[libvirt] Proposed: always allow packets internal to an interface
Gene Czarcinski
gene at czarc.net
Fri Nov 2 11:46:28 UTC 2012
Currently, when an interface (virtual network) is started, if no IP
address is defined, then no rule is added to permit "internal" network
traffic. However, virtual guests can use such a network to communicate
if a rule is added to the iptables/ip6tables rule set. This will work
even if no IP address is defined on an interface (which is valid).
I propose that rules of the following forms be added when an interface
is started and removed when it is destroyed:
iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
If a user wants a "very private network", the user has to run the above
commands. The proposal simply does this automatically.
Gene
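As an added example (not part of the mail above or of libvirt itself), the following script generates and optionally applies the two rules Gene proposes for a given bridge. It makes "add" idempotent via `iptables -C`, so repeated network starts do not stack duplicate rules, and it rejects names that are not valid Linux interface names before they reach a shell command line. The function names and the `add`/`del` actions are hypothetical; `virbr18` is the bridge from the mail.

```shell
#!/bin/sh
# Added example, not part of the original mail or of libvirt: emit and apply
# the per-bridge FORWARD rules proposed above for one virtual network bridge.
# "add" inserts the rules at position 1 of FORWARD (IPv4 and IPv6), skipping
# any that already exist; "del" removes them. Nothing runs unless applied.

# Reject anything that is not a plausible Linux interface name (IFNAMSIZ is
# 16 including the NUL), so a bad value cannot turn into extra arguments.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# bridge_rule_cmds add|del BRIDGE
# Prints, one per line, the iptables/ip6tables commands for the bridge.
# The -C check makes "add" idempotent across repeated network starts.
bridge_rule_cmds() {
    action="$1" br="$2"
    valid_ifname "$br" || { echo "bad bridge name: $br" >&2; return 1; }
    spec="-i $br -o $br -j ACCEPT"          # same bridge on input and output
    for tool in iptables ip6tables; do
        case "$action" in
            add) printf '%s -C FORWARD %s 2>/dev/null || %s -I FORWARD 1 %s\n' \
                     "$tool" "$spec" "$tool" "$spec" ;;
            del) printf '%s -D FORWARD %s\n' "$tool" "$spec" ;;
            *)   echo "usage: bridge_rule_cmds add|del BRIDGE" >&2; return 1 ;;
        esac
    done
}

# bridge_rule_apply add|del BRIDGE: run the generated commands (needs root).
bridge_rule_apply() {
    cmds=$(bridge_rule_cmds "$@") || return 1
    echo "$cmds" | sh
}

# Preview for the bridge in the mail; apply with: bridge_rule_apply add virbr18
bridge_rule_cmds add virbr18
```

Run the preview unprivileged first; `bridge_rule_apply` needs root and leaves the rules in place only until the next reboot or rule-set reload, which is why the mail asks libvirt to manage them per network lifecycle.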