On 01/08/2014 01:43 PM, ZeroUno wrote:
> Hi,
> I'm using libvirt to manage some VMs on a CentOS host, and I need some
> custom iptables rules to always be in place for some communications to
> happen, e.g. between the VMs and the outside world in both directions.
>
> Some of these rules need to be at the top of the iptables chain,
> otherwise the default rules added by libvirt would block the
> communications I need.
> So I cannot just add the rules in /etc/sysconfig/iptables, because
> libvirt adds its own rules _before_ the rules contained in this config
> file.
>
> I was looking at filters, but maybe not every rule can be made into a
> filter?
> Specifically, I need a rule for the POSTROUTING chain in the "nat"
> table. Can it be added through filters?

Correct. nwfilter can't add rules to the nat table.

>
> Also, regarding the "iptables restart problem" described in the last
> paragraph at <http://libvirt.org/firewall.html>, is there really no
> acceptable way to make libvirt add its rules back automatically upon
> iptables/network restart?

Take a look at this, it may help you:

http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

(Recently libvirt gained the ability for an application to register
functions that will be called when a network is
defined/undefined/started/stopped, but using that would require an
application to be running which registered the necessary callback
functions; not nearly as simple as stuffing a shell script into
/etc/libvirt/hooks (should we do that? Or are the shell script hooks
considered passé with the advent of event callbacks?))

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
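A hook script of the kind the reply points at, written here as an added example; it is not code from the original post, from the linked wiki page, or from the libvirt project. libvirt runs /etc/libvirt/hooks/qemu for every guest as `qemu <guest> <operation> <sub-operation> <extra>`, so the script checks the guest name and, on `start` (and `reconnect`, which fires when libvirtd reconnects to a running guest), inserts its rules at position 1 of each chain so they land above the rules libvirt itself adds, then deletes them on `stopped`. It covers the nat/POSTROUTING case nwfilter cannot express (a per-guest SNAT that must precede libvirt's MASQUERADE rule) plus the matching DNAT and FORWARD rules for the reverse direction. The guest name `webvm`, the addresses 192.168.122.10 and 203.0.113.5, and the interface names `eth0` and `virbr0` are assumptions for the example; `iptables -C` is used so re-running the hook never duplicates a rule.

```shell
#!/bin/bash
# Added example of a libvirt QEMU hook (/etc/libvirt/hooks/qemu); not code
# from the mailing-list post, the libvirt wiki, or the libvirt project.
# libvirt invokes it for every guest as:
#   qemu <guest name> <operation> <sub-operation> <extra>
# Rules are inserted with "-I <chain> 1" so they sit above libvirt's own
# rules and are removed again when the guest stops. Guest name, addresses
# and interface names are assumptions for the example.
set -e   # a failing iptables call exits nonzero; on "start" libvirt then
         # refuses to start the guest instead of running it with rules missing

GUEST_NAME="${GUEST_NAME:-webvm}"          # hypothetical guest
GUEST_IP="${GUEST_IP:-192.168.122.10}"     # its address on the libvirt bridge
PUBLIC_IP="${PUBLIC_IP:-203.0.113.5}"      # dedicated public address for it
EXT_IF="${EXT_IF:-eth0}"                   # host's outward-facing interface
BRIDGE="${BRIDGE:-virbr0}"                 # libvirt's default network bridge
IPTABLES="${IPTABLES:-iptables}"           # no path, so a test can shadow it

# Calls "$1" once per rule with: <table> <chain> <rule spec...>
for_each_rule() {
    # nat/POSTROUTING cannot be expressed with nwfilter, hence the hook;
    # inserted above libvirt's MASQUERADE rule this SNAT wins for the guest.
    "$1" nat    POSTROUTING -s "$GUEST_IP" -o "$EXT_IF" -j SNAT --to-source "$PUBLIC_IP"
    "$1" nat    PREROUTING  -d "$PUBLIC_IP" -i "$EXT_IF" -j DNAT --to-destination "$GUEST_IP"
    # libvirt's FORWARD rules reject unsolicited traffic to the bridge,
    # so both directions have to be accepted above them.
    "$1" filter FORWARD -d "$GUEST_IP" -o "$BRIDGE" -j ACCEPT
    "$1" filter FORWARD -s "$GUEST_IP" -i "$BRIDGE" -j ACCEPT
}

# "iptables -C" exits 0 when an identical rule already exists; checking
# first keeps the hook idempotent across "reconnect" (libvirtd restart).
rule_present() {  # <table> <chain> <spec...>
    local table=$1 chain=$2; shift 2
    "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null
}

add_rule() {      # <table> <chain> <spec...>
    local table=$1 chain=$2; shift 2
    rule_present "$table" "$chain" "$@" ||
        "$IPTABLES" -t "$table" -I "$chain" 1 "$@"
}

del_rule() {      # <table> <chain> <spec...>
    local table=$1 chain=$2; shift 2
    if rule_present "$table" "$chain" "$@"; then
        "$IPTABLES" -t "$table" -D "$chain" "$@"
    fi
}

# $1 = guest name, $2 = operation (prepare/start/started/stopped/release/...)
hook_main() {
    [ "$1" = "$GUEST_NAME" ] || return 0   # other guests: do nothing, exit 0
    case "$2" in
        start|reconnect) for_each_rule add_rule ;;
        stopped)         for_each_rule del_rule ;;
    esac
}

hook_main "$@"
```

Install it as /etc/libvirt/hooks/qemu, make it executable, and restart libvirtd so the new hook is picked up. Note what this does and does not solve: it gives the poster a nat rule that libvirt maintains per guest and keeps ahead of libvirt's own rules, but it only runs on guest lifecycle events, so a restart of the iptables service that flushes the tables still removes these rules along with libvirt's; that is the separate "iptables restart problem" the reply's link is about.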