Re: [libvirt] Don't add iptables rules when creating networks

Felix Schwarz <felix.schwarz@xxxxxxxxxxxxxx> · Sun, 20 Dec 2009 23:52:47 +0100

After some more hours of trying to fix libvirt's behavior, I decided to fix 
this issue by patching libvirt. Patch for 0.6.3 attached. If there's hope 
getting something like that into the git repository, I can port it to 0.7 easily.

fs
diff -r 59b72393b8ce src/network_conf.c

--- a/src/network_conf.c	Sun Dec 20 22:06:05 2009 +0100
+++ b/src/network_conf.c	Sun Dec 20 22:08:12 2009 +0100
@@ -415,6 +415,13 @@
             def->forwardType = VIR_NETWORK_FORWARD_NAT;
         }
 
+        tmp = virXPathString(conn, "string(./forward[1]/@adjustFirewall)", ctxt);
+        if (tmp) {
+            def->adjustFirewall = (STREQ(tmp, "off") ? 0 : 1);
+        } else {
+            def->adjustFirewall = 1;
+        }
+        VIR_FREE(tmp);
 
         def->forwardDev = virXPathString(conn, "string(./forward[1]/@dev)", ctxt);
     } else {
@@ -581,7 +588,9 @@
             } else {
                 virBufferAddLit(&buf, "  <forward");
             }
-            virBufferVSprintf(&buf, " mode='%s'/>\n", mode);
+            virBufferVSprintf(&buf, " mode='%s'", mode);
+            virBufferVSprintf(&buf, " adjustFirewall='%s'", def->adjustFirewall ? "on" : "off");
+            virBufferAddLit(&buf, "/>\n");
         }
     }
 
diff -r 59b72393b8ce src/network_conf.h
--- a/src/network_conf.h	Sun Dec 20 22:06:05 2009 +0100
+++ b/src/network_conf.h	Sun Dec 20 22:08:12 2009 +0100
@@ -68,6 +68,7 @@
 
     int forwardType;    /* One of virNetworkForwardType constants */
     char *forwardDev;   /* Destination device for forwarding */
+    int adjustFirewall : 1;   /* If libvirt should add/remove iptables rules */
 
     char *ipAddress;    /* Bridge IP address */
     char *netmask;
diff -r 59b72393b8ce src/network_driver.c
--- a/src/network_driver.c	Sun Dec 20 22:06:05 2009 +0100
+++ b/src/network_driver.c	Sun Dec 20 22:08:12 2009 +0100
@@ -664,6 +664,10 @@
                       struct network_driver *driver,
                       virNetworkObjPtr network) {
     int err;
+    
+    if (! network->def->adjustFirewall) {
+        return 1;
+    }    
 
     /* allow DHCP requests through to dnsmasq */
     if ((err = iptablesAddTcpInput(driver->iptables, network->def->bridge, 67))) {
@@ -758,6 +762,11 @@
 static void
 networkRemoveIptablesRules(struct network_driver *driver,
                          virNetworkObjPtr network) {
+    
+    if (! network->def->adjustFirewall) {
+        return;
+    }
+    
     if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
         iptablesRemoveForwardMasquerade(driver->iptables,
                                         network->def->network,
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



