Hi Laine and Whit,
Thank you for the information. I will look into hooks -- this looks
like the right choice.
Best,
Irek
On 28.04.2011 18:15, Laine Stump wrote:
On 04/28/2011 10:56 AM, Whit Blauvelt wrote:
On Thu, Apr 28, 2011 at 10:41:11AM -0400, Laine Stump wrote:
On 04/28/2011 09:15 AM, Ireneusz Szcześniak wrote:
I would like to reach the VM on a specific port of the host
machine. Once the machines are running, I can configure iptables
so that the port forwarding works, but after host reboots, other
rules are inserted (put in front of my rules), which disable my
rules. I guess these rules are put by libvirt, and so I'm writing
to this list.
Yes, these rules are put in by libvirt.
The iptables rules added by libvirt for virtual networks are
intended to fulfill the needs of 95% of users, but are not
configurable. To do what you want, you'll either need to construct
your own bridge (rather than relying on libvirt) and do all the
iptables and routing config outside of libvirt, or you may be able
to use libvirt execution hooks to add the rules at the appropriate
time. See: http://www.libvirt.org/hooks.html for details on libvirt
hook scripts.
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
If all you need to do is change that one rule to
"NEW,RELATED,ESTABLISHED", iptables has an option to replace a rule.
This would have the side effect of generating a warning log the next
time libvirt brought down the network, and would also leave around the
old rule (libvirt removes its rules when the network is stopped by
describing exactly the rule it created; if that exact rule doesn't exist
when the network is being stopped, it will give a warning, and also not
remove this "similar but different" rule).
Sorry, I don't have the syntax at my fingertips, but it should be simple
enough to modify the rule on system startup after libvirt has built the
initial ruleset, perhaps in rc.local.
That would be overridden any time libvirtd was restarted, or the virtual
network in question was stopped/restarted. That's why I suggested
looking into libvirt's hooks - with the proper hook, the extra iptables
commands could happen exactly when needed (I haven't checked to see if
"the proper hook" exists, but if not then "patches welcome" :-)
Whit
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
--
Ireneusz (Irek) Szczesniak
http://www.irkos.org
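As an added example to go with Laine's hook suggestion (this is not code from the thread, from libvirt, or from its documentation): a qemu hook script in the shape libvirt's hooks page describes, which inserts the port-forwarding rules when one guest starts and withdraws them when it stops. The guest name, guest address and port numbers are constructed for the example, the install path /etc/libvirt/hooks/qemu and the "started"/"stopped" operations follow the hooks page, and the "reconnect" operation (libvirtd re-attaching to a running guest after a daemon restart) is assumed to exist in the libvirt version in use.

```shell
#!/bin/sh
# Added example (not from the thread or from libvirt): a libvirt qemu hook
# script that sets up a port forward to one guest.  Install as
# /etc/libvirt/hooks/qemu, make it executable and restart libvirtd; it is
# then invoked as
#     /etc/libvirt/hooks/qemu <guest name> <operation> <sub-operation> <extra>
# with the guest XML on stdin (ignored here).
#
# Constructed values: guest "webvm" has the static address 192.168.122.10
# on the default libvirt network; host TCP port 8080 should reach guest port 80.
GUEST="webvm"
GUEST_IP="192.168.122.10"
HOST_PORT="8080"
GUEST_PORT="80"
IPTABLES="${IPTABLES:-iptables}"   # IPTABLES=echo prints the commands instead of applying them

# Run one rule change.  $1 is "insert" or "delete", $2 the table, $3 the
# chain; the remaining arguments are the match/target spec.  The same spec
# text is used for insert and delete, so the delete always matches exactly
# what was inserted (the same exact-match rule libvirt itself relies on).
run_rule() {
    mode="$1"; table="$2"; chain="$3"; shift 3
    case "$mode" in
        insert) "$IPTABLES" -t "$table" -I "$chain" 1 "$@" ;;  # position 1: ahead of libvirt's rules
        delete) "$IPTABLES" -t "$table" -D "$chain" "$@" ;;
        *) echo "run_rule: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# The two rules the forward needs: a DNAT in nat/PREROUTING, and a FORWARD
# accept that sits in front of libvirt's "state RELATED,ESTABLISHED" rule so
# that NEW connections to the guest are not rejected further down the chain.
forward_rules() {
    run_rule "$1" nat PREROUTING -p tcp --dport "$HOST_PORT" \
        -j DNAT --to-destination "$GUEST_IP:$GUEST_PORT"
    run_rule "$1" filter FORWARD -d "$GUEST_IP" -p tcp --dport "$GUEST_PORT" \
        -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
}

# Map a hook invocation (guest name, operation) to what this script should do:
# "insert", "delete", "reinsert" (after a libvirtd restart) or "" (ignore).
# Only the configured guest is handled; other guests are left alone.
hook_action() {
    name="$1"; op="$2"
    [ "$name" = "$GUEST" ] || return 0
    case "$op" in
        started)   printf 'insert' ;;
        stopped)   printf 'delete' ;;
        reconnect) printf 'reinsert' ;;   # assumed operation name, see lead-in
        *)         printf '' ;;
    esac
}

apply_hook() {
    case "$(hook_action "$1" "$2")" in
        insert)   forward_rules insert ;;
        delete)   forward_rules delete ;;
        reinsert) forward_rules delete 2>/dev/null || true   # tolerate rules already gone
                  forward_rules insert ;;
    esac
}

# Entry point when libvirtd runs the script; the guard keeps the functions
# loadable for testing without touching the firewall.  Always exit 0 so a
# firewall hiccup never aborts the guest operation itself.
if [ "$#" -ge 2 ]; then
    apply_hook "$1" "$2"
    exit 0
fi
```

Check the result with `iptables -t nat -L PREROUTING -n --line-numbers` and `iptables -L FORWARD -n --line-numbers`: the two rules should sit at position 1 of their chains, above the libvirt-generated ones. A restart of the virtual network alone (with the guest left running) still re-inserts libvirt's rules ahead of these, and a qemu hook is not told about that; if the libvirt in use offers a network hook, the same `forward_rules` logic belongs there as well.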