[libvirt] Proposed: always allow packets internal to an interface

Gene Czarcinski gene at czarc.net
Wed Nov 7 21:25:52 UTC 2012


On 11/06/2012 11:23 AM, Gene Czarcinski wrote:
>>> ip6tables -I FORWARD 1 -i  virbr18 -o  virbr18  -j  ACCEPT
>> This one currently isn't getting added, because
>> networkAddGeneralIp6tablesRules() returns immediately if there are no
>> ipv6 addresses defined for the network.
>>
>> Note that up until now, unless someone had an ipv6 address defined for a
>> network, ip6tables was never called, so theoretically you could run
>> libvirtd without having ip6tables installed on your machine, but with
>> this change *all* networks would fail to start if the ip6tables binary
>> was missing. That *shouldn't* be a problem because (at least on
>> Fedora/RHEL/CentOS) it is a part of the same package as iptables, but
>> I've seen strange setups in the last few years - in particular I recall
>> one Gentoo user whose networks were mysteriously failing, and it was
>> because he had built the iproute package with some sort of "minimal"
>> configuration that's available on Gentoo, causing something or other to
>> fail in a mysterious way (compounded in troubleshooting by the fact that
>> none of us would ever have expected such a thing).
> How about a configure/compile time option for those systems which may 
> not have ip6tables ... the default being that ip6tables is assumed. 
"ping"

OK, I have not heard a plain yes or no on this.

IPv4 and IPv6 networks are supposed to have the same (more or less) 
functionality, so why isn't this OK?

If you do want to give someone the option of running without ip6tables, 
fine, make it a compile-time option.

Gene
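The thread above turns on two points: the per-bridge rule `ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT`, and the fact that adding it unconditionally would make every network fail to start on a host with no ip6tables binary. The shell function below is an added example, not libvirt's code, showing how an administrator's helper script could add that rule for a bridge while degrading gracefully (skip with a distinct exit status) when the binary is absent, and without duplicating the rule on repeated runs. The bridge name virbr18 comes from the thread; the function names and the IP6T_DRY_RUN variable are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not libvirt's own code): guard the per-bridge "internal
# traffic" IPv6 rule so a host without ip6tables skips it instead of failing.

# Rule body that accepts packets entering and leaving the same bridge.
# The chain (FORWARD) and position (1) are supplied by the caller.
# Usage: intra_bridge_rule <bridge>
intra_bridge_rule() {
    printf -- '-i %s -o %s -j ACCEPT' "$1" "$1"
}

# Return 0 if an ip6tables binary is on PATH, 1 otherwise.
have_ip6tables() {
    command -v ip6tables >/dev/null 2>&1
}

# Insert the rule at position 1 of FORWARD unless it is already present.
# Exit status: 0 on success or when the rule already exists,
#              2 when ip6tables is not installed (hypothetical convention),
#              otherwise the status of the failing ip6tables call.
# Set IP6T_DRY_RUN=1 (assumed variable) to print the command instead.
ensure_intra_bridge_rule() {
    bridge="$1"
    body=$(intra_bridge_rule "$bridge")
    if [ "${IP6T_DRY_RUN:-0}" = "1" ]; then
        echo "would run: ip6tables -I FORWARD 1 $body"
        return 0
    fi
    if ! have_ip6tables; then
        echo "skip: ip6tables not installed, no IPv6 rule for $bridge"
        return 2
    fi
    # -C tests for an existing rule without modifying the table,
    # so re-running this script does not stack duplicate rules.
    # shellcheck disable=SC2086  # word splitting of $body is intended
    if ip6tables -C FORWARD $body 2>/dev/null; then
        echo "present: FORWARD $body"
        return 0
    fi
    # shellcheck disable=SC2086
    ip6tables -I FORWARD 1 $body
}

# Example invocation (needs root to modify the table):
#   ensure_intra_bridge_rule virbr18
```

Returning a distinct status for "binary missing" lets a caller decide per deployment whether that is fatal, which is the runtime counterpart of the compile-time switch discussed in the thread.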
