
Re: [libvirt] Network definition questions



On 03/28/2013 03:22 PM, Laine Stump wrote:
On 03/27/2013 04:00 PM, Gene Czarcinski wrote:
If an IPv4 address is *not* specified, then the IPv4 network is
isolated and, by default, internal (internal to the specific
interface) IPv4 routing is enabled.
Define "enable IPv4 routing"

ipv4 forwarding is not explicitly enabled in this case, but guests
connected to the bridge can talk to each other.

If an IPv6 address is *not* specified, then the IPv6 network is
isolated and, by default, internal IPv6 routing is disabled but can be
enabled if ipv6='yes' is specified on <network>.
Correct (but you knew this better than me :-)

If an IPv6 address is specified, then it is routed.
Define "routed". If there is no <forward> element, then rules are added
to reject any traffic that tries to be forwarded beyond the bridge, or
forwarded into the bridge from outside. However, IPv6 traffic between
interfaces directly connected to the bridge (i.e. the guests) and the
bridge itself is allowed.

If an IPv4 address is specified, then it can be
Network-Address-Translated or routed.  Not having a <forward>
explicitly specified does not mean that a route is not established.
Do you mean the direct route for the bridge's own subnet? If there is no
<forward>, then the rules added by networkAddGeneralIptablesRules will
be in effect - aside from allowing receive of dhcp, dns, and possibly
tftp to the host from guests (and ignoring inter-guest traffic), these
rules will reject attempts to forward into or out of the bridge.


Do I understand things correctly?

Not sure. Did what I said match up with what you understand? :-)

OK, I was working on the virtual network support in virt-manager when I realized that I was not sure I understood what the forwarding/routing rules were. I needed this so I could accurately display just what IPv4 and IPv6 routing was enabled on a network (interface). Based on more thinking and what you said above, let me try again.

Isolated-1: *no* address specified
        IPv4 - internal routing between guests is enabled.
        IPv6 - internal routing between guests is enabled only if ipv6='yes' is specified

Isolated-2: address specified but no <forward>
        IPv4 - internal routing between guests and between guests and virtualization host
        IPv6 - internal routing between guests and between guests and virtualization host
        Also - dnsmasq used for DNS service for each address specified
        Opt - dhcp for either or both addresses

Routed-1 - address specified, <forward> with NAT
        IPv4 - forwarded with Network Address Translation
        IPv6 - forward-routed with no restrictions
        Also - dnsmasq used for DNS service for each address specified
        Opt - dhcp for either or both addresses

Routed-2 - address specified, <forward> with route specified
        IPv4 - forward-routed with no restrictions
        IPv6 - forward-routed with no restrictions
        Also - dnsmasq used for DNS service for each address specified
        Opt - dhcp for either or both addresses

So, if IPv6 is to be forwarded then there must be a <forward> in the definition.

It also appears that there is no way to specify forwarding for only IPv4 or IPv6 if each has an address specified.

Gene
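Gene's four-case table, turned into a small classifier as an added example (not code from this thread, libvirt or virt-manager): it reads a libvirt `<network>` definition and reports, per address family, which case applies. The sample definitions are constructed; the defaults assumed (an `<ip>` without `family=` is IPv4, a `<forward>` without `mode=` is NAT) follow libvirt's documented behaviour, and forward modes other than nat/route are out of the thread's scope.

```python
"""Classify a libvirt <network> XML into the routing cases from the thread:
Isolated-1 (no address), Isolated-2 (address, no <forward>),
Routed-1 (<forward mode='nat'>), Routed-2 (<forward mode='route'>)."""
import xml.etree.ElementTree as ET


def classify_network(xml_text):
    """Return {'ipv4': ..., 'ipv6': ...} describing what is permitted per family."""
    net = ET.fromstring(xml_text)
    if net.tag != "network":
        raise ValueError("expected a <network> document")
    # An <ip> element with no family= attribute is IPv4 in libvirt's schema.
    families = {ip.get("family", "ipv4") for ip in net.findall("ip")}
    fwd = net.find("forward")
    # libvirt treats <forward/> with no mode attribute as mode='nat'.
    mode = fwd.get("mode", "nat") if fwd is not None else None
    ipv6_flag = net.get("ipv6") == "yes"
    result = {}
    for fam in ("ipv4", "ipv6"):
        if fam not in families:
            # No address: isolated for this family. Inter-guest IPv6 needs
            # ipv6='yes' on <network>; inter-guest IPv4 is always allowed.
            if fam == "ipv6" and not ipv6_flag:
                result[fam] = "disabled"
            else:
                result[fam] = "isolated: guests only"
        elif mode is None:
            # Address but no <forward>: guests reach each other and the host
            # (dnsmasq, optional dhcp), but nothing is forwarded off the bridge.
            result[fam] = "isolated: guests and host"
        elif mode == "nat" and fam == "ipv4":
            result[fam] = "forwarded with NAT"
        elif mode in ("nat", "route"):
            # The <forward> mode applies to both families; IPv6 is never
            # NATed, so under mode='nat' it is simply routed.
            result[fam] = "forward-routed"
        else:
            result[fam] = "mode %s: not covered here" % mode
    return result


# Constructed sample definitions (addresses are documentation ranges).
SAMPLE_NAT = """<network>
  <name>example-nat</name>
  <forward mode='nat'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
  <ip family='ipv6' address='2001:db8::1' prefix='64'/>
</network>"""
SAMPLE_ISOLATED = "<network ipv6='yes'><name>example-isolated</name></network>"

if __name__ == "__main__":
    for sample in (SAMPLE_NAT, SAMPLE_ISOLATED):
        print(classify_network(sample))
```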

