[libvirt-users] Modify Iptables Rules (virbr0 & virbr1)

Jorge Fábregas jorge.fabregas at gmail.com
Tue Aug 6 22:38:19 UTC 2013


On 07/31/2013 11:01 AM, Jorge Fábregas wrote:
> That is, the first network can reach all other networks (just because it
> happens to be the first one defined).  Is this the intention (only
> default can talk to the others but not the other way around)?

*Bump*

I found this excellent post by Daniel Berrange:

http://www.redhat.com/archives/libvir-list/2010-June/msg00762.html

...which explains all the firewall rules that libvirt creates based on
the type of network you choose.  Reading this, I get the idea that the
intention for NAT virtual networks is to allow them to communicate with
ANY other virtual network on your system (since there's an allow rule
for traffic coming out of it).

In a nutshell, the problem is that there's a lack of consistency in how
NAT virtual networks communicate with each other. I think the traffic
between these subnets should be either allowed or denied.  Right now we
have a mixed scenario where the decision to allow or deny the traffic is
based merely on what position in the firewall rules your virtual
network happens to occupy.

Here's what I mean:

http://fpaste.org/30485/

Network 0 can reach any network due to line #3.

Network 1 can only reach the networks defined below it (due to line #10).
Network 1 can't reach Network 0 due to line #5.

Network 2 can't reach any of the networks above it due to lines #5 & #12.

(reach = "initiate new connections")

Summary (based on the order of the firewall rules): virtual networks can
successfully initiate new connections to the networks defined below them
but can't to those defined above them.

Comments are welcome.

Thanks!
Jorge
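A model of the rule layout discussed in the post above, as an added example that is not part of the original message or of libvirt's own code. It builds the five FORWARD rules libvirt installs per NAT network (the set described in Daniel Berrange's linked message) for three hypothetical networks, walks the chain with the same first-match semantics netfilter uses, and shows that a new connection is forwarded exactly when the source network's rule block sits above the destination's. The bridge names, subnets and the host's default FORWARD policy are assumptions; compare the generated lines with `iptables -S FORWARD` on a real host before trusting the model for it.

```python
"""Model of the FORWARD chain libvirt builds for NAT virtual networks.

Added example, not libvirt code.  Bridge names and subnets are
hypothetical; check the real chain with `iptables -S FORWARD`.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    new: bool = True          # conntrack state NEW, i.e. a connection attempt


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule; a None field means "any", like an omitted match."""
    in_if: Optional[str] = None      # -i
    out_if: Optional[str] = None     # -o
    src: Optional[Net] = None        # -s
    dst: Optional[Net] = None        # -d
    established: bool = False        # -m conntrack --ctstate RELATED,ESTABLISHED
    target: str = "ACCEPT"           # -j

    def matches(self, pkt: Packet) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.out_if is not None and pkt.out_if != self.out_if:
            return False
        if self.src is not None and pkt.src not in self.src:
            return False
        if self.dst is not None and pkt.dst not in self.dst:
            return False
        if self.established and pkt.new:   # state match fails on a NEW packet
            return False
        return True

    def as_iptables(self) -> str:
        parts = ["-A FORWARD"]
        if self.dst is not None:
            parts.append(f"-d {self.dst}")
        if self.src is not None:
            parts.append(f"-s {self.src}")
        if self.in_if is not None:
            parts.append(f"-i {self.in_if}")
        if self.out_if is not None:
            parts.append(f"-o {self.out_if}")
        if self.established:
            parts.append("-m conntrack --ctstate RELATED,ESTABLISHED")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def nat_network_rules(bridge: str, subnet: Net) -> List[Rule]:
    """libvirt's per-NAT-network block, in chain order: replies back in,
    anything out, bridge to itself, then reject whatever is left."""
    return [
        Rule(out_if=bridge, dst=subnet, established=True, target="ACCEPT"),
        Rule(in_if=bridge, src=subnet, target="ACCEPT"),
        Rule(in_if=bridge, out_if=bridge, target="ACCEPT"),
        Rule(out_if=bridge, target="REJECT"),
        Rule(in_if=bridge, target="REJECT"),
    ]


def build_chain(networks: List[Tuple[str, Net]]) -> List[Rule]:
    """One block per network, in the order the networks were defined."""
    chain: List[Rule] = []
    for bridge, subnet in networks:
        chain.extend(nat_network_rules(bridge, subnet))
    return chain


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as netfilter walks a chain (policy assumed)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def can_initiate(chain, networks, src_i: int, dst_i: int) -> bool:
    """Is a NEW connection from a guest on networks[src_i] to networks[dst_i] forwarded?"""
    src_br, src_net = networks[src_i]
    dst_br, dst_net = networks[dst_i]
    syn = Packet(in_if=src_br, out_if=dst_br, src=src_net[10], dst=dst_net[10])
    return evaluate(chain, syn) == "ACCEPT"


def reply_accepted(chain, networks, src_i: int, dst_i: int) -> bool:
    """Is the ESTABLISHED reply of that connection (dst back to src) forwarded?"""
    src_br, src_net = networks[src_i]
    dst_br, dst_net = networks[dst_i]
    reply = Packet(in_if=dst_br, out_if=src_br, src=dst_net[10], dst=src_net[10], new=False)
    return evaluate(chain, reply) == "ACCEPT"


def reachability_matrix(networks) -> List[List[bool]]:
    """matrix[i][j] is True when network i can open connections to network j."""
    chain = build_chain(networks)
    n = len(networks)
    return [[can_initiate(chain, networks, i, j) for j in range(n)] for i in range(n)]


# Constructed sample: three NAT networks in definition order.
NETWORKS = [
    ("virbr0", Net("192.168.122.0/24")),
    ("virbr1", Net("192.168.100.0/24")),
    ("virbr2", Net("192.168.200.0/24")),
]

if __name__ == "__main__":
    for i, rule in enumerate(build_chain(NETWORKS), 1):
        print(f"{i:2d}  {rule.as_iptables()}")
    for order in (NETWORKS, NETWORKS[::-1]):      # same networks, reversed order
        for (bridge, _), row in zip(order, reachability_matrix(order)):
            print(bridge, ["ok" if ok else "REJECT" for ok in row])
```

The matrix comes out upper-triangular: each bridge reaches itself and every network defined after it, and is rejected by the `-o virbrX REJECT` line of every network defined before it; replies are always accepted by the first rule of the target's block, so only connection setup is asymmetric. Reversing the definition order reverses the triangle, which is the position-dependence the post describes. The model covers the filter table's FORWARD chain only and ignores the nat table and anything other software adds to the chain.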



