[libvirt] [PATCH 1/3] network: new network forward mode 'open'

Daniel P. Berrange berrange at redhat.com
Fri Aug 12 15:28:29 UTC 2016


On Fri, Aug 12, 2016 at 11:19:00AM -0400, Laine Stump wrote:
> On 08/12/2016 03:52 AM, Daniel P. Berrange wrote:
> > On Thu, Aug 11, 2016 at 10:41:45PM -0400, Laine Stump wrote:
> > > The new forward mode 'open' is just like mode='route', except that no
> > > firewall rules are added to assure that any traffic does or doesn't
> > > pass. It is assumed that either they aren't necessary, or they will be
> > > set up outside the scope of libvirt.
> > > 
> > > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=846810
> > > ---
> > >   docs/formatnetwork.html.in                         | 22 ++++++++++++
> > >   docs/schemas/network.rng                           |  1 +
> > >   src/conf/network_conf.c                            | 25 +++++++++++--
> > >   src/conf/network_conf.h                            |  1 +
> > >   src/network/bridge_driver.c                        | 41 +++++++++++++++-------
> > >   tests/networkxml2confdata/open-network.conf        | 11 ++++++
> > >   tests/networkxml2confdata/open-network.xml         |  9 +++++
> > >   tests/networkxml2conftest.c                        |  1 +
> > >   .../open-network-with-forward-dev.xml              |  9 +++++
> > >   tests/networkxml2xmlin/open-network.xml            |  9 +++++
> > >   tests/networkxml2xmlout/open-network.xml           |  9 +++++
> > >   tests/networkxml2xmltest.c                         |  2 ++
> > >   12 files changed, 125 insertions(+), 15 deletions(-)
> > >   create mode 100644 tests/networkxml2confdata/open-network.conf
> > >   create mode 100644 tests/networkxml2confdata/open-network.xml
> > >   create mode 100644 tests/networkxml2xmlin/open-network-with-forward-dev.xml
> > >   create mode 100644 tests/networkxml2xmlin/open-network.xml
> > >   create mode 100644 tests/networkxml2xmlout/open-network.xml
> > > 
> > > diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
> > > index a9226e5..12d1bed 100644
> > > --- a/docs/formatnetwork.html.in
> > > +++ b/docs/formatnetwork.html.in
> > > @@ -260,6 +260,28 @@
> > >               <span class="since">Since 0.4.2</span>
> > >             </dd>
> > > +          <dt><code>open</code></dt>
> > > +          <dd>
> > > +            As with mode='route', guest network traffic will be
> > > +            forwarded to the physical network via the host's IP
> > > +            routing stack, but there will be no firewall rules added
> > > +            to either enable or prevent any of this traffic. When
> > > +            forward='open' is set, the <code>dev</code> attribute
> > > +            cannot be set (because the forward dev is enforced with
> > > +            firewall rules, and the purpose of forward='open' is to
> > > +            have a forwarding mode where libvirt doesn't add any
> > > +            firewall rules).  This mode presumes that the local LAN
> > > +            router has suitable routing table entries to return
> > > +            traffic to this host, and that some other management
> > > +            system has been used to put in place any necessary
> > > +            firewall rules. Although no firewall rules will be added
> > > +            for the network, it is of course still possible to add
> > > +            restrictions for specific guests using
> > > +            <a href="formatnwfilter.html">nwfilter rules</a> on the
> > > +            guests' interfaces.)
> > > +            <span class="since">Since 2.2.0</span>
> > > +          </dd>
> > > +
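Review bot: the closing parenthesis in "guests' interfaces.)" has no matching opening parenthesis; either drop it or open one before "it is of course still possible". The same paragraph says the <code>dev</code> attribute "cannot be set" with forward='open' but does not say how libvirt reacts when a user sets it anyway (rejected when the network is defined, or silently ignored); since an admin choosing this mode is relying on the documentation to know that no traffic restriction is in place, stating the behaviour explicitly here would avoid a config that appears to limit the forward device while actually doing nothing.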
> > Isn't this basically the same as forward mode="bridge", except that
> > we still create the bridge ourselves, instead of requiring it to be
> > pre-created?
> 
> Sigh. If only that was the case :-/

[snip]

> > If so, I wonder if it's better to add an attribute 'create=yes|no' to
> > the <bridge> element instead?

OK, ignore my suggestion. There's nothing wrong with what you've
proposed.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|