[Pkg-libvirt-maintainers] Bug#636712: Bug#636712: libvirt-bin: cannot create rule since iptables tool is missing with custom nwfilters

Luca Capello luca at pca.it
Tue Aug 9 15:45:09 UTC 2011


clone 636712 -1
retitle -1 libvirt-bin: please provide README.ifupdown for network integration
severity -1 wishlist
thanks

Hi there!

On Tue, 09 Aug 2011 00:47:28 +0200, Guido Günther wrote:
> On Fri, Aug 05, 2011 at 05:05:23PM +0200, Luca Capello wrote:
>> I would like to add network filters [1] to accept various kinds of
>> incoming traffic (e.g. HTTP) and thus I read the documentation at:
>> 
>>   <http://libvirt.org/formatnwfilter.html>
>> 
>> [1] despite myself not being a firewall guru, I fail to understand why
>>     we need yet another format to define filters instead of using the
>>     iptables syntax by default or adding something like the ifupdown's
>>     options (in this case post-up and pre-down)...
>
> Getting the variable replacements and priorities implemented is easier
> with XML.

With which I fully agree, I just do not see the point in having multiple
formats in general (thus not specific to Debian or libvirt): this is the
third I know of, after barebone iptables/ifupdown and OpenWrt's UCI [a].

[a] <http://wiki.openwrt.org/doc/uci>

> I agree that having this better integrated into ifupdown would be nice
> though.

I cloned the bug, please follow up on the new one given that I am
working on it :-)

The major problem IMHO is to identify both the network interface and the
IP, given that with the default configuration all virtual interfaces
belong to the same bridge.  In case we would also want the MAC address,
`man interfaces` contains the following hint:

	See the get-mac-address.sh script in the examples directory
	for an example of such a mapping script. See also Debian
	bug #101728.

Once this information is available, the /e/n/i stanza should be the
following (if I have correctly read `man interfaces`):

  allow-hotplug vnet0
  iface vnet0 inet manual
        post-up /path/to/your/script.sh up
        pre-down /path/to/your/script.sh down

Leave me some more tests and I should come up with a polished and tested
README.ifupdown ;-)

Thx, bye,
Gismo / Luca
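As an added example (not part of the bug report and not libvirt's or ifupdown's own code), a hook script that the post-up/pre-down lines of the stanza above could call. It assumes a hypothetical service port (HTTP, as in the report), that bridged frames are passed through iptables (br_netfilter's bridge-nf-call-iptables sysctl enabled), and uses the physdev match so the rule is pinned to the one tap interface even though every guest shares the same bridge; ifupdown exports the interface name as IFACE to the hook.

```shell
#!/bin/sh
# /path/to/your/script.sh up|down  (constructed example, not from the report)
# Adds/removes an iptables FORWARD rule that lets TCP traffic to one guest
# port reach the tap interface ifupdown is bringing up or taking down.
set -eu

GUEST_PORT="${GUEST_PORT:-80}"      # assumed: the guest service to expose
IPTABLES="${IPTABLES:-iptables}"    # set to 'echo' for a dry run

# Build the iptables arguments for one rule. --physdev-out selects the tap
# interface on the bridge; --physdev-is-bridged restricts this to frames
# that are actually being bridged (assumes bridge-nf-call-iptables=1).
rule_args() {
    action="$1"   # -I (insert) or -D (delete)
    iface="$2"
    port="$3"
    printf '%s FORWARD -m physdev --physdev-is-bridged --physdev-out %s -p tcp --dport %s -j ACCEPT' \
        "$action" "$iface" "$port"
}

# Map the stanza's up/down argument to an iptables action; fail on anything else.
action_for() {
    case "$1" in
        up)   echo "-I" ;;
        down) echo "-D" ;;
        *)    return 1 ;;
    esac
}

# Apply (or remove) the rule for one interface and port.
apply_rule() {
    mode="$1"; iface="$2"; port="$3"
    action="$(action_for "$mode")" || { echo "usage: $0 up|down" >&2; return 2; }
    # Unquoted on purpose: rule_args emits space-separated tokens without spaces inside them.
    # shellcheck disable=SC2046
    "$IPTABLES" $(rule_args "$action" "$iface" "$port")
}

# Only act when called with an argument, so sourcing the file has no side effects.
if [ "$#" -ge 1 ]; then
    apply_rule "$1" "${IFACE:-vnet0}" "$GUEST_PORT"
fi
```

Because the rule is keyed on the tap name, a second guest on the same bridge needs its own stanza (or a mapping script, as the man page hint above suggests) rather than a shared rule.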
