[libvirt] Proposed: always allow packets internal to an interface

Gene Czarcinski gene at czarc.net
Sun Nov 4 18:25:00 UTC 2012

On 11/04/2012 12:18 PM, Gene Czarcinski wrote:
> On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
>> Currently, when an interface (virtual network) is started, if no ip 
>> address is defined, then no rule is added to bemit "internal" network 
>> traffic.  However, virtual guests can use such a network to 
>> communicate if a rule is added to the iptables/ip6tables rule set. 
>> This will work even if no ip address is defined on an interface 
>> (which is valid).
>> I propose that rules of the following forms be added when an 
>> interface is started and removed when it is destroyed:
>> iptables -I FORWARD 1 -i  virbr18 -o  virbr18  -j  ACCEPT
>> ip6tables -I FORWARD 1 -i  virbr18 -o  virbr18  -j  ACCEPT
>> If a user wants a "very private network", the user has to run the 
>> above commands.  The proposal simply does this automatically.
> It appears that this patch is not necessary since I can do this now 
> using nwfilters.
> Question:  I see little discussed or anything about nwfilters.  Is 
> nwfilters an active concept or is it still included because of 
> legacy?  Will this still work with firewalld?
Well, it was a nice idea anyway.  It seems to not work for ipv6.

1. I defined a network with no IPv4 or IPv6 addresses specified.
2. Took one of my guests and put attached that new network.
3. Edited the domain for the guest and added a <filterref 
4. Started things up and got what I wanted in iptables.
[that is when I wrote the previous message]
5. Using allow-ipv4 as my guide, created a new filter allow-ipv6.
6. Edited the domain again to use allow-ipv6.
7. Started things again ... ip6tables shows nothing!

I seem to have stumbled across another bug.  More later.


More information about the libvir-list mailing list