[libvirt] Proposed: always allow packets internal to an interface

Laine Stump laine at laine.org
Mon Nov 5 17:42:09 UTC 2012


On 11/04/2012 12:18 PM, Gene Czarcinski wrote:
> On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
>> Currently, when an interface (virtual network) is started, if no ip
>> address is defined, then no rule is added to permit "internal" network
>> traffic.  However, virtual guests can use such a network to
>> communicate if a rule is added to the iptables/ip6tables rule set.
>> This will work even if no ip address is defined on an interface
>> (which is valid).
>>
>> I propose that rules of the following forms be added when an
>> interface is started and removed when it is destroyed:
>>
>> iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>>
>> ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>>
>> If a user wants a "very private network", the user has to run the
>> above commands.  The proposal simply does this automatically.
> It appears that this patch is not necessary since I can do this now
> using nwfilters.

Are you sure of that? nwfilter rules are applied to the tap device that
connects the guest's interface to the bridge, while these other rules
you're talking about are on the bridge itself.

(BTW, note that all FORWARD rules that involve a bridge interface become
irrelevant if you have

   net.bridge.bridge-nf-call-iptables = 0

in /etc/sysctl.conf.)

> Question:  I see little discussed or anything about nwfilters.  Is
> nwfilters an active concept or is it still included because of
> legacy?  Will this still work with firewalld?

Still active. Works with firewalld. If you encounter a problem, you can
look for stefanb in IRC - we all hang out in #virt on irc.oftc.net. As
much as you're messing around with this code, you should be there too :-)
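
As an added example (not code from this thread or from libvirt), a small POSIX sh helper that wraps the proposed intra-bridge ACCEPT rules in idempotent start/stop functions and checks the bridge-nf-call-iptables caveat raised above. The function names, the IPT_DRY_RUN switch and the BRIDGE_NF_FILE override are assumptions made for this example; the real iptables calls need root.

```shell
#!/bin/sh
# Added example, not libvirt code: idempotent intra-bridge ACCEPT rules
# plus a check for the sysctl that makes bridge FORWARD rules irrelevant.
# IPT_DRY_RUN=1 prints the commands instead of executing them (assumption).

# Sysctl knob for bridge netfilter; overridable so the check can be run
# against a constructed file instead of the live kernel (assumption).
BRIDGE_NF_FILE="${BRIDGE_NF_FILE:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

run_ipt() {
    # Execute or echo an iptables/ip6tables command, depending on IPT_DRY_RUN.
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Insert the rule only if it is not already present: "-C" returns 0 when a
# matching rule exists, so repeated network starts do not stack duplicates.
bridge_internal_start() {
    br="$1"
    for tool in iptables ip6tables; do
        if [ "${IPT_DRY_RUN:-0}" = "1" ] || \
           ! "$tool" -C FORWARD -i "$br" -o "$br" -j ACCEPT 2>/dev/null; then
            run_ipt "$tool" -I FORWARD 1 -i "$br" -o "$br" -j ACCEPT
        fi
    done
}

# Remove the rule when the network is destroyed (mirror of start).
bridge_internal_stop() {
    br="$1"
    for tool in iptables ip6tables; do
        run_ipt "$tool" -D FORWARD -i "$br" -o "$br" -j ACCEPT
    done
}

# Returns 0 when bridge netfilter is enabled, i.e. FORWARD rules naming
# bridge ports are actually consulted; 1 when it is disabled or the knob
# is absent (br_netfilter not loaded), in which case the rules above are moot.
bridge_nf_enabled() {
    [ -r "$BRIDGE_NF_FILE" ] || return 1
    [ "$(cat "$BRIDGE_NF_FILE")" = "1" ]
}
```

Run `bridge_nf_enabled || echo "bridge FORWARD rules are not enforced"` before relying on the ACCEPT rules; with the knob at 0 the rules exist but never match.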
