Comment 10 for bug 595501

In , Daniel (daniel-redhat-bugs) wrote:

We need to rearrange the way we add iptables rules to address this in a good manner.

Currently we put them directly into the INPUT/OUTPUT/FORWARD chains, inserting at position 0. This makes it hard for admins to put other rules ahead of our own, since every time we start a new guest its rules get placed ahead of custom rules.

What we need to do is to move all our rules to custom chains: libvirt_INPUT, libvirt_OUTPUT and libvirt_FORWARD. When libvirtd starts up we should create those 3 chains and insert them at position 0 in the main INPUT, OUTPUT & FORWARD chains. When starting VMs the per-VM rules should be in our custom chain.

This will allow admins to add their own rules to the main INPUT, OUTPUT, FORWARD chains and guarantee they'll always be ahead of any of libvirt's per-VM rules.
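The chain layout proposed in this comment, as an added shell example (not libvirt's own code): the chain names are the ones from the comment; the bridge name, guest subnet and the per-VM rules themselves are assumed for illustration.

```shell
#!/bin/sh
# Added example (not libvirt's code): the libvirt_* chain layout.
# Dry run by default: commands are printed, not executed. Set
# LIBVIRT_FW_APPLY=1 to run them with the real iptables (needs root).
if [ "${LIBVIRT_FW_APPLY:-0}" = 1 ]; then
  IPT=iptables
else
  # the stub reports every -C check as "rule absent" so inserts are shown
  ipt_dryrun() { [ "$1" = -C ] && return 1; echo "iptables $*"; }
  IPT=ipt_dryrun
fi

# Daemon start-up: create libvirt_INPUT/OUTPUT/FORWARD and hook each in
# as rule 1 of its built-in chain (iptables numbers rules from 1, so the
# comment's "position 0" is -I CHAIN 1). The -C check keeps the hook-in
# idempotent across libvirtd restarts instead of stacking duplicate jumps.
libvirt_chains_init() {
  for chain in INPUT OUTPUT FORWARD; do
    $IPT -N "libvirt_$chain" 2>/dev/null || :   # already exists: keep it
    $IPT -C "$chain" -j "libvirt_$chain" 2>/dev/null ||
      $IPT -I "$chain" 1 -j "libvirt_$chain"
  done
}

# Guest start: per-VM rules are appended to the libvirt_* chains only,
# never inserted into the built-in chains, so anything an admin puts at
# the head of INPUT/OUTPUT/FORWARD is evaluated before them.
# $1 = bridge interface, $2 = guest subnet (both hypothetical values).
libvirt_vm_rules() {
  br=$1; net=$2
  # DHCP and DNS from guests to the host services on the bridge
  $IPT -A libvirt_INPUT -i "$br" -p udp --dport 67 -j ACCEPT
  $IPT -A libvirt_INPUT -i "$br" -p udp --dport 53 -j ACCEPT
  # guests out through the bridge; only established replies back in
  $IPT -A libvirt_FORWARD -i "$br" -s "$net" -j ACCEPT
  $IPT -A libvirt_FORWARD -o "$br" -d "$net" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A libvirt_FORWARD -o "$br" -j REJECT
  $IPT -A libvirt_FORWARD -i "$br" -j REJECT
}

libvirt_chains_init
libvirt_vm_rules virbr0 192.168.122.0/24
```

An admin rule added afterwards with `iptables -I INPUT 1 ...` lands ahead of the `-j libvirt_INPUT` jump and so ahead of every per-VM rule, which is the guarantee the comment is after.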