[libvirt-users] Modify Iptables Rules (virbr0 & virbr1)

Laine Stump laine at laine.org
Tue Aug 13 11:23:59 UTC 2013


On 08/13/2013 07:07 AM, Jorge Fábregas wrote:
> On 08/13/2013 06:31 AM, Laine Stump wrote:
>> Correct. That is a known problem since 2008:
>>
>>    https://bugzilla.redhat.com/show_bug.cgi?id=453580
> Thanks Laine for confirming it is a known issue.  I googled it a lot but
> couldn't find that bugzilla entry.
>
> Do you know if this is still the case with the upcoming Fedora 20 &
> firewalld? (these rules are still being created)?

There hasn't been any substantial change in the iptables rules added by
libvirt for virtual networks in a long time; libvirt's firewalld usage
is in the form of sending firewall-cmd exactly the same rules that were
previously sent directly to iptables.

>
>> Due to the large amount of work required to fix it relative to the
>> apparent demand for a fix, it has remained unchanged.
> I'm wondering if it really takes a lot of work.  I think that by just
> changing the order of the rules everything gets fixed.  If we group the
> rules *by functionality* instead of *by virtual-network* we can
> accomplish a particular goal (drop communication between
> virtual-networks or allow them):

Sure, that's simple if you're going to start/stop all virtual networks
together as a group. It's more complicated if you want each network to
operate independently of the other (i.e. to be able to start/stop each
network without affecting the others). Possibly the way to do that would
be to create separate chains for the allow and block. You're welcome to
write a patch for it :-)

>
> (Notice that I did not insert or delete any rule; just changed the order):
>
> - Allow communication between virtual-networks (regardless of direction):
> http://fpaste.org/31729/
>
> - Block communication between virtual-networks (except for the LAN):
> http://fpaste.org/31731/
>
>> Note that if you want to have multiple virtual networks that can
>> communicate with each other, you can define all the networks as <forward
>> mode='route'/> (which gives them iptables rulesets that allow all access
>> in both directions), then add in appropriate "blanket" NAT rules
>> yourself in the host's iptables config.
> Right, that's what I'm using now: just had to add a static route to my
> home router in order for them to be able to use the net.

Yes, that's another option, for those that have control over the routing
tables of their network.
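The "separate chains for the allow and block" layout discussed above, written out as an added example (not libvirt's code and not the rules from the linked pastes): each libvirt-style NAT network gets its rules inserted into function-specific chains, so a network can be added or removed without changing how the others are evaluated, and inter-network blocking is one toggle rather than a re-ordering of every network's rules. The chain names VNET_BLOCK/VNET_INTRA/VNET_ALLOW and the subnets are assumptions; the script only prints the iptables commands unless IPT is set.

```shell
#!/bin/sh
# Added example, not libvirt's code: NAT-network rules grouped by function
# into dedicated chains (VNET_* names are assumptions).  The block chain is
# consulted before any per-network ACCEPT, so rule order between networks
# no longer matters.  Dry run by default; as root, IPT=iptables applies it.
IPT="${IPT:-echo iptables}"

vnet_setup() {
    $IPT -N VNET_BLOCK; $IPT -N VNET_INTRA; $IPT -N VNET_ALLOW
    # Traffic between any two virbr* bridges is checked in VNET_INTRA:
    # same-bridge traffic RETURNs (per-network rule), everything else is
    # rejected, i.e. forwarding between *different* virtual networks.
    $IPT -A VNET_BLOCK -i virbr+ -o virbr+ -j VNET_INTRA
    $IPT -A VNET_INTRA -j REJECT --reject-with icmp-port-unreachable
    # Per-network ACCEPTs are inserted above these two catch-alls, which
    # take the role of libvirt's per-interface "-i/-o virbrN -j REJECT".
    $IPT -A VNET_ALLOW -o virbr+ -j REJECT --reject-with icmp-port-unreachable
    $IPT -A VNET_ALLOW -i virbr+ -j REJECT --reject-with icmp-port-unreachable
    $IPT -I FORWARD -j VNET_ALLOW
}

# vnet_policy block|allow: inter-network forwarding is a single jump in
# FORWARD (always at position 1, ahead of VNET_ALLOW), not a rule reorder.
vnet_policy() {
    case "$1" in
        block) $IPT -I FORWARD 1 -j VNET_BLOCK ;;
        allow) $IPT -D FORWARD -j VNET_BLOCK ;;
        *) echo "usage: vnet_policy block|allow" >&2; return 1 ;;
    esac
}

# vnet_network add|del BRIDGE SUBNET: rules of the kind libvirt installs per
# NAT network, placed in the function-specific chains (order-independent).
vnet_network() {
    case "$1" in add) op=-I ;; del) op=-D ;; *) return 1 ;; esac
    br="$2"; net="$3"
    $IPT $op VNET_INTRA -i "$br" -o "$br" -j RETURN
    $IPT $op VNET_ALLOW -i "$br" -o "$br" -j ACCEPT
    $IPT $op VNET_ALLOW -s "$net" -i "$br" -j ACCEPT
    $IPT $op VNET_ALLOW -d "$net" -o "$br" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -t nat $op POSTROUTING -s "$net" ! -d "$net" -j MASQUERADE
}

# Demo (constructed subnets): two NAT networks, inter-network traffic blocked.
if [ "${VNET_DEMO:-}" = 1 ]; then
    vnet_setup; vnet_policy block
    vnet_network add virbr0 192.168.122.0/24
    vnet_network add virbr1 192.168.123.0/24
fi
```

Removing one network (`vnet_network del virbr1 192.168.123.0/24`) deletes exactly its own five rules and leaves the block policy and the other network untouched.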
