The new forward mode 'open' is just like
mode='route', except that no
firewall rules are added to ensure that any traffic does or doesn't
pass. It is assumed that either they aren't necessary, or they will be
set up outside the scope of libvirt.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=846810
---
docs/formatnetwork.html.in | 22 ++++++++++++
docs/schemas/network.rng | 1 +
src/conf/network_conf.c | 25 +++++++++++--
src/conf/network_conf.h | 1 +
src/network/bridge_driver.c | 41 +++++++++++++++-------
tests/networkxml2confdata/open-network.conf | 11 ++++++
tests/networkxml2confdata/open-network.xml | 9 +++++
tests/networkxml2conftest.c | 1 +
.../open-network-with-forward-dev.xml | 9 +++++
tests/networkxml2xmlin/open-network.xml | 9 +++++
tests/networkxml2xmlout/open-network.xml | 9 +++++
tests/networkxml2xmltest.c | 2 ++
12 files changed, 125 insertions(+), 15 deletions(-)
create mode 100644 tests/networkxml2confdata/open-network.conf
create mode 100644 tests/networkxml2confdata/open-network.xml
create mode 100644 tests/networkxml2xmlin/open-network-with-forward-dev.xml
create mode 100644 tests/networkxml2xmlin/open-network.xml
create mode 100644 tests/networkxml2xmlout/open-network.xml
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index a9226e5..12d1bed 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -260,6 +260,28 @@
<span class="since">Since 0.4.2</span>
</dd>
+ <dt><code>open</code></dt>
+ <dd>
+ As with mode='route', guest network traffic will be
+ forwarded to the physical network via the host's IP
+ routing stack, but there will be no firewall rules added
+ to either enable or prevent any of this traffic. When
+ forward='open' is set, the <code>dev</code> attribute
+ cannot be set (because the forward dev is enforced with
+ firewall rules, and the purpose of forward='open' is to
+ have a forwarding mode where libvirt doesn't add any
+ firewall rules). This mode presumes that the local LAN
+ router has suitable routing table entries to return
+ traffic to this host, and that some other management
+ system has been used to put in place any necessary
+ firewall rules. Although no firewall rules will be added
+ for the network, it is of course still possible to add
+ restrictions for specific guests using
+ <a href="formatnwfilter.html">nwfilter rules</a> on
the
+ guests' interfaces.)
+ <span class="since">Since 2.2.0</span>
+ </dd>
+
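Review bot: the added paragraph ends with an unmatched closing parenthesis ("guests' interfaces.)") that has no opening counterpart anywhere in the sentence; drop the ")". In the same sentence, the word "the" that follows "nwfilter rules</a> on" appears on its own line without a "+" prefix, which looks like mail wrapping but means this hunk should be re-checked against the committed file before it is applied. The wording "no firewall rules added to either enable or prevent any of this traffic" would also be clearer if it stated the consequence outright: whether guest traffic passes at all is then decided entirely by the host's existing FORWARD policy and by whatever rules the external management system installed, which is the property an administrator choosing this mode has to understand.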
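Worked example, added here and not part of the patch or of libvirt's own code: it builds the network XML for the new mode beside the nearest existing one (mode='route'), applies the documented restriction that 'open' must not carry a dev= attribute, and then shows the check an administrator needs before enabling 'open': with no libvirt rules for the bridge, what does the host's FORWARD chain actually do with guest packets? The iptables output is constructed for this example (shaped like the rules libvirt installs for a nat network on virbr0); the bridge names virbr0/virbr1 and the addresses are assumptions.

```python
"""
Added example, not code from the patch or from libvirt itself.

Part 1 builds <network> definitions for forward mode 'open' and for the
closest existing mode, mode='route', and checks the restriction the patch
documents: 'open' must not carry a dev= attribute, because libvirt has no
firewall rules with which to enforce it.

Part 2 answers the question to ask before using 'open': with no libvirt
rules for the bridge, how does the host's FORWARD chain treat the guest's
packets?  The chain dump below is constructed for this example (modelled
on the rules libvirt adds for a nat network on virbr0); bridge names and
addresses are assumptions.
"""
import xml.etree.ElementTree as ET


def network_xml(name, mode, bridge, address, prefix, dev=None):
    """Return a libvirt <network> document as a string."""
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    fwd = ET.SubElement(net, "forward", mode=mode)
    if dev is not None:
        fwd.set("dev", dev)
    ET.SubElement(net, "bridge", name=bridge, stp="on", delay="0")
    ET.SubElement(net, "ip", address=address, prefix=str(prefix))
    return ET.tostring(net, encoding="unicode")


def check_forward(xml_text):
    """Apply the documented rule for mode='open'.
    Returns (mode, None) if acceptable, (mode, reason) if not."""
    fwd = ET.fromstring(xml_text).find("forward")
    if fwd is None:
        return None, None          # isolated network: nothing is forwarded
    mode = fwd.get("mode", "nat")  # libvirt treats a bare <forward/> as nat
    if mode == "open" and fwd.get("dev") is not None:
        return mode, ("dev= is not allowed with mode='open': the forward "
                      "device is enforced only through firewall rules, "
                      "and mode='open' installs none")
    return mode, None


# Constructed `iptables -S FORWARD` output, modelled on the rules libvirt
# adds for a nat network on virbr0.  The 'open' network's bridge (virbr1,
# assumed) does not appear at all, which is exactly what the mode means.
SAMPLE_FORWARD_CHAIN = """\
-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
"""


def _names_iface(tok, bridge):
    """True if a tokenised rule matches `bridge` via -i or -o
    (the interface is the token after the flag, also after a "!")."""
    for flag in ("-i", "-o"):
        if flag in tok:
            i = tok.index(flag) + 1
            if i < len(tok) and tok[i] == bridge:
                return True
    return False


def forward_disposition(chain_dump, bridge):
    """Given `iptables -S FORWARD` output, report how packets entering or
    leaving `bridge` are handled: ("rules", n) when n explicit rules name
    the bridge, otherwise ("policy", <chain policy>), because with no
    matching rule the packets fall straight through to the default."""
    policy, matched = None, 0
    for line in chain_dump.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "FORWARD":
            continue
        if tok[0] == "-P":
            policy = tok[2]
        elif tok[0] == "-A" and _names_iface(tok, bridge):
            matched += 1
    return ("rules", matched) if matched else ("policy", policy)


if __name__ == "__main__":
    for mode, dev in (("route", "eth0"), ("open", None), ("open", "eth0")):
        xml = network_xml("example", mode, "virbr1", "192.168.123.1", 24, dev)
        print(mode, dev, "->", check_forward(xml))
    print("virbr0:", forward_disposition(SAMPLE_FORWARD_CHAIN, "virbr0"))
    print("virbr1:", forward_disposition(SAMPLE_FORWARD_CHAIN, "virbr1"))
```

The second half is the caveat that matters: on a host whose FORWARD policy is ACCEPT, an 'open' network passes everything in both directions until some other tool adds rules; on a host with a DROP policy (a common hardening baseline) the same network gives guests no connectivity at all. The check only reads the iptables FORWARD chain; if the host filters with nftables or firewalld zones, inspect those as well before relying on the result.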
Isn't this basically the same as forward mode="bridge", except that
we still create the bridge ourselves, instead of requiring it to be
pre-created?
If so, I wonder if it's better to add an attribute 'create=yes|no' to
the <bridge> element instead?
Regards,
Daniel