[Pkg-libvirt-maintainers] Bug#637219: Bug#636712: Bug#636712: libvirt-bin: cannot create rule since iptables tool is missing with custom nwfilters

Luca Capello luca at pca.it
Mon Apr 23 13:48:52 UTC 2012


notfixed 637219 0.9.4-1
found 637219 0.9.11-2
tags 637219 + patch
thanks

Hi Guido!

On Tue, 09 Aug 2011 19:01:02 +0200, Guido Günther wrote:
> On Tue, Aug 09, 2011 at 05:45:09PM +0200, Luca Capello wrote:
>> Once this information is available, the /e/n/i stanza should be the
>> following (if I have correctly read `man interfaces`):
>> 
>>   allow-hotplug vnet0
>>   iface vnet0 inet manual
>>         post-up /path/to/your/script.sh up
>>         pre-down /path/to/your/script.sh down
>> 
>> Leave me some more tests and I should come up with a polished and tested
>> README.ifupdown ;-)
> I'd be happy to add that but wouldn't it be nicer to use libvirt's
> matching capabilities?

I finally came back to this issue.  I should say that after a second
thought the problem is not actually the one I described at the beginning
(i.e. add network filters to accept various kinds of incoming traffic),
but how to allow port forwarding from the host to the guest.

Reading through libvirt's resources this is not possible with
network filters and the default NAT virtual network, but one should use
hooks instead:

  <http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections>
  <http://www.libvirt.org/hooks.html>

  <https://www.redhat.com/archives/libvirt-users/2011-April/msg00114.html>
  <https://www.redhat.com/archives/libvir-list/2010-February/msg00243.html>

I can understand why this kind of configuration should not be specified
in the guest XML: simply importing this file into another libvirtd
instance would modify the host's iptables setup, which is wrong.
However, I still fail to understand the full logic behind this: there is
already a way to do such configuration, via the hook script, so why not
integrate this into the nwfilter and let it use libvirt's matching
capabilities (as you suggested)?  Especially because restarting libvirtd
causes the iptables rules for the default NAT virtual network to be
inserted *before* any other rule:

  <https://bugzilla.redhat.com/show_bug.cgi?id=433484>

Never mind, attached is a patch against the Git repository.  Please note
that I did not publicize the fact that the hook scripts can be used for
whatever command you would like to execute ;-)

Thx, bye,
Gismo / Luca

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-debian-hook-qemu-port-forwarding-637219-new-file.patch
Type: text/x-diff
Size: 4555 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-libvirt-maintainers/attachments/20120423/9f9aada8/attachment.patch>
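As an added example (not the patch attached to this mail, and not libvirt's or Debian's own code), a minimal /etc/libvirt/hooks/qemu script of the kind the linked wiki page describes: it inserts the DNAT and FORWARD rules when the guest starts, removes them when it stops, and re-inserts them on the reconnect event so they again sit in front of the rules libvirtd puts at the top of the chains on restart. The guest name, address and ports are assumptions; setting IPTABLES=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the attached patch: a libvirt qemu hook that forwards
# one host port to one guest on the default NAT network.  libvirtd calls
# it as:  /etc/libvirt/hooks/qemu <guest> <operation> <sub-operation> -
set -eu

GUEST="web01"                # assumed guest name
GUEST_IP="192.168.122.10"    # assumed guest address on the default virbr0 net
HOST_PORT="8080"             # port exposed on the host
GUEST_PORT="80"              # port the guest listens on
IPT="${IPTABLES:-iptables}"  # IPTABLES=echo prints the rules instead

# Emit the two rules for an action: -I (insert at the top) or -D (delete).
# The FORWARD accept has to precede the REJECT rules libvirt installs for
# the default network, hence position 1 on insert; -D takes no position.
port_forward_rules() {
    action="$1"
    pos=""
    if [ "$action" = "-I" ]; then pos="1"; fi
    # $pos is deliberately unquoted: empty means "no position argument"
    "$IPT" -t nat "$action" PREROUTING $pos -p tcp --dport "$HOST_PORT" \
        -j DNAT --to-destination "$GUEST_IP:$GUEST_PORT"
    "$IPT" "$action" FORWARD $pos -d "$GUEST_IP" -p tcp --dport "$GUEST_PORT" \
        -j ACCEPT
}

# Drop any stale copy first so repeated start/reconnect events do not stack
# duplicate rules, then insert fresh ones at the top of both chains.
ensure_rules() {
    port_forward_rules -D 2>/dev/null || true
    port_forward_rules -I
}

hook_main() {
    guest="$1"
    op="$2"
    subop="$3"
    [ "$guest" = "$GUEST" ] || return 0   # other guests: nothing to do
    case "$op/$subop" in
        start/begin)     ensure_rules ;;
        reconnect/begin) ensure_rules ;;  # libvirtd restarted, rules re-ordered
        stopped/end)     port_forward_rules -D ;;
        *) ;;
    esac
}

if [ "$#" -ge 3 ]; then
    hook_main "$@"
fi
```

The hook file must be executable and libvirtd restarted before it is picked up; the DNAT in PREROUTING only covers connections arriving from other hosts, not ones made on the host itself.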