[libvirt-users] Inconsistent iptables forwarding rules for virtual networks?

Alex Jia ajia at redhat.com
Thu Sep 27 07:24:17 UTC 2012


Hi Marwan,
I remember libvirt has a similar bug, but I forgot the bug number; Laine can help
confirm this. Could you provide your libvirt version? Thanks.

-- 
Regards,     
Alex


----- Original Message -----
From: "Marwan Tanager" <marwan.tngr at gmail.com>
To: libvirt-users at redhat.com
Sent: Wednesday, September 26, 2012 11:18:35 AM
Subject: [libvirt-users] Inconsistent iptables forwarding rules for virtual networks?

Hi everyone.

These are the iptables forwarding rules associated with the two virtual networks
on my machine:

-----------------------------------------------------------------------------------------
-A FORWARD -d 192.168.100.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-----------------------------------------------------------------------------------------

Using this setup I can ping from a guest on 192.168.100.0/24 to a guest on
192.168.122.0/24; however, the reverse is not possible (I get 'port unreachable'
ICMP messages). This is caused by the fourth rule, which rejects packets
forwarded to virbr1.

Moving the fourth rule to the end obviously eliminates this problem.

So, is this default setup intentional for some reason, or should the rules just
be rearranged by libvirt, so that any rule on the FORWARD chain which has a
REJECT target (which rejects forwarding "to" some virtual interface) would go to
the end of the chain, thus allowing the virtual networks to reach each
other by default?

Thanks.


	Marwan

_______________________________________________
libvirt-users mailing list
libvirt-users at redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
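The first-match behaviour Marwan describes, as an added example that is not part of the thread and not libvirt's own code: a small Python simulation of the FORWARD chain shown above, walked for a new ping in each direction, first in libvirt's order and then with every REJECT rule pushed to the end of the chain as the post proposes. The guest addresses and the assumption that an unmatched packet falls through to the chain policy are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One FORWARD rule; a field left as None is a wildcard, as in iptables."""
    target: str                 # ACCEPT or REJECT
    src: str = None             # -s network
    dst: str = None             # -d network
    in_if: str = None           # -i interface
    out_if: str = None          # -o interface
    states: tuple = ()          # -m state --state list; empty = no state match
    def matches(self, pkt: dict) -> bool:
        def in_net(ip, net):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (in_net(pkt["src"], self.src) and in_net(pkt["dst"], self.dst)
                and self.in_if in (None, pkt["in_if"]) and self.out_if in (None, pkt["out_if"])
                and (not self.states or pkt["state"] in self.states))

# The chain exactly as listed in the post, in libvirt's order.
CHAIN = [
    Rule("ACCEPT", dst="192.168.100.0/24", out_if="virbr1", states=("RELATED", "ESTABLISHED")),
    Rule("ACCEPT", src="192.168.100.0/24", in_if="virbr1"),
    Rule("ACCEPT", in_if="virbr1", out_if="virbr1"),
    Rule("REJECT", out_if="virbr1"),   # rule 4: catches NEW traffic from virbr0 headed to virbr1
    Rule("REJECT", in_if="virbr1"),
    Rule("ACCEPT", dst="192.168.122.0/24", out_if="virbr0", states=("RELATED", "ESTABLISHED")),
    Rule("ACCEPT", src="192.168.122.0/24", in_if="virbr0"),
    Rule("ACCEPT", in_if="virbr0", out_if="virbr0"),
    Rule("REJECT", out_if="virbr0"),
    Rule("REJECT", in_if="virbr0"),
]

def evaluate(chain, pkt):
    """First-match walk; returns (verdict, 1-based rule number), or ("POLICY", None) when nothing matches."""
    for n, rule in enumerate(chain, 1):
        if rule.matches(pkt):
            return rule.target, n
    return "POLICY", None  # chain default policy decides; the post does not show it

def rejects_last(chain):
    """The ordering proposed in the post: same relative order, but every REJECT after every ACCEPT."""
    return [r for r in chain if r.target != "REJECT"] + [r for r in chain if r.target == "REJECT"]

# Constructed sample traffic: the first echo request of a new ping in each direction.
PING_TO_VIRBR0 = dict(src="192.168.100.10", dst="192.168.122.10", in_if="virbr1", out_if="virbr0", state="NEW")
PING_TO_VIRBR1 = dict(src="192.168.122.10", dst="192.168.100.10", in_if="virbr0", out_if="virbr1", state="NEW")

if __name__ == "__main__":
    for name, chain in (("libvirt order", CHAIN), ("REJECTs last", rejects_last(CHAIN))):
        print(f"{name}: to virbr0 -> {evaluate(chain, PING_TO_VIRBR0)}, to virbr1 -> {evaluate(chain, PING_TO_VIRBR1)}")
```

In libvirt's order the virbr0-to-virbr1 ping is rejected by rule 4 while the reverse direction is accepted by rule 2; with the REJECT rules moved last, both directions are accepted and the replies still match the RELATED,ESTABLISHED rules.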
