Suppress or control netfilter rules created by libvirtd
Oliver Schneider
Borbarad at gmxpro.net
Mon Dec 27 21:40:13 UTC 2010
Hi,
I'm running 10.04 LTS (x64) with latest updates applied. On the machine
in question I use kvm to host some virtual machines.
Now the problem is that I would like to DNAT some stuff through to a
virtual machine, but that machine is already covered by the (apparently
more generic) rules. However, the problem does not seem to be with the
nat table (PREROUTING chain) itself. The rules in there seem to work as
expected.
In the FORWARD chain I need to make it explicit what ports I want to
forward where (because my policy is set to drop). However, libvirtd
inserts its rules at the top of that chain after my rules get inserted
via post-up and post-down in /etc/network/interfaces, so these rules
take precedence over the rules I have in my script.
Now the question(s): is there a way to suppress the rules applied by
libvirtd or to make sure they are applied elsewhere in the chain?
Alternatively, is there a way to "hook" this process of libvirtd starting
without too much customization that might blow up next time I do an
apt-get upgrade?
Currently I have to remove and then apply my rules again - manually - so
they take precedence.
Thanks,
// Oliver