Currently, when an interface (virtual network) is started, if no IP
address is defined, then no rule is added to permit "internal" network
traffic. However, virtual guests can use such a network to communicate
if a rule is added to the iptables/ip6tables rule set. This will work
even if no IP address is defined on an interface (which is valid).
I propose that rules of the following forms be added when an interface
is started and removed when it is destroyed:
iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
If a user wants a "very private network", the user has to run the above
commands. The proposal simply does this automatically.
Gene
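One way to get the proposed behaviour today, without patching libvirt, is a network hook script. The following is an added example written for this page; it is not code from the original message or from libvirt. It assumes libvirt's network hook interface (the script installed as /etc/libvirt/hooks/network is called with the network name, the operation such as "started" or "stopped", a sub-operation, and the network XML on stdin); the function names and the constructed XML in the comments are this example's own. It inserts the two FORWARD rules only when they are not already present and deletes every copy on "stopped", so repeated events do not stack duplicates, and it validates the bridge name before it reaches a command line.

```shell
#!/bin/sh
# Added example (not from the original post or from libvirt): a libvirt
# network hook that installs the proposed intra-bridge FORWARD rules when a
# network is started and removes them when it is stopped.
# Assumed hook interface: /etc/libvirt/hooks/network <network> <operation>
# <sub-operation>, with the network XML on stdin.
set -eu

IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"

# Extract the bridge device name from network XML read on stdin,
# e.g. <bridge name='virbr18' stp='on' delay='0'/>  ->  virbr18
bridge_name_from_xml() {
    sed -n "s/.*<bridge[^>]*name=['\"]\([^'\"]*\)['\"].*/\1/p" | head -n 1
}

# Accept only plausible Linux interface names: the value comes from XML and
# ends up in a shell command, so anything else is rejected.
valid_ifname() {
    name="$1"
    case "$name" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#name}" -le 15 ]
}

# Print the shell commands that add or remove the two rules for a bridge.
#   add: insert at position 1 of FORWARD only if the rule is absent (-C checks)
#   del: delete until -C no longer finds a copy, so nothing is left behind
# Printing rather than executing lets the caller (or a test) inspect them.
rule_commands() {
    action="$1"
    br="$2"
    spec="-i $br -o $br -j ACCEPT"
    for tool in "$IPT" "$IP6T"; do
        case "$action" in
            add) echo "$tool -C FORWARD $spec 2>/dev/null || $tool -I FORWARD 1 $spec" ;;
            del) echo "while $tool -C FORWARD $spec 2>/dev/null; do $tool -D FORWARD $spec; done" ;;
            *)   echo "rule_commands: unknown action '$action'" >&2; return 1 ;;
        esac
    done
}

# Hook entry point: $1 = network name, $2 = operation, XML on stdin.
hook_main() {
    net="$1"
    op="$2"
    br="$(bridge_name_from_xml)"
    if ! valid_ifname "$br"; then
        echo "network '$net': no usable bridge name in XML" >&2
        return 1
    fi
    case "$op" in
        started) rule_commands add "$br" | sh -e ;;
        stopped) rule_commands del "$br" | sh -e ;;
        *)       ;;   # start, port-created, updated, ...: nothing to do
    esac
}

# Only act when libvirtd invokes the hook with arguments; when the file is
# sourced or tested with no arguments nothing touches the firewall.
if [ "$#" -ge 2 ]; then
    hook_main "$@"
fi
```

Installed as /etc/libvirt/hooks/network (mode 0755, and libvirtd restarted so it notices the hook), this runs the same two commands the message proposes for each "started" event, and reverses them on "stopped". The `-C` check matters because libvirt may emit "started" more than once over the lifetime of a daemon, and an unconditional `-I` would accumulate identical rules.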