[libvirt] Proposed: always allow packets internal to an interface
Gene Czarcinski
gene at czarc.net
Fri Nov 9 02:19:37 UTC 2012
On 11/08/2012 09:01 PM, Laine Stump wrote:
> Hmm - would it maybe be okay to always add the ip6tables rule to allow
> ipv6 traffic between interfaces on the bridge, while still setting
> disable_ipv6=1 (unless there is an <ip> with an ipv6 address)? The
> guests could then do IPv6 among themselves if they wanted, but there
> would be no way to get to the host via IPv6.
All I can say is that it seems to work ... at least my definition of work.
Obviously (I hope) the virtualization host sees nothing of the
communications between the virtual systems on the "very private" virtual
network.
Take a look at my message which describes what I did. Give it a try for
yourself and tell us what you see.
I do not know how things are supposed to work, I can only report on how
they do work.
Now, that is not to say that if you call some function to do something,
that, in addition to performing what you want, it also does some other
"stuff." That is, if I have ip6tables do something, is it also doing
something else?
Gene