Michal Privoznik <mprivozn@xxxxxxxxxx> wrote:
> On 10/18/2018 10:14 AM, Daniel P. Berrangé wrote:
> > On Wed, Oct 17, 2018 at 05:57:11PM +0200, Roman Vesely wrote:
> >> Hi everyone,
> >>
> >> I use Debian 9.5 Stretch and NFTABLES as a firewall.
> >> Using NFTABLES together with IPTABLES is not recommended,
> >> but libvirt depends on IPTABLES.
> >>
> >> Is it safe to run libvirt + kvm + virsh without IPTABLES?
> >>
> >> By the doc https://libvirt.org/firewall.html,
> >> IPTABLES are used for setting up filtering which I do not need.
> >
> > Currently it is *NOT* ok.
>
> Pardon me if I misread the question but I think Roman is actually
> asking if he turns off iptables in libvirt.

Thank you Michal, you said it exactly.
I only use nftables. I need to remove iptables and set libvirt to work without them.

> Well, that would work but
> all the forwarding rules, rules that prevent one domain from seeing
> traffic of the other, etc - you would have to do them yourself. Or
> trust your guests.

Yes, I understand and I will create rules manually with NFTABLES.
And I also manage all kvm guests.

I've found some tips on how to "turn off" iptables in libvirt:

    virsh net-destroy default
    virsh net-autostart --disable default

Is this the right and safe way to remove all dependency on iptables?

Thank you,
Roman