On 08/21/2015 11:50 AM, Patrick Hinkley wrote:
> I believe I've found an explanation regarding the VM issue you mention: http://www.atrixnet.com/red-hat-libvirt-kvm-iptables-what-to-do-when-your-kv...
> If I understand correctly, the issue is that temporary rules inserted into iptables by other applications are lost when any of the following are called:
It's more than that. New rules inserted with iptables -I will override the rules added by libvirt, often causing traffic to miss libvirt's rules.
> service iptables stop; service iptables start; service iptables restart; iptables-restore < /etc/sysconfig/iptables;
> This issue would not apply when inserting your own temporary rules with, for example: iptables -A
> The issue would also not apply when making your temporary rules permanent via: service iptables save
"service iptables save" has its own problems. For starters, it will save *everything* that is currently in the in-memory rules, not just "what was previously saved + the rules you want saved". This could mean that some of the previous rules would be removed from the configuration (if something had for some reason temporarily removed them), or it could mean some extra rules that were intended to only be there temporarily would be permanently added (for example, if a libvirt virtual network is taken down, libvirt removes the iptables rules that it had previously added, but if you have saved those rules as you suggest above, then the next time your iptables service is restarted, all of those rules would be re-added, even though they are no longer applicable).
What it all comes down to is that without firewalld, there is no central controlling authority, so everybody steps all over everybody else. If all applications that need to modify the iptables rules go through firewalld, it is in a good position to assure that the various applications don't interfere with each other's rules.
(BTW, libvirt looks for the firewalld service, and always uses it if it is active).
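The "service iptables save persists everything in memory" problem described above can be checked for before saving. The following is an added example, not code from this thread or from libvirt: it compares a persisted rule file with a current iptables-save dump, both in iptables-save format, and reports which rules would be newly made permanent and which previously saved rules would be dropped. The two sample files are constructed inline (they mimic a persisted /etc/sysconfig/iptables and an in-memory dump containing rules of the kind libvirt adds for a virbr0 network, with one saved rule temporarily removed); on a real host you would feed it the saved file and the output of iptables-save instead.

```shell
#!/bin/sh
# Added example (not from the thread): preview what "service iptables save" would
# change by diffing the persisted rule set against the in-memory rule set.
# Both inputs are in iptables-save format. Rules only in memory would become
# permanent (e.g. libvirt's per-network rules); rules only in the saved file
# would be lost from the configuration.

# Extract the "-A" rule lines from an iptables-save formatted file, normalise
# whitespace and sort them so that comm(1) can compare the two sets.
rule_lines() {
    grep '^-A ' "$1" | sed 's/  */ /g' | sort -u
}

# Print rules that the save would newly persist prefixed with "+ " and rules
# that the save would drop from the config prefixed with "- ".
rule_diff() {
    saved="$1"; memory="$2"
    tmp_s=$(mktemp); tmp_m=$(mktemp)
    rule_lines "$saved" > "$tmp_s"
    rule_lines "$memory" > "$tmp_m"
    comm -13 "$tmp_s" "$tmp_m" | sed 's/^/+ /'   # only in memory
    comm -23 "$tmp_s" "$tmp_m" | sed 's/^/- /'   # only in saved file
    rm -f "$tmp_s" "$tmp_m"
}

# Convenience counters; "|| true" keeps a zero count from reading as a failure.
count_new_rules()  { rule_diff "$1" "$2" | grep -c '^+ ' || true; }
count_lost_rules() { rule_diff "$1" "$2" | grep -c '^- ' || true; }

# Constructed sample: what a persisted /etc/sysconfig/iptables might contain.
SAVED_SAMPLE=$(mktemp)
cat > "$SAVED_SAMPLE" <<'EOF'
# constructed sample, not a real host's configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Constructed sample: an in-memory dump while a libvirt network is up and the
# ssh rule has been temporarily removed by someone.
MEMORY_SAMPLE=$(mktemp)
cat > "$MEMORY_SAMPLE" <<'EOF'
# constructed sample, not real iptables-save output
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT
EOF

# Stand-alone run: show what a save would persist (+) and drop (-).
rule_diff "$SAVED_SAMPLE" "$MEMORY_SAMPLE"
```

Run it against the real files with `rule_diff /etc/sysconfig/iptables <(iptables-save)` in bash, or dump iptables-save to a temporary file first for a plain POSIX shell. Any "+" line that belongs to libvirt (or another dynamic rule owner) is one that would be re-added at the next restart even after the network is gone; any "-" line is a rule that would silently vanish from the persisted configuration.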