[Libvir] Virtual networking (not the rathole thread :-)

Mark McLoughlin markmc at redhat.com
Thu Jan 25 16:00:25 UTC 2007


Hey,
	So, the latest patches are at:

  http://www.gnome.org/~markmc/code/libvirt-networking/

	I'm pretty happy with how things are at the moment. I've more or less
cleared out my todo list on this[1], but I'm left with a big fat
elephant sitting in the corner looking quite guilty ... iptables :-)

	Basically, once you create a virtual network, you need the following
iptables rules:

  - Allow bridging across the vnet's bridge - e.g. just allow all
    bridging:

      $> iptables -D FORWARD 1
      $> iptables -A FORWARD -m physdev ! --physdev-is-bridged
                  -j REJECT --reject-with icmp-host-prohibited

  - Allow DHCP and DNS requests from guests:

      $> iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT
      $> iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT
      $> iptables -I INPUT -p udp -m udp --dport 67 -j ACCEPT

  - Enable forwarding and SNAT:

      $> echo 1 > /proc/sys/net/ipv4/ip_forward
      $> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  - And any DNAT rules to e.g. re-direct port 8080 on the host to port 
    80 on a specific guest.

	Figuring out what the rules should be and adding them isn't a
problem ... the problem is how to interact with the underlying
distribution's iptables infrastructure.

	e.g. in Fedora, if you just go ahead and add these rules, they'd be
wiped out by "service iptables restart", or overwritten by the firewall
config tool or saved and applied at boot if you used "service iptables
save". Bit of a mess :/

Cheers,
Mark.

[1] - Well, networks for unprivileged users is another big todo item
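The rule set Mark lists above, kept as one list so it can be re-verified after a "service iptables restart" has flushed it and only the missing rules re-added; this is an added example, not code from Mark's patches or from libvirt, and "eth0" and the iptables-save excerpt are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from Mark's patches or libvirt. "eth0" and the
# iptables-save excerpt below are constructed sample values.

# The post's per-network rules, one per line in iptables-save syntax and
# prefixed with their table, so one list drives both apply and verify.
vnet_rules() {
    cat <<EOF
filter -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
filter -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
filter -A INPUT -p udp -m udp --dport 53 -j ACCEPT
filter -A INPUT -p udp -m udp --dport 67 -j ACCEPT
nat -A POSTROUTING -o $1 -j MASQUERADE
EOF
}

# Print the rules that an iptables-save dump (read on stdin) lacks. Whole-line
# fixed-string matching: a rule with another interface or target is "missing".
vnet_missing() {
    dump=$(cat)
    vnet_rules "$1" | while read -r table rule; do
        printf '%s\n' "$dump" | grep -qxF -- "$rule" \
            || printf '%s %s\n' "$table" "$rule"
    done
}

# Re-add only what is missing (root; assumes an iptables with -C, which
# 2007's did not have). Appends rather than using the post's -I positions.
vnet_apply() {
    iptables-save | vnet_missing "$1" | while read -r table rule; do
        set -- $rule; shift              # drop "-A", keep "CHAIN match... -j T"
        iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
    done
}

# Constructed dump: DNS and bridge rules survived a restart, DHCP and NAT did not.
sample_dump() {
    cat <<'EOF'
*filter
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
COMMIT
EOF
}

sample_dump | vnet_missing eth0      # the two rules to restore
```

Running the same check from a cron job or a post-restart hook gives a cheap way to notice the "rules wiped out" case before guests lose DHCP and NAT.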