libvirt installs firewall rules on package upgrades

Not to confuse the matter, but here is my network template for the network (the other parts of how things work is in my quagga config):

nafallo@pony:~$ cat /etc/libvirt/qemu/networks/bklabs.xml
<network>
  <name>bklabs</name>
  <bridge name="bklabs"/>
  <forward mode="route"/>
  <ip address="91.194.67.9" netmask="255.255.255.255"/>
</network>

I should have mentioned this is Ubuntu 10.04 LTS, fully up-to-date. I had the same problem on 8.04 LTS and 8.10, and haven't tried any other versions.

Thanks for reporting this bug. I'm not quite sure why this is happening. Do you have any other networks defined? Are the files in /var/lib/libvirt/network/ the same as thos in /etc/libvirt/qemu/network?

Does the same thing happen if you do /etc/init.d/libvirt-bin restart? And if you reboot?

nafallo@pony:/etc/libvirt/qemu/networks$ ls -l *
-rw-r--r-- 1 root root 151 2009-01-20 22:52 bklabs.xml
lrwxrwxrwx 1 root root 10 2010-11-19 20:06 default.xml -> bklabs.xml
-rw-r--r-- 1 root root 231 2011-03-15 22:23 default.xml.dpkg-new
-rw-r--r-- 1 root root 153 2008-09-15 22:39 lchost.xml

autostart:
total 0
lrwxrwxrwx 1 root root 14 2011-03-31 16:14 default.xml -> ../default.xml

nafallo@pony:~$ sudo diff -ruN /etc/libvirt/qemu/networks/bklabs.xml /var/lib/libvirt/network/bklabs.xml
--- /etc/libvirt/qemu/networks/bklabs.xml 2009-01-20 22:52:22.000000000 +0000
+++ /var/lib/libvirt/network/bklabs.xml 2010-05-20 20:21:13.000000000 +0100
@@ -1,6 +1,8 @@
 <network>
   <name>bklabs</name>
- <bridge name="bklabs"/>
- <forward mode="route"/>
- <ip address="91.194.67.9" netmask="255.255.255.255"/>
+ <uuid>7c33807a-4c59-b922-5ef6-10d030ab496b</uuid>
+ <forward mode='route'/>
+ <bridge name='bklabs' stp='on' delay='0' />
+ <ip address='91.194.67.9' netmask='255.255.255.255'>
+ </ip>
 </network>

nafallo@pony:~$ sudo service libvirt-bin restart && sudo iptables -vnL && sudo iptables -F
libvirt-bin start/running, process 28098
Chain INPUT (policy ACCEPT 3962M packets, 2383G bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- bklabs * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    0 0 ACCEPT tcp -- bklabs * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    0 0 ACCEPT udp -- bklabs * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
    0 0 ACCEPT tcp -- bklabs * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

Chain FORWARD (policy ACCEPT 14G packets, 11T bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * bklabs 0.0.0.0/0 91.194.67.9
    0 0 ACCEPT all -- bklabs * 91.194.67.9 0.0.0.0/0
   42 4683 ACCEPT all -- bklabs bklabs 0.0.0.0/0 0.0.0.0/0
  583 48146 REJECT all -- * bklabs 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
  415 24630 REJECT all -- bklabs * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 2319M packets, 1710G bytes)
 pkts bytes target prot opt in out source destination

I'm not going to reboot, since that's very non-trivial with this host.

Sure enough.

Looking at http://libvirt.org/formatnetwork.html#examplesRoute, I suspect this is viewed as a feature, since, if you did have some existing firewall rules, this would punch the needed holes through that to let the VMs work as expected. Agreed it wouldn't hurt to make that more configurable. However that would require a patch to be developed upstream.

You should be able to work around this by editing /etc/init/libvirt-bin.conf, and adding

post-start exec iptables -F

Thanks again for opening this bug.

After talking to upstream (specifically thanks to laine on #virt :), the firewall rules are a feature of the libvirt networks. To do what you want, you should create the bridge yourself (i.e. using /etc/network/interfaces), and then specify that the vm's attach to that. So you would have no libvirt networks at all. The VM xml to do that would look like:

<interface type='bridge'>
 <source bridge='br0'/>
 <mac address='00:16:3e:1a:b3:4a'/>
</interface>