[libvirt-users] Modify Iptables Rules (virbr0 & virbr1)

Jorge Fábregas jorge.fabregas at gmail.com
Tue Aug 13 11:07:23 UTC 2013


On 08/13/2013 06:31 AM, Laine Stump wrote:
> Correct. That is a known problem since 2008:
> 
>    https://bugzilla.redhat.com/show_bug.cgi?id=453580

Thanks Laine for confirming it is a known issue.  I googled it a lot but
couldn't find that bugzilla entry.

Do you know if this is still the case with the upcoming Fedora 20 &
firewalld (are these rules still being created)?

> Due to the large amount of work required to fix it relative to the
> apparent demand for a fix, it has remained unchanged.

I'm wondering if it really takes a lot of work.  I think that by just
changing the order of the rules everything gets fixed.  If we group the
rules *by functionality* instead of *by virtual-network* we can
accomplish a particular goal (drop communication between
virtual-networks or allow them):

(Notice that I did not insert or delete any rule; I just changed the order):

- Allow communication between virtual-networks (regardless of direction):
http://fpaste.org/31729/

- Block communication between virtual-networks (except for the LAN):
http://fpaste.org/31731/

> Note that if you want to have multiple virtual networks that can
> communicate with each other, you can define all the networks as <forward
> mode='route'/> (which gives them iptables rulesets that allow all access
> in both directions), then add in appropriate "blanket" NAT rules
> yourself in the host's iptables config.

Right, that's what I'm using now: just had to add a static route to my
home router in order for them to be able to use the net.

Again, thanks Laine for the feedback!

-- 
Jorge
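To make the point about rule order concrete, here is a small first-match simulator for the FORWARD chain, written for this page (it is not code from the thread or from libvirt). The rule shape is my reconstruction of the per-network rules libvirt installs for a NAT network, and the bridge names, subnets and sample traffic are constructed; it shows the same ten rules grouped by network, grouped by functionality, and grouped to block inter-network traffic while keeping LAN access.

```python
# Added example: first-match simulator for the FORWARD chain, showing how the
# order of the same rules decides whether two libvirt NAT networks can talk.
# Rule shape is my reconstruction of libvirt's <forward mode='nat'/> rules.
from ipaddress import ip_address, ip_network

def nat_rules(br, subnet):
    """Per-network rules as libvirt installs them, top to bottom:
    (verdict, in_iface, out_iface, src_net, dst_net, established_only)."""
    return [
        ("ACCEPT", None, br, None, subnet, True),   # replies back to guests
        ("ACCEPT", br, None, subnet, None, False),  # guests out to anywhere
        ("ACCEPT", br, br, None, None, False),      # guest to guest, same net
        ("REJECT", None, br, None, None, False),    # anything else towards br
        ("REJECT", br, None, None, None, False),    # anything else from br
    ]

def verdict(chain, p):
    """Walk the chain; the first rule whose every set field matches wins."""
    for action, iif, oif, src, dst, est in chain:
        if iif and p["in"] != iif: continue
        if oif and p["out"] != oif: continue
        if src and ip_address(p["src"]) not in ip_network(src): continue
        if dst and ip_address(p["dst"]) not in ip_network(dst): continue
        if est and not p["established"]: continue
        return action
    return "POLICY"  # fell through to the chain's default policy

def packet(iif, oif, src, dst, established=False):
    return {"in": iif, "out": oif, "src": src, "dst": dst, "established": established}

# libvirt inserts each network's block at the top of FORWARD, so the newer
# network's rules sit above the older one's: grouped *by network*.
BY_NETWORK = nat_rules("virbr1", "192.168.123.0/24") + nat_rules("virbr0", "192.168.122.0/24")
# Same ten rules grouped *by functionality*: every ACCEPT before any REJECT.
BY_FUNCTION = sorted(BY_NETWORK, key=lambda r: r[0] != "ACCEPT")
# Same ten rules ordered to block inter-network traffic but keep the LAN:
# replies and same-bridge traffic, then REJECT -o virbrX, then the "guests
# out" ACCEPTs (which now only reach non-virbr interfaces), then the rest.
BY_FUNCTION_BLOCK = (
    [r for r in BY_NETWORK if r[0] == "ACCEPT" and (r[5] or r[2])]
    + [r for r in BY_NETWORK if r[0] == "REJECT" and r[2]]
    + [r for r in BY_NETWORK if r[0] == "ACCEPT" and not (r[5] or r[2])]
    + [r for r in BY_NETWORK if r[0] == "REJECT" and not r[2]]
)
# Constructed sample traffic: guest addresses and the LAN host are made up.
NEW_0_TO_1 = packet("virbr0", "virbr1", "192.168.122.10", "192.168.123.10")
NEW_1_TO_0 = packet("virbr1", "virbr0", "192.168.123.10", "192.168.122.10")
NEW_0_TO_LAN = packet("virbr0", "eth0", "192.168.122.10", "10.0.0.5")
REPLY_LAN_TO_0 = packet("eth0", "virbr0", "10.0.0.5", "192.168.122.10", True)
```

With the by-network order, a new connection from virbr0 to virbr1 hits virbr1's REJECT before virbr0's ACCEPT, while the reverse direction is accepted; the two regrouped orders give a symmetric allow and a symmetric block respectively, with LAN traffic and its replies still accepted.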
