
[libvirt] Proposed: always allow packets internal to an interface

Currently, when an interface (virtual network) is started, if no IP address is defined, then no rule is added to permit "internal" network traffic. However, virtual guests can use such a network to communicate if a rule is added to the iptables/ip6tables rule set. This will work even if no IP address is defined on an interface (which is valid).

I propose that rules of the following forms be added when an interface is started and removed when it is destroyed:

iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT

ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT

If a user wants a "very private network", the user has to run the above commands. The proposal simply does this automatically.

Gene
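As an added example, not part of Gene's post and not libvirt's own code, the POSIX shell script below builds and applies the proposed rule pair for one bridge: it inserts both rules idempotently on network start and removes every copy on destroy, checking with `-C` first so restarting a network never stacks duplicates. The bridge name `virbr18` comes from the post; the `add`/`remove` actions, the function names and the `DRYRUN` variable are this example's own assumptions. Applying the rules needs root; with `DRYRUN=1` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not libvirt's code: manage the per-bridge FORWARD rules from
# the proposal for one virtual-network bridge such as virbr18.
#   Usage:  sh vnet-internal.sh virbr18 add|remove   (root needed to apply)
#   DRYRUN=1 prints the commands instead of running them.

# Accept only names the kernel allows for an interface (1-15 chars from
# [A-Za-z0-9_.-], not starting with '-'), so a bad name can never be read
# by iptables as an extra option.
valid_bridge() {
    [ ${#1} -le 15 ] || return 1
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one command for $1 (iptables|ip6tables), action $2, bridge $3.
#   add    : -I FORWARD 1, as in the proposal; position 1 means an existing
#            REJECT for the same bridge further down cannot shadow the rule
#   remove : -D with the identical match, for network destroy
#   check  : -C, exit 0 if the rule is already present (used for idempotency)
# Matching both -i and -o on the same bridge only covers traffic forwarded
# between guests on that bridge; nothing is opened towards other interfaces.
internal_rule_cmd() {
    case $2 in
        add)    printf '%s -I FORWARD 1 -i %s -o %s -j ACCEPT\n' "$1" "$3" "$3" ;;
        remove) printf '%s -D FORWARD -i %s -o %s -j ACCEPT\n'   "$1" "$3" "$3" ;;
        check)  printf '%s -C FORWARD -i %s -o %s -j ACCEPT\n'   "$1" "$3" "$3" ;;
        *)      return 1 ;;
    esac
}

# Execute a command built by internal_rule_cmd (word-split on purpose: every
# word comes from a fixed template or a validated bridge name).
run_rule() {
    # shellcheck disable=SC2046
    $(internal_rule_cmd "$@")
}

# Add (network start) or remove (network destroy) the IPv4 and IPv6 rules.
# add is idempotent: restarting a network does not stack duplicate rules.
# remove deletes every copy, so duplicates left by earlier tooling go too.
apply_internal_rules() {
    valid_bridge "$1" || { echo "invalid bridge name: $1" >&2; return 2; }
    case $2 in add|remove) ;; *) echo "action must be add or remove" >&2; return 2 ;; esac
    for tool in iptables ip6tables; do
        if [ "${DRYRUN:-0}" = 1 ]; then
            internal_rule_cmd "$tool" "$2" "$1"
        elif [ "$2" = add ]; then
            run_rule "$tool" check "$1" 2>/dev/null || run_rule "$tool" add "$1"
        else
            while run_rule "$tool" check "$1" 2>/dev/null; do
                run_rule "$tool" remove "$1" || break
            done
        fi
    done
}

# Run directly as a script with <bridge> <add|remove>; sourced without
# arguments (e.g. for testing) it only defines the functions.
if [ $# -eq 2 ]; then
    apply_internal_rules "$1" "$2"
fi
```

Hooking this into the network lifecycle is left to the caller (a libvirt network hook or an init script); the point of the check-before-insert and delete-until-gone loops is that the rule set ends up identical no matter how many times a network is started or destroyed.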

