On Mon, 2008-08-04 at 14:28 -0700, David Lutterkort wrote:
> On Thu, 2008-07-31 at 09:55 +0100, Daniel P. Berrange wrote:
> > The libvirt default networking capability will automatically set up the
> > correct iptables rules to allow outbound NAT-based connectivity for guest
> > VMs. If this wasn't working there are two likely causes:
> >
> > - You ran 'service iptables stop', which blew away the rules libvirt
> > added
>
> This is a terrible situation; it will be a big surprise to many
> sysadmins and lead to lots of confusion

Agreed.

> - is this only temporary until iptables/lokkit has facilities for
> cleaner addition of persistent firewall rules ?

There's no huge technical issue here AFAICS. We just need a hook for
libvirt to persistently register its rules with iptables.

The main objection seems to be the old "how do you prevent different
sets of rules from conflicting" chestnut. I don't see that being a
serious issue in practice - there are all sorts of other global
namespaces that apps manage to share effectively.

Feel free to take a look at this; I lose motivation for fixing this
every time I go back and discuss it with the maintainer:

https://bugzilla.redhat.com/227011

The truly depressing aspect of all this is that any fix we come up with
would be Fedora specific anyway - e.g. /etc/sysconfig/iptables.d

Cheers,
Mark.

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list