libvirt users - Jan 2014 - Re: Best practice for custom iptables rules

> ...also, it appears that the hook script /etc/libvirt/hooks/daemon to be
> called when the libvirt daemon is started is actually called _before_
> libvirt adds its own iptables rules, because I am not able to insert my
> custom rule at the top of the chain.
>
how about this daemon hook script?

#!/bin/bash
#
insert_rule() {
    sleep 2
    iptables -t nat -D CUSTOM_RULE
    iptables -t nat -I CUSTOM_RULE
}


case $2 in
    start|reload)
        insert_rule  >/dev/null 2>&1 &
        ;;
    *)
        :
        ;;
esac

Il 13/01/14 04:06, Gao Yongwei ha scritto:
> how about this daemon hook script?
>
> #!/bin/bash
> #
> insert_rule() {
>      sleep 2
>      iptables -t nat -D CUSTOM_RULE
>      iptables -t nat -I CUSTOM_RULE
> }
[...]

Thanks, I already tried inserting a delay with "sleep" but it
didn't
change anything, as the hook script is not processed in parallel with 
other operations: libvirt waits until the hook script has been 
completed, before proceeding with the creation of its own iptables rules.

-- 
01

> Thanks, I already tried inserting a delay with "sleep" but it
didn't
> change anything, as the hook script is not processed in parallel with other
> operations: libvirt waits until the hook script has been completed, before
> proceeding with the creation of its own iptables rules.
plz take a closer look at my script, and have a real try with it.