On 11/04/2012 10:18 AM, Gene Czarcinski wrote:
> On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
>> Currently, when an interface (virtual network) is started, if no ip
>> address is defined, then no rule is added to permit "internal" network
>> traffic. However, virtual guests can use such a network to
>> communicate if a rule is added to the iptables/ip6tables rule set.
>> This will work even if no ip address is defined on an interface (which
>> is valid).
>>
>> I propose that rules of the following forms be added when an interface
>> is started and removed when it is destroyed:
>>
>> iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>>
>> ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
I'm not as familiar with this as others, so I'll defer on whether this
makes sense.
>>
>> If a user wants a "very private network", the user has to run the
>> above commands. The proposal simply does this automatically.
> It appears that this patch is not necessary since I can do this now
> using nwfilters.
> Question: I see little discussed or anything about nwfilters. Is
> nwfilters an active concept or is it still included because of legacy?
> Will this still work with firewalld?
But this I can answer. Yes, nwfilters is still an actively maintained
concept, and yes, it is supposed to work with firewalld.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
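As an added example (not code from the thread or from libvirt), here is the proposed start/destroy behaviour as an idempotent shell script for one bridge: the rule is inserted only if absent and every copy is removed on teardown, for both iptables and ip6tables. The IPT4/IPT6 variables and the up/down dispatch are assumptions added so the functions can be driven from the command line or replaced by a test double.

```sh
#!/bin/sh
# Added example: manage the intra-bridge FORWARD rules from the proposal.
# IPT4/IPT6 default to the real tools; they are overridable (assumption)
# so the logic can be exercised without root.
IPT4=${IPT4:-iptables}
IPT6=${IPT6:-ip6tables}

# ensure_rule TOOL BRIDGE: insert at position 1 only if not already present,
# so a repeated "start" does not stack duplicate rules.
ensure_rule() {
    tool=$1; br=$2
    if "$tool" -C FORWARD -i "$br" -o "$br" -j ACCEPT 2>/dev/null; then
        return 0
    fi
    "$tool" -I FORWARD 1 -i "$br" -o "$br" -j ACCEPT
}

# drop_rule TOOL BRIDGE: delete every matching copy (iptables -D removes
# one rule per call), so nothing is left permitting traffic after destroy.
drop_rule() {
    tool=$1; br=$2
    while "$tool" -C FORWARD -i "$br" -o "$br" -j ACCEPT 2>/dev/null; do
        "$tool" -D FORWARD -i "$br" -o "$br" -j ACCEPT
    done
}

# bridge_up / bridge_down: what the proposal would do on start / destroy.
bridge_up()   { ensure_rule "$IPT4" "$1"; ensure_rule "$IPT6" "$1"; }
bridge_down() { drop_rule   "$IPT4" "$1"; drop_rule   "$IPT6" "$1"; }

# Command-line use (needs root): ./script up virbr18 | ./script down virbr18
case "${1:-}" in
    up)   bridge_up   "$2" ;;
    down) bridge_down "$2" ;;
esac
```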