[libvirt] Proposed: always allow packets internal to an interface
gene at czarc.net
Sun Nov 4 18:25:00 UTC 2012
On 11/04/2012 12:18 PM, Gene Czarcinski wrote:
> On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
>> Currently, when an interface (virtual network) is started, if no ip
>> address is defined, then no rule is added to bemit "internal" network
>> traffic. However, virtual guests can use such a network to
>> communicate if a rule is added to the iptables/ip6tables rule set.
>> This will work even if no ip address is defined on an interface
>> (which is valid).
>> I propose that rules of the following forms be added when an
>> interface is started and removed when it is destroyed:
>> iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>> ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>> If a user wants a "very private network", the user has to run the
>> above commands. The proposal simply does this automatically.
> It appears that this patch is not necessary since I can do this now
> using nwfilters.
> Question: I see little discussed or anything about nwfilters. Is
> nwfilters an active concept or is it still included because of
> legacy? Will this still work with firewalld?
Well, it was a nice idea anyway. It seems to not work for ipv6.
1. I defined a network with no IPv4 or IPv6 addresses specified.
2. Took one of my guests and put attached that new network.
3. Edited the domain for the guest and added a <filterref
4. Started things up and got what I wanted in iptables.
[that is when I wrote the previous message]
5. Using allow-ipv4 as my guide, created a new filter allow-ipv6.
6. Edited the domain again to use allow-ipv6.
7. Started things again ... ip6tables shows nothing!
I seem to have stumbled across another bug. More later.
More information about the libvir-list