[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Proposed: always allow packets internal to an interface



On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
Currently, when an interface (virtual network) is started, if no ip address is defined, then no rule is added to bemit "internal" network traffic. However, virtual guests can use such a network to communicate if a rule is added to the iptables/ip6tables rule set. This will work even if no ip address is defined on an interface (which is valid).

I propose that rules of the following forms be added when an interface is started and removed when it is destroyed:

iptables -I FORWARD 1 -i  virbr18 -o  virbr18  -j  ACCEPT

ip6tables -I FORWARD 1 -i  virbr18 -o  virbr18  -j  ACCEPT

If a user wants a "very private network", the user has to run the above commands. The proposal simply does this automatically.
It appears that this patch is not necessary since I can do this now using nwfilters.

Question: I see little discussed or anything about nwfilters. Is nwfilters an active concept or is it still included because of legacy? Will this still work with firewalld?

Gene


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]