Hi there,

When creating a VM with a persistent virtual network, libvirt creates an XML file with firewall definitions and stores it in /etc/libvirt/<hypervisor>/networks/. The XML file is (to my knowledge) incompatible with iptables-restore. Therefore you can't manage your firewall with other iptables (GUI) tools unless libvirt lets you a) import extra rules, b) has an option to export the XML rules into iptables-save format or c) something else. If a), b) or c) is possible then this discussion is of course useless and I would be pleased to know how it's done :)

If not, then let's get the discussion started.
IMHO, saving rules into XML instead of using iptables-save is absurd since you'll have to code stuff which is already coded. Also you'll make it incompatible with the tools which are readily available. Why go for this approach and what do we get from it?

Best regards,

-Hansa
On 12/12/2011 14:20, Hansa wrote:
> Hi there,
>
> When creating a VM with a persistent virtual network, libvirt creates
> an XML file with firewall definitions and stores it in
> /etc/libvirt/<hypervisor>/networks/. The XML file is (to my knowledge)
> incompatible with iptables-restore. Therefore you can't manage your
> firewall with other iptables (GUI) tools unless libvirt lets you a)
> import extra rules, b) has an option to export the XML rules into
> iptables-save format or c) something else. If a), b) or c) is possible
> then this discussion is of course useless and I would be pleased to
> know how it's done :)
>
> If not, then let's get the discussion started.
> IMHO, saving rules into XML instead of using iptables-save is absurd
> since you'll have to code stuff which is already coded. Also you'll
> make it incompatible with the tools which are readily available. Why go
> for this approach and what do we get from it?
>
> Best regards,
>
> -Hansa

Bump... Why does libvirt use XML firewall rules?
Daniel P. Berrange
2011-Dec-14 09:22 UTC
[libvirt-users] Why does libvirt use XML firewall rules?
On Mon, Dec 12, 2011 at 02:19:38PM +0100, Hansa wrote:
> Hi there,
>
> When creating a VM with a persistent virtual network, libvirt creates an XML
> file with firewall definitions and stores it in
> /etc/libvirt/<hypervisor>/networks/. The XML file is (to my knowledge)
> incompatible with iptables-restore. Therefore you can't manage your firewall
> with other iptables (GUI) tools unless libvirt lets you a) import extra
> rules, b) has an option to export the XML rules into iptables-save format or
> c) something else. If a), b) or c) is possible then this discussion is of
> course useless and I would be pleased to know how it's done :)
>
> If not, then let's get the discussion started.
>
> IMHO, saving rules into XML instead of using iptables-save is absurd since
> you'll have to code stuff which is already coded. Also you'll make it
> incompatible with the tools which are readily available. Why go for this
> approach and what do we get from it?

The core goal of libvirt is to provide data formats which are independent of any particular implementation, so that they are portable across all hypervisors / OS / releases. If we used the iptables CLI as a data format, this would not be portable to Windows, BSD, OS-X. It would not even be portable to future Linux which may use the firewalld daemon over DBus instead of direct iptables rule manipulation.

Furthermore the Fedora iptables-save/restore impl as it stands is really an unfixably broken design since it is designed around the idea of a statically configured firewall. Back in the real world, firewalls need to really dynamically change as services change on the host. This is why Fedora is aiming to kill it off by creating firewalld.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
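The point in Daniel's reply is that the XML under /etc/libvirt/<hypervisor>/networks/ is not a firewall ruleset at all but a description of the network (bridge, subnet, forwarding mode, DHCP), from which libvirt's iptables backend derives rules when the network is started. The script below is an added example, not libvirt's own code, that performs the same kind of derivation for the "nat" and isolated cases and prints the result in iptables-save syntax, which is roughly the export Hansa asks for under b). The rule set it emits approximates the classic libvirt NAT rules for a network with dnsmasq on the bridge and is an assumption about that era's backend, not a copy of it; the exact rules differ between libvirt versions. The network XML and the iptables-save capture are both constructed samples, and `missing_from_live` is a helper introduced here to diff the implied rules against a real `iptables-save` dump.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the "default" NAT network libvirt ships.
SAMPLE_NETWORK_XML = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>"""

# Constructed iptables-save capture: the filter rules are present but the
# nat table is empty, as after another tool restored its own static ruleset.
CONSTRUCTED_LIVE_SAVE = """# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
"""


def parse_network(xml_text):
    """Pull the parts of a libvirt <network> definition that drive firewall rules."""
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        raise ValueError("not a libvirt <network> document")
    bridge, ip, fwd = root.find("bridge"), root.find("ip"), root.find("forward")
    if bridge is None or ip is None:
        raise ValueError("this example needs <bridge> and <ip>")
    # ipaddress accepts a dotted netmask after the slash
    iface = ipaddress.ip_interface(f"{ip.get('address')}/{ip.get('netmask')}")
    return {
        "name": root.findtext("name"),
        "bridge": bridge.get("name"),
        "subnet": str(iface.network),
        # <forward/> with no mode means NAT; no <forward> at all means isolated
        "mode": fwd.get("mode", "nat") if fwd is not None else "isolated",
        "dhcp": ip.find("dhcp") is not None,
    }


def render_iptables_save(net):
    """Rules implied by the definition, in iptables-save syntax (approximation;
    assumption: classic libvirt NAT layout, dnsmasq bound to the bridge)."""
    br, subnet = net["bridge"], net["subnet"]
    filt = []
    if net["dhcp"]:  # let dnsmasq on the bridge answer DHCP from guests
        filt += [f"-A INPUT -i {br} -p udp -m udp --dport 67 -j ACCEPT",
                 f"-A INPUT -i {br} -p tcp -m tcp --dport 67 -j ACCEPT"]
    filt += [f"-A INPUT -i {br} -p udp -m udp --dport 53 -j ACCEPT",  # DNS
             f"-A INPUT -i {br} -p tcp -m tcp --dport 53 -j ACCEPT"]
    if net["mode"] == "nat":  # guests may initiate to the outside, replies back
        filt += [f"-A FORWARD -d {subnet} -o {br} -m conntrack "
                 f"--ctstate RELATED,ESTABLISHED -j ACCEPT",
                 f"-A FORWARD -s {subnet} -i {br} -j ACCEPT"]
    filt += [f"-A FORWARD -i {br} -o {br} -j ACCEPT",  # guest to guest
             f"-A FORWARD -o {br} -j REJECT --reject-with icmp-port-unreachable",
             f"-A FORWARD -i {br} -j REJECT --reject-with icmp-port-unreachable"]
    lines = ["*filter", *filt, "COMMIT"]
    if net["mode"] == "nat":
        lines += ["*nat",
                  f"-A POSTROUTING -s {subnet} ! -d {subnet} -j MASQUERADE",
                  "COMMIT"]
    return lines


def missing_from_live(rendered, live_save_text):
    """Implied rules absent from an iptables-save capture (exact-text match)."""
    live = {line.strip() for line in live_save_text.splitlines()}
    return [r for r in rendered if r.startswith("-A ") and r not in live]


if __name__ == "__main__":
    rules = render_iptables_save(parse_network(SAMPLE_NETWORK_XML))
    print("\n".join(rules))
    for rule in missing_from_live(rules, CONSTRUCTED_LIVE_SAVE):
        print("not in live ruleset:", rule)
```

The live ruleset, not the XML, is the thing to check: run `iptables-save` on the host and diff it against what the definition implies. The diff also shows the hazard of mixing tools that the thread is about: if another iptables front end runs iptables-restore with its own static ruleset, libvirt's rules are flushed along with everything else and are not re-added until the network is restarted (`virsh net-destroy` followed by `virsh net-start`, or a libvirtd restart). Losing MASQUERADE breaks guest egress, but the REJECT rules that confine the bridge go too, so whether guests end up more or less exposed depends on the other tool's FORWARD policy.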