[Libvir] [PATCH] Re: iptables masquerade rule overexpansive

Charles Duffy cduffy at messageone.com
Thu Mar 27 20:35:54 UTC 2008

Daniel P. Berrange wrote:
> Instead of having the separate ACCEPT rule I think it would be sufficient
> to replace  the target with  !, eg
> iptables -t nat -A POSTROUTING
>                 --source 
>                 --destination !
>                 -j MASQUERADE
> so it will masquerade traffic which is leaving the ip range of the virtual
> network only, and leave ip traffic between the VMs & VM<->host alone.

I considered that -- but while it will work as long as the default 
forward rule is ACCEPT, it could result in hosts being unable to 
communicate with each other if the default rule for the table is otherwise.

That said, it's certainly easier... patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libvirt-0.4.0-masq_exclude_local_traffic.patch
Type: text/x-diff
Size: 1014 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20080327/823fe4d3/attachment-0001.bin>

More information about the libvir-list mailing list