On 03/25/2013 05:12 PM, Benoit Friry wrote: > On 03/25/2013 16:21, Eric Blake wrote: >> On 03/25/2013 03:09 AM, Benoit Friry wrote: >>> Examples: - editing interfaces with virsh or virt-manager >>> modifies my /etc/network/interfaces. It's not clear at first >>> glance that I can even cut myself from the host when editing >>> remotely. The initial file is not even saved. >> The initial file _is_ saved if you properly use the 'virsh >> iface-begin' command before making any changes, then 'virsh >> iface-commit' if you are happy with the changes. 'virsh >> iface-rollback' will revert you to a previous saved state, and >> since we know that an improper change can cut off connectivity, we >> also set things up so that a host reboot will do an implicit 'virsh >> iface-rollback' on any uncommitted changes. > I did not understood the purpose of this commands. Unfortunately, they > are not available in virt-manager. virsh iface-begin saves the current state of config for all network interfaces so that we can restore it if the new config fails virsh iface-commit marks the new state of config as "okay" and removes the backup config that had been saved. virsh iface-rollback restores the original config that was saved with virsh iface-begin (this also automatically happens if you reboot the host after calling virsh iface-begin but without calling virsh iface-commit) virt-manager is "behind" libvirt in many areas, this is just one; there has been a lack of people doing active development on virt-manager for a year or so now; hopefully that will be changing soon :-) > >>> - starting default network (nat) adds rules in netfilter. I have >>> not seen how to create another network nat conf without calling >>> clean-traffic nwfilter (it is not explicit in network XML file). nwfilter rules are applied to individual *guest interfaces* by adding a <filterref> element to the guest's <interface> element. They are completely unrelated to the netfilter rules added when a libvirt network is started. The rules added for a libvirt virtual network change depending on the setting of "<forward mode='xxx'>" in the network config 1) for <forward mode='route'> a set of rules allowing all traffic in both directions is added 2) for <forward mode='nat'> rules are added to allow outbound traffic from the guests to any destination, prevent inbound traffic from anywhere except a) the host and b) other guests attached to the same network, AND to mangle the source address of packets outbound to places beyond the host (so that they appear to be coming from the host itself). 3) if there is *no* <forward> (aka an "isolated" network), rules are added to allow traffic only between guests on the same network and the host, but block all other traffic. The rules for each of these cases is hardcoded (and also very simplistic) and can't be configured in any more finely grained manner. >>> Is it hardcoded ? >> What distro are you using? The clean-traffic nwfilter is not >> installed by default on Fedora, so I'm wondering if you are hitting >> a distro-specific add-on, or something that is added by a higher >> layer of the virt stack than just libvirt. Libvirt's own NAT >> netfilter rules are required for out-of-the-box NAT to a guest, but >> no one says you are forced to use NAT; you can design your own >> bridge and take over the netfilter rules yourself if you don't want >> libvirt messing with iptables. > Debian wheezy, libvirt 0.9.12. > > Debian patches are listed on > http://patch-tracker.debian.org/package/libvirt/0.9.12-11 > > I do not see anything modifying that part. I can be wrong. > >>> I think it would be nice: - to be alerted before any host >>> modification, >> What did you have in mind? Patches are welcome if you can come up >> with a proposal. > For a beginning, I think it may be valuable to list such behavior in > the README. > > http://libvirt.org/git/?p=libvirt.git;a=blob_plain;f=README;hb=HEAD > > On Debian, and maybe in upstream, clean-traffic nwfilter is activated > for every nat network... But without being listed in the network XML > configuration. That is not true. No nwfilter rule is added for *any* "network" ever. They are added for individual guests, and only when the guest's XML specifically says to do that. My guess is that you're mistaking some of the rules added for NAT as originating from the clean-traffic filter. Can you paste the relevant parts of the output of "iptables -S" and indicate which you believe to be coming from nwfilter? > >>> - to be able to change the templates, for instance: - not >>> including any nwfilter when creating a network, - script called >>> when adding a file in a dir pool, - and so on. > Another example: what if I want to use BIND9 instead of dnsmasq? BIND9 > has a dns64 capability, dnsmasq has not. > > dnsmasq, radvd, brctl are hardcoded. Don't you think it would be > better to call a helper script, that can be tweaked by admins? No. That would be a nightmare to support; we specifically avoid doing something that free-form. If you would like a network driver that uses different utilities in place of dnsmasq and radvd, the proper way to do that is with a different network driver to be built in place of src/network/bridge_driver.c. But before you go to that trouble, are you certain that dnsmasq still doesn't have what you need? Recent versions of libvirt (since 1.0.1) have support for many new IPv6 features of dnsmasq 2.66+, including DHCP6, and I think dnsmasq has had support for IPv6 DNS resolution for quite a long time. (I couldn't figure out from a quick google search whether or not dnsmasq directly supports DNS64, or if that may be unnecessary if the dns server upstream from dnsmasq has DNS64 support.) (BTW, radvd has been replaced in newer libvirt versions by similar functionality in newer versions of dnsmasq, where available, and I'm pretty sure we've eliminated all use of brctl in favor of directly using iotctl() some time ago as well.) _______________________________________________ libvirt-users mailing list libvirt-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvirt-users