[libvirt] Proposed: always allow packets internal to an interface

Gene Czarcinski gene at czarc.net
Sun Nov 4 17:18:24 UTC 2012


On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
> Currently, when an interface (virtual network) is started, if no ip 
> address is defined, then no rule is added to permit "internal" network 
> traffic.  However, virtual guests can use such a network to 
> communicate if a rule is added to the iptables/ip6tables rule set. 
> This will work even if no ip address is defined on an interface (which 
> is valid).
>
> I propose that rules of the following forms be added when an interface 
> is started and removed when it is destroyed:
>
> iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>
> ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>
> If a user wants a "very private network", the user has to run the 
> above commands.  The proposal simply does this automatically.
It appears that this patch is not necessary since I can do this now 
using nwfilters.

Question:  I see little discussed, or written anywhere, about nwfilters.  Is 
nwfilters an active concept, or is it still included only as a legacy feature?  
Will this still work with firewalld?

Gene
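The rules quoted in the proposal above, as a small POSIX sh helper that adds them when a bridge comes up and removes them when it goes away. This is an added example, not code from libvirt or from the original poster; it assumes iptables and ip6tables are installed, that the caller is root unless DRY_RUN is set, and that the bridge name is passed in as the first argument (the name check, the DRY_RUN switch and the function names are this example's own choices). It also guards the two things a practitioner would want guarded before this goes into any start/stop hook: the interface name is validated before it is spliced into a command line, and the rule is only inserted if it is not already present, so a repeated "started" does not stack duplicate ACCEPT rules at the top of FORWARD.

```shell
#!/bin/sh
# Added example: per-bridge "internal traffic" FORWARD rules for IPv4 and IPv6.
# Not libvirt code. Assumes iptables/ip6tables are present and that we run as
# root unless DRY_RUN is set (then the commands are only printed).

# Reject anything that is not a plausible Linux interface name before it is
# interpolated into a command: at most 15 bytes (IFNAMSIZ - 1) and only the
# characters seen in names such as virbr18. This is the assumed policy here.
valid_ifname() {
    case "$1" in
        "" | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the command that adds (op=add) or deletes (op=del) the rule allowing
# packets that both enter and leave through the same bridge. tool is
# iptables or ip6tables; the add form is exactly the one from the proposal.
rule_cmd() {
    tool=$1; op=$2; br=$3
    case "$op" in
        add) printf '%s -I FORWARD 1 -i %s -o %s -j ACCEPT\n' "$tool" "$br" "$br" ;;
        del) printf '%s -D FORWARD -i %s -o %s -j ACCEPT\n' "$tool" "$br" "$br" ;;
        *)   return 1 ;;
    esac
}

# Add or remove the rules for one bridge, for both address families.
# 'iptables -C' (rule check) makes this idempotent: add skips a rule that is
# already there, del skips one that is already gone.
intra_bridge_rules() {
    op=$1; br=$2
    valid_ifname "$br" || { echo "refusing bad interface name: $br" >&2; return 2; }
    for tool in iptables ip6tables; do
        cmd=$(rule_cmd "$tool" "$op" "$br") || return 2
        if [ -n "${DRY_RUN-}" ]; then
            echo "$cmd"
            continue
        fi
        case "$op" in
            add) "$tool" -C FORWARD -i "$br" -o "$br" -j ACCEPT 2>/dev/null && continue ;;
            del) "$tool" -C FORWARD -i "$br" -o "$br" -j ACCEPT 2>/dev/null || continue ;;
        esac
        # $cmd is deliberately unquoted: it is a validated, space-separated
        # command line built above, so word splitting is what we want here.
        $cmd || return 1
    done
}

# Usage: intra_bridge.sh <bridge> started|stopped
# e.g. intra_bridge.sh virbr18 started   (run when the network is started)
#      intra_bridge.sh virbr18 stopped   (run when it is destroyed)
if [ "$#" -eq 2 ]; then
    case "$2" in
        started) intra_bridge_rules add "$1" ;;
        stopped) intra_bridge_rules del "$1" ;;
        *) echo "usage: $0 <bridge> started|stopped" >&2; exit 2 ;;
    esac
fi
```

Two caveats when wiring this in: the -C rule check needs iptables 1.4.11 or newer, and because the rule is inserted at position 1 it sits ahead of everything else in FORWARD, including any REJECT that libvirt or the distribution put there, so run iptables -S FORWARD afterwards to confirm the ordering is what you intended.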
