[Libvir] [PATCH] Re: iptables masquerade rule overexpansive
- From: Charles Duffy <cduffy messageone com>
- To: libvir-list redhat com
- Subject: [Libvir] [PATCH] Re: iptables masquerade rule overexpansive
- Date: Thu, 27 Mar 2008 15:35:54 -0500
Daniel P. Berrange wrote:
> Instead of having the separate ACCEPT rule I think it would be sufficient
> to replace the 0.0.0.0/0 target with ! 192.168.65.0/24, e.g.
>
> iptables -t nat -A POSTROUTING
> --source 192.168.65.0/24
> --destination ! 192.168.65.0/24
> -j MASQUERADE
>
> so it will masquerade traffic which is leaving the ip range of the virtual
> network only, and leave ip traffic between the VMs & VM<->host alone.
I considered that -- but while it will work as long as the default
forward rule is ACCEPT, it could result in hosts being unable to
communicate with each other if the default rule for the table is otherwise.
That said, it's certainly easier... patch attached.
diff -ru libvirt-0.4.0.orig/src/iptables.c libvirt-0.4.0/src/iptables.c
--- libvirt-0.4.0.orig/src/iptables.c 2007-12-12 07:30:49.000000000 -0600
+++ libvirt-0.4.0/src/iptables.c 2008-03-27 15:31:29.000000000 -0500
@@ -1047,6 +1047,7 @@
return iptablesAddRemoveRule(ctx->nat_postrouting,
action,
"--source", network,
+ "--destination", "!", network,
"--out-interface", physdev,
"--jump", "MASQUERADE",
NULL);
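Review bot: the added `"--destination", "!", network` uses the intrapositioned negation form (`--destination ! addr`); iptables still accepts it, but the documented preferred form is the extrapositioned `! --destination addr`, and later iptables releases print a deprecation warning for the intrapositioned spelling. Since iptablesAddRemoveRule() hands these strings straight to the iptables binary, consider emitting `"!", "--destination", network` instead so the rule keeps working silently on newer iptables. The intent itself matches the mail: packets from the virtual network that stay inside it no longer match the MASQUERADE target.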
@@ -1054,6 +1055,7 @@
return iptablesAddRemoveRule(ctx->nat_postrouting,
action,
"--source", network,
+ "--destination", "!", network,
"--jump", "MASQUERADE",
NULL);
}
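Review bot: this second call site (the variant without `--out-interface`) repeats the negated destination verbatim and has the same intrapositioned-negation concern as the first hunk; a short comment above each call saying that traffic staying inside the virtual network must keep its real source address (VM<->VM and VM<->host) would document why the rule is shaped this way. This variant is also where the fix matters most: without an `--out-interface` match, the old rule masqueraded every packet sourced from the network regardless of destination.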
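To make the effect of the negated destination concrete, here is an added model of the POSTROUTING MASQUERADE rule before and after this patch. It is illustration code written for this thread, not libvirt's own code: it builds the iptables argument list the way the patched iptablesForwardMasquerade() call does (function and sample names are assumptions), then evaluates a few constructed flows against that rule to show which ones would have their source address rewritten. It models only the rule's `--source`/`--destination`/`--out-interface` matching, not which netfilter hook a given flow actually traverses.

```python
"""Model of libvirt's MASQUERADE rule with and without the negated destination.

Added example for the thread above, not libvirt code. The virtual network
and the sample endpoints below are constructed values.
"""
import ipaddress

# Constructed sample data: the virtual network from the thread and three flows
# originating inside it.
NETWORK = "192.168.65.0/24"
SAMPLES = {
    "vm_to_vm":       ("192.168.65.2", "192.168.65.3"),
    "vm_to_host":     ("192.168.65.2", "192.168.65.1"),
    "vm_to_external": ("192.168.65.2", "198.51.100.7"),
}


def build_masquerade_rule(network, physdev=None, restrict_dest=False):
    """Return the iptables argument list for the POSTROUTING masquerade rule.

    restrict_dest=False reproduces the pre-patch rule (any destination);
    restrict_dest=True adds the negated destination introduced by the patch.
    physdev, when given, adds the --out-interface match of the first hunk.
    """
    args = ["--source", network]
    if restrict_dest:
        args += ["--destination", "!", network]
    if physdev:
        args += ["--out-interface", physdev]
    args += ["--jump", "MASQUERADE"]
    return args


def rule_matches(args, src, dst, out_iface=None):
    """Evaluate one packet (src, dst, outgoing interface) against the rule.

    Mimics iptables matching: every --source/--destination/--out-interface
    match must hold, and a '!' directly after an option negates that match.
    """
    i = 0
    while i < len(args):
        opt = args[i]
        if opt == "--jump":
            break  # target reached; all matches held
        negate = args[i + 1] == "!"
        value = args[i + 2] if negate else args[i + 1]
        i += 3 if negate else 2
        if opt == "--source":
            hit = ipaddress.ip_address(src) in ipaddress.ip_network(value)
        elif opt == "--destination":
            hit = ipaddress.ip_address(dst) in ipaddress.ip_network(value)
        elif opt == "--out-interface":
            hit = out_iface == value
        else:
            raise ValueError("unsupported option %s" % opt)
        if hit == negate:  # plain match failed, or negated match succeeded
            return False
    return True


def masqueraded_traffic(network, restrict_dest):
    """Names of the sample flows whose source address the rule would rewrite."""
    rule = build_masquerade_rule(network, restrict_dest=restrict_dest)
    return sorted(name for name, (src, dst) in SAMPLES.items()
                  if rule_matches(rule, src, dst))


if __name__ == "__main__":
    for restrict in (False, True):
        print("restrict_dest=%s -> %s"
              % (restrict, masqueraded_traffic(NETWORK, restrict)))
```

Run stand-alone, the pre-patch rule reports all three flows as masqueraded, i.e. VM-to-VM and VM-to-host packets would leave with a rewritten source address, while the patched rule rewrites only the flow bound for an address outside the virtual network.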