[libvirt] Proposed: always allow packets internal to an interface

Gene Czarcinski gene at czarc.net
Fri Nov 9 02:19:37 UTC 2012


On 11/08/2012 09:01 PM, Laine Stump wrote:
> Hmm - would it maybe be okay to always add the ip6tables rule to allow
> ipv6 traffic between interfaces on the bridge, while still setting
> disable_ipv6=1 (unless there is an <ip> with an ipv6 address)? The
> guests could then do IPv6 among themselves if they wanted, but there
> would be no way to get to the host via IPv6.
All I can say is that it seems to work ... at least my definition of work.

Obviously (I hope) the virtualization host sees nothing of the 
communications between the virtual systems on the "very private" virtual 
network.

Take a look at my message which describes what I did.  Give it a try for 
yourself and tell us what you see.

I do not know how things are supposed to work, I can only report on how 
they do work.

Now, that is not to say that if you call some function to do something, 
that, in addition to performing what you want, it also does some other 
"stuff."  That is, if I have ip6tables do something, is it also doing 
something else?

Gene



