[libvirt] Network definition questions
Gene Czarcinski
gene at czarc.net
Thu Mar 28 23:09:04 UTC 2013
On 03/28/2013 03:22 PM, Laine Stump wrote:
> On 03/27/2013 04:00 PM, Gene Czarcinski wrote:
>> If an IPv4 address is *not* specified, then the IPv4 network is
>> isolated and, by default, internal (internal to the specific
>> interface) IPv4 routing is enabled.
> Define "enable IPv4 routing"
>
> ipv4 forwarding is not explicitly enabled in this case, but guests
> connected to the bridge can talk to each other.
>
>> If an IPv6 address is *not* specified, then the IPv6 network is
>> isolated and, by default, internal IPv6 routing is disabled but can be
>> enabled if ipv6='yes' is specified on <network>.
> Correct (but you knew this better than me :-)
>
>> If an IPv6 address is specified, then it is routed.
> Define "routed". If there is no <forward> element, then rules are added
> to reject any traffic that tries to be forwarded beyond the bridge, or
> forwarded into the bridge from outside. However, IPv6 traffic between
> interfaces directly connected to the bridge (i.e. the guests) and the
> bridge itself is allowed.
>
>> If an IPv4 address is specified, then it can be
>> Network-Address-Translated or routed. Not having a <forward>
>> explicitly specified does not mean that a route is not established.
> Do you mean the direct route for the bridge's own subnet? If there is no
> <forward>, then the rules added by networkAddGeneralIptablesRules will
> be in effect - aside from allowing receive of dhcp, dns, and possibly
> tftp to the host from guests (and ignoring inter-guest traffic), these
> rules will reject attempts to forward into or out of the bridge.
>
>>
>> Do I understand things correctly?
>>
> Not sure. Did what I said match up with what you understand? :-)
>
OK, I was working on the virtual network support in virt-manager when I
realized that I was not sure I understood what the forwarding/routing
rules were. I needed this so I could accurately display just what IPv4
and IPv6 routing was enabled on a network (interface). Based on more
thinking and what you said above, let me try again.

Isolated-1: *no* address specified
    IPv4 - internal routing between guests is enabled.
    IPv6 - internal routing between guests is enabled only if
           ipv6='yes' is specified

Isolated-2: address specified but no <forward>
    IPv4 - internal routing between guests and between guests and
           virtualization host
    IPv6 - internal routing between guests and between guests and
           virtualization host
    Also - dnsmasq used for DNS service for each address specified
    Opt - dhcp for either or both addresses

Routed-1 - address specified, <forward> with NAT
    IPv4 - forwarded with Network Address Translation
    IPv6 - forward-routed with no restrictions
    Also - dnsmasq used for DNS service for each address specified
    Opt - dhcp for either or both addresses

Routed-2 - address specified, <forward> with route specified
    IPv4 - forward-routed with no restrictions
    IPv6 - forward-routed with no restrictions
    Also - dnsmasq used for DNS service for each address specified
    Opt - dhcp for either or both addresses

So, if IPv6 is to be forwarded then there must be a <forward> in the
definition.
It also appears that there is no way to specify forwarding for only IPv4
or IPv6 if each has an address specified.
Gene
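
Added example, not part of the original message and not libvirt or virt-manager code: a small Python classifier that maps a libvirt network XML definition onto the four cases summarized in the message above, per address family. The function name, result labels and sample definitions are hypothetical and constructed for illustration; the output reflects the message's summary, not an inspection of the firewall rules libvirt actually installs.

```python
import xml.etree.ElementTree as ET

# Constructed sample definitions using documentation address ranges.
_IPS = ("<ip address='192.0.2.1' netmask='255.255.255.0'/>"
        "<ip family='ipv6' address='2001:db8::1' prefix='64'/>")
SAMPLES = {
    "bare": "<network><name>a</name></network>",
    "bare6": "<network ipv6='yes'><name>b</name></network>",
    "isolated": f"<network><name>c</name>{_IPS}</network>",
    "nat": f"<network><name>d</name><forward mode='nat'/>{_IPS}</network>",
    "route": f"<network><name>e</name><forward mode='route'/>{_IPS}</network>",
}

# Case names follow the message; they apply once at least one address is set.
CASES = {None: "Isolated-2", "nat": "Routed-1", "route": "Routed-2"}

def classify(network_xml):
    """Map a libvirt <network> definition onto the cases listed in the message."""
    net = ET.fromstring(network_xml)
    # An <ip> element without a family attribute is IPv4.
    families = {ip.get("family", "ipv4") for ip in net.findall("ip") if ip.get("address")}
    fwd = net.find("forward")
    # A <forward> element without a mode attribute means NAT.
    mode = None if fwd is None else fwd.get("mode", "nat")

    def scope(family):
        if family not in families:
            # Per the message: with no address, IPv4 guests still reach each
            # other, while IPv6 between guests needs ipv6='yes' on <network>.
            if family == "ipv4" or net.get("ipv6") == "yes":
                return "guests-only"
            return "disabled"
        if mode is None:
            return "guests-and-host"
        if mode == "nat":
            # Per the message: NAT applies to IPv4 only; IPv6 is forward-routed.
            return "nat" if family == "ipv4" else "forward-routed"
        return "forward-routed" if mode == "route" else "not-covered"

    case = "Isolated-1" if not families else CASES.get(mode, "not-covered")
    return {"case": case, "ipv4": scope("ipv4"), "ipv6": scope("ipv6")}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, classify(xml))
```

The "nat" sample is the case to watch when auditing definitions: by the summary above, a dual-stack network with NAT forwarding reports `nat` for IPv4 but `forward-routed` for IPv6.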