[Libvir] [PATCH] Re: iptables masquerade rule overexpansive
Charles Duffy
cduffy at messageone.com
Thu Mar 27 20:35:54 UTC 2008
Daniel P. Berrange wrote:
> Instead of having the separate ACCEPT rule I think it would be sufficient
> to replace the 0.0.0.0/0 target with ! 192.168.65.0/24, eg
>
> iptables -t nat -A POSTROUTING
> --source 192.168.65.0/24
> --destination ! 192.168.65.0/24
> -j MASQUERADE
>
> so it will masquerade traffic which is leaving the ip range of the virtual
> network only, and leave ip traffic between the VMs & VM<->host alone.
I considered that -- but while it will work as long as the default
forward rule is ACCEPT, it could result in hosts being unable to
communicate with each other if the default rule for the table is otherwise.
That said, it's certainly easier... patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libvirt-0.4.0-masq_exclude_local_traffic.patch
Type: text/x-diff
Size: 1014 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20080327/823fe4d3/attachment-0001.bin>
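The patch attached above was scrubbed from the archive, so what follows is an added example, not the libvirt patch and not Daniel's or Charles's code. It builds the rule set discussed in the thread for a NAT-style virtual network: a single POSTROUTING MASQUERADE rule whose destination is negated (so traffic between guests and guest-to-host traffic is never masqueraded), plus explicit FORWARD ACCEPT rules so that intra-network forwarding keeps working even when the FORWARD chain's default policy is DROP. It also carries a small pure-shell subnet check so the "which destinations get masqueraded" question can be answered offline. The network 192.168.65.0/24, the bridge name virbr0 and the IPTABLES path are assumptions. Note that current iptables puts the negation before the option (`! -d NET`); the `--destination ! NET` form quoted above is accepted by old versions but is flagged as deprecated by newer ones.

```shell
#!/bin/sh
# Added example, not the scrubbed libvirt patch. Generates (and optionally
# applies) the iptables rules for a libvirt-style NAT virtual network.
# Network, bridge name and IPTABLES are assumptions for illustration.
# Dry run by default: commands are printed. Set APPLY=1 to execute them.

IPTABLES="${IPTABLES:-iptables}"

# run_rule ARGS...: print the full command; execute it only when APPLY=1.
run_rule() {
    echo "$IPTABLES $*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPTABLES" "$@" || return 1
    fi
}

# nat_rules NET: masquerade only traffic from NET whose destination lies
# outside NET. Guest<->guest and guest<->host traffic is left untouched.
nat_rules() {
    net="$1"
    run_rule -t nat -A POSTROUTING -s "$net" ! -d "$net" -j MASQUERADE
}

# forward_rules NET BRIDGE: explicit ACCEPT rules in the filter table so
# forwarding does not depend on the FORWARD chain's default policy.
# Inserted with -I so they precede any catch-all REJECT/DROP rule.
forward_rules() {
    net="$1"; br="$2"
    # guests talking to each other across the same bridge
    run_rule -I FORWARD -i "$br" -o "$br" -j ACCEPT
    # guests out to the rest of the world
    run_rule -I FORWARD -i "$br" -s "$net" -j ACCEPT
    # replies back in to guests (stateful, so no unsolicited inbound traffic)
    run_rule -I FORWARD -o "$br" -d "$net" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# ip2int A.B.C.D: dotted quad to a 32-bit integer (POSIX sh arithmetic).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_net IP NET: succeed if IP is inside NET (A.B.C.D/prefix).
in_net() {
    ip="$1"; base="${2%/*}"; bits="${2#*/}"
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$base") & mask )) ]
}

# masquerades DST NET: succeed if a packet from NET to DST would hit the
# negated-destination MASQUERADE rule, i.e. DST is outside NET.
masquerades() {
    if in_net "$1" "$2"; then return 1; fi
    return 0
}

# Usage (dry run): print the rule set for the assumed network and bridge.
if [ "${1:-}" = "--show" ]; then
    nat_rules 192.168.65.0/24
    forward_rules 192.168.65.0/24 virbr0
fi
```

Run it with `--show` to see the generated commands; with `APPLY=1` and root it applies them. The FORWARD rules are the part that answers the concern in the reply: with them in place, the choice between an explicit ACCEPT in POSTROUTING and a negated destination on the MASQUERADE rule no longer has any bearing on whether guests can reach each other.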