd. I have, on several systems, replaced libvirtd by a custom compiled package which does not touch my iptables rules, because I manage those myself, and the rules added by libvirtd seriously interfere with the rest of my setup.
Being able to tell libvirtd that the admin will handle iptables would thus be nice.
As I've said many times, if you don't want the iptables rules added then you don't use the default network functionality provided by libvirt; set it up yourself. It is not viable to support libvirt's virtual network capability with custom iptables rules.
Except that virt-manager will not let me use my hand defined bridges for virtual machines (unless I'm doing something wrong).
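The following script is an added illustration of proposal (b) from the report and of the reload problem raised in the description and in the 'service libvirt reload' reply; it is not libvirt's code and not something the bug's maintainer endorses. It renders an iptables-restore fragment that keeps the NAT-network rules in dedicated chains (FORWARD-libvirt and two sibling chains named here by analogy), so the built-in chains carry only a one-line jump stub, and it includes a check that tells an admin whether those stubs survived a firewall restart. The bridge name virbr0, the subnet 192.168.122.0/24 and the rule set itself are assumptions modelled on what a NAT network needs (DHCP and DNS in, forwarding, masquerade), not copied from the page or from libvirt.

```shell
#!/bin/sh
# Added example, not libvirt's code: sketch of proposal (b) from the bug report.
# Rules for a NAT network live in dedicated chains; the built-in chains only get
# a jump stub. A check reports whether the stubs are still present after the
# distribution firewall has been restarted. Bridge, subnet and chain names are
# placeholders; the rules are modelled on what a NAT network needs.

# Print an iptables-restore fragment for bridge $1 and guest subnet $2.
# Apply with: render_ruleset virbr0 192.168.122.0/24 | iptables-restore --noflush
render_ruleset() {
    br="$1"
    net="$2"
    cat <<EOF
*filter
:INPUT-libvirt - [0:0]
:FORWARD-libvirt - [0:0]
-A INPUT -j INPUT-libvirt
-A FORWARD -j FORWARD-libvirt
-A INPUT-libvirt -i $br -p udp --dport 53 -j ACCEPT
-A INPUT-libvirt -i $br -p udp --dport 67 -j ACCEPT
-A FORWARD-libvirt -d $net -o $br -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD-libvirt -s $net -i $br -j ACCEPT
-A FORWARD-libvirt -i $br -o $br -j ACCEPT
-A FORWARD-libvirt -o $br -j REJECT
-A FORWARD-libvirt -i $br -j REJECT
COMMIT
*nat
:POSTROUTING-libvirt - [0:0]
-A POSTROUTING -j POSTROUTING-libvirt
-A POSTROUTING-libvirt -s $net ! -d $net -j MASQUERADE
COMMIT
EOF
}

# Read iptables-save output on stdin and print the 1-based position of the first
# "-j $2" rule inside built-in chain $1, or 0 if that stub is missing.
stub_position() {
    awk -v chain="$1" -v target="$2" '
        $1 == "-A" && $2 == chain {
            n++
            if ($(NF-1) == "-j" && $NF == target) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# Audit a saved ruleset read from stdin: return 0 when every stub is present,
# 1 when a firewall reload has dropped one (the case the report describes).
audit_stubs() {
    saved=$(cat)
    status=0
    for pair in FORWARD:FORWARD-libvirt INPUT:INPUT-libvirt POSTROUTING:POSTROUTING-libvirt; do
        chain=${pair%%:*}
        target=${pair#*:}
        pos=$(printf '%s\n' "$saved" | stub_position "$chain" "$target")
        if [ "$pos" -eq 0 ]; then
            echo "MISSING: $chain -> $target (re-apply the fragment)"
            status=1
        else
            echo "ok: $chain -> $target at rule $pos"
        fi
    done
    return $status
}

# Constructed sample of what iptables-save shows after the distribution firewall
# was restarted and rebuilt its built-in chains without the jump stubs.
AFTER_RELOAD='*filter
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
COMMIT'

if [ "${1:-}" = "demo" ]; then
    render_ruleset virbr0 192.168.122.0/24 | audit_stubs        # every stub at rule 1
    printf '%s\n' "$AFTER_RELOAD" | audit_stubs || echo "stubs lost after reload"
fi
```

Run it as `sh script.sh demo` to see both outcomes. Because the fragment never touches the policy of the built-in chains and is applied with `--noflush`, an admin's own rules are left alone; the audit can be run from a firewall restart hook, and a non-zero exit means the fragment needs to be applied again.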