[libvirt] Proposed: always allow packets internal to an interface

Mon Nov 5 17:35:42 UTC 2012

On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
> Currently, when an interface (virtual network) is started, if no ip
> address is defined, then no rule is added to bemit "internal" network
> traffic.  However, virtual guests can use such a network to
> communicate if a rule is added to the iptables/ip6tables rule set.
> This will work even if no ip address is defined on an interface (which
> is valid).
>
> I propose that rules of the following forms be added when an interface
> is started and removed when it is destroyed:
>
> iptables -I FORWARD 1 -i  virbr18 -o  virbr18  -j  ACCEPT

This rule is already added - see the call to
iptablesAddForwardAllowCross towards the end of
networkAddGeneralIptablesRules. An isolated network with no <ip>
elements should work with no problems for IPv4 traffic between the guests.

>
> ip6tables -I FORWARD 1 -i  virbr18 -o  virbr18  -j  ACCEPT

This one currently isn't getting added, because
networkAddGeneralIp6tablesRules() returns immediately if there are no
ipv6 addresses defined for the network.

Note that up until now, unless someone had an ipv6 address defined for a
network, ip6tables was never called, so theoretically you could run
libvirtd without having ip6tables installed on your machine, but with
this change *all* networks would fail to start if the ip6tables binary
was missing. That *shouldn't* be a problem because (at least on
Fedora/RHEL/CentOS) it is a part of the same package as iptables, but
I've seen strange setups in the last few years - in particular I recall
one Gentoo user whose networks were mysteriously failing, and it was
because he had built the iproute package with some sort of "minimal"
configuration that's available on Gentoo, causing something or other to
fail in a mysterious way (compounded in troubleshooting by the fact that
none of us would ever have expected such a thing).

Beyond that, the sysctl setting net.ipv6.conf.virbrX.disable_ipv6 is
always set to 1 UNLESS there is at least one ipv6 address on the
network. This was in the code for quite awhile before IPv6 support was
added. I wasn't around when that was put in, but it was consciously put
in by "somebody" who didn't want that allowed on an IPv4-only network.
danpb may be able to offer more insight on what prompted it, since he's
been involved from the beginning.

> If a user wants a "very private network", the user has to run the
> above commands.  The proposal simply does this automatically.

When IPv6 support was added, one of the goals was that operation of the
networks would be 100% identical for existing configurations. So if we
want anything to change, either we need to discuss if it's okay to
change the default behavior, or we need to add an attribute somewhere
that indicates "allow IPv6 traffic even if I don't have any IPv6 addresses".