[libvirt] Network definition questions

Gene Czarcinski gene at czarc.net
Thu Mar 28 23:09:04 UTC 2013


On 03/28/2013 03:22 PM, Laine Stump wrote:
> On 03/27/2013 04:00 PM, Gene Czarcinski wrote:
>> If an IPv4 address is *not* specified, then the IPv4 network is
>> isolated and, by default, internal (internal to the specific
>> interface) IPv4 routing is enabled.
> Define "enable IPv4 routing"
>
> ipv4 forwarding is not explicitly enabled in this case, but guests
> connected to the bridge can talk to each other.
>
>> If an IPv6 address is *not* specified, then the IPv6 network is
>> isolated and, by default, internal IPv6 routing is disabled but can be
>> enabled if ipv6='yes' is specified on <network>.
> Correct (but you knew this better than me :-)
>
>> If an IPv6 address is specified, then it is routed.
> Define "routed". If there is no <forward> element, then rules are added
> to reject any traffic that tries to be forwarded beyond the bridge, or
> forwarded into the bridge from outside. However, IPv6 traffic between
> interfaces directly connected to the bridge (i.e. the guests) and the
> bridge itself is allowed.
>
>> If an IPv4 address is specified, then it can be
>> Network-Address-Translated or routed.  Not having a <forward>
>> explicitly specified does not mean that a route is not established.
> Do you mean the direct route for the bridge's own subnet? If there is no
> <forward>, then the rules added by networkAddGeneralIptablesRules will
> be in effect - aside from allowing receive of dhcp, dns, and possibly
> tftp to the host from guests (and ignoring inter-guest traffic), these
> rules will reject attempts to forward into or out of the bridge.
>
>>
>> Do I understand things correctly?
>>
> Not sure. Did what I said match up with what you understand? :-)
>
OK, I was working on the virtual network support in virt-manager when I 
realized that I was not sure I understood what the forwarding/routing 
rules were.  I needed this so I could accurately display just what IPv4 
and IPv6 routing was enabled on a network (interface).  Based on more 
thinking and what you said above, let me try again.

Isolated-1: *no* address specified
         IPv4 - internal routing between guests is enabled.
         IPv6 - internal routing between guests is enabled only if 
ipv6='yes' is specified

Isolated-2: address specified but no <forward>
         IPv4 - internal routing between guests and between guests and 
virtualization host
         IPv6 - internal routing between guests and between guests and 
virtualization host
         Also - dnsmasq used for DNS service for each address specified
         Opt - dhcp for either or both addresses

Routed-1 - address specified, <forward> with NAT
         IPv4 - forwarded with Network Address Translation
         IPv6 - forward-routed with no restrictions
         Also - dnsmasq used for DNS service for each address specified
         Opt - dhcp for either or both addresses

Routed-2 - address specified, <forward> with route specified
         IPv4 - forward-routed with no restrictions
         IPv6 - forward-routed with no restrictions
         Also - dnsmasq used for DNS service for each address specified
         Opt - dhcp for either or both addresses

So, if IPv6 is to be forwarded then there must be a <forward> in the 
definition.

It also appears that there is no way to specify forwarding for only IPv4 
or IPv6 if each has an address specified.

Gene
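The four cases in Gene's summary, turned into a small classifier of the kind virt-manager would need to display per-family forwarding. This is an added example and not virt-manager or libvirt code; the element and attribute names (`<forward mode=...>`, `<ip family=...>`, `ipv6='yes'` on `<network>`) are libvirt's, while the XML fixtures, bridge names and addresses are constructed for this example. The one assumption beyond the thread is that `<forward/>` with no `mode` attribute defaults to `nat`, as the libvirt network XML documentation states.

```python
"""Classify a libvirt <network> definition into the four cases from the
thread (Isolated-1, Isolated-2, Routed-1, Routed-2) and report the IPv4
and IPv6 forwarding each implies.

Added example, not virt-manager or libvirt code.  Fixtures below are
constructed; only the libvirt XML element/attribute names are real.
"""
import xml.etree.ElementTree as ET


def _or_none(addr_list, text):
    """Report `text` for a family only if it has an <ip> element."""
    return text if addr_list else "no address defined"


def classify_network(xml_text):
    """Return a dict describing the forwarding implied by a <network> XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        raise ValueError("expected a <network> root element")

    ips = root.findall("ip")
    # libvirt treats an <ip> with no family= attribute as IPv4.
    v4_ips = [ip for ip in ips if ip.get("family", "ipv4") == "ipv4"]
    v6_ips = [ip for ip in ips if ip.get("family") == "ipv6"]
    fwd = root.find("forward")
    # Assumption: <forward/> without mode= means mode='nat' (libvirt default).
    mode = fwd.get("mode", "nat") if fwd is not None else None
    ipv6_flag = root.get("ipv6") == "yes"

    result = {
        "name": root.findtext("name", default="(unnamed)"),
        "dns": bool(ips),  # dnsmasq serves DNS for each address specified
        "dhcp_ipv4": any(ip.find("dhcp") is not None for ip in v4_ips),
        "dhcp_ipv6": any(ip.find("dhcp") is not None for ip in v6_ips),
    }

    if not ips:
        # Isolated-1: no address, so no dnsmasq.  IPv6 between guests is
        # only enabled when ipv6='yes' is set on <network>.
        result.update(kind="Isolated-1",
                      ipv4="guest-to-guest only",
                      ipv6="guest-to-guest only" if ipv6_flag else "disabled")
    elif fwd is None:
        # Isolated-2: guests talk to each other and the host; forwarding
        # into or out of the bridge is rejected by the host firewall rules.
        result.update(kind="Isolated-2",
                      ipv4=_or_none(v4_ips, "guest-to-guest and guest-to-host"),
                      ipv6=_or_none(v6_ips, "guest-to-guest and guest-to-host"))
    elif mode == "nat":
        # Routed-1: IPv4 is NATed; IPv6 is never NATed, so it is routed.
        result.update(kind="Routed-1",
                      ipv4=_or_none(v4_ips, "forwarded with NAT"),
                      ipv6=_or_none(v6_ips, "forwarded (routed, no NAT)"))
    elif mode == "route":
        result.update(kind="Routed-2",
                      ipv4=_or_none(v4_ips, "forwarded (routed)"),
                      ipv6=_or_none(v6_ips, "forwarded (routed)"))
    else:
        # bridge/private/passthrough/etc. are outside the thread's summary.
        result.update(kind="other (forward mode=%s)" % mode,
                      ipv4="not covered", ipv6="not covered")
    return result


# Constructed fixtures, one per case (2001:db8::/32 is the documentation prefix).
ISOLATED_1 = "<network><name>iso1</name></network>"
ISOLATED_1_V6 = "<network ipv6='yes'><name>iso1v6</name></network>"
ISOLATED_2 = """<network>
  <name>iso2</name>
  <bridge name='virbr10'/>
  <ip address='192.168.150.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.150.128' end='192.168.150.254'/></dhcp>
  </ip>
  <ip family='ipv6' address='2001:db8:ca2:2::1' prefix='64'/>
</network>"""
NAT_NET = """<network>
  <name>nat1</name>
  <forward mode='nat'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
  <ip family='ipv6' address='2001:db8:ca2:3::1' prefix='64'/>
</network>"""
ROUTE_NET = """<network>
  <name>route1</name>
  <forward mode='route'/>
  <ip address='192.168.123.1' netmask='255.255.255.0'/>
</network>"""

if __name__ == "__main__":
    for xml in (ISOLATED_1, ISOLATED_1_V6, ISOLATED_2, NAT_NET, ROUTE_NET):
        r = classify_network(xml)
        print("%-8s %-10s IPv4: %-32s IPv6: %s" %
              (r["name"], r["kind"], r["ipv4"], r["ipv6"]))
```

The `ROUTE_NET` fixture illustrates Gene's last point: a single `<forward>` applies to both families, so the only way to keep one family unforwarded on a routed network is to give it no address at all.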




More information about the libvir-list mailing list