On 9/27/19 6:16 PM, Daniel P. Berrangé wrote:
> From: Malina Salina <malina.salina(a)protonmail.com>
> While the default iptables setup used by Fedora/RHEL distros
> only restricts traffic on the INPUT and/or FORWARD rules,
> some users might have custom firewalls that restrict the
> OUTPUT rules too.
> These can prevent DHCP/DNS/TFTP responses from dnsmasq
> from reaching the guest VMs. We should thus whitelist
> these protocols in the OUTPUT chain, as well as the
> INPUT chain.
> Signed-off-by: Malina Salina <malina.salina(a)protonmail.com>
> Initial patch then modified to add unit tests and IPv6
> support
> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
> ---
> src/libvirt_private.syms | 2 +
> src/network/bridge_driver_linux.c | 29 ++++++++++---
> src/util/viriptables.c | 36 ++++++++++++++++
> src/util/viriptables.h | 8 ++++
> .../nat-default-linux.args | 21 ++++++++++
> .../nat-ipv6-linux.args | 42 +++++++++++++++++++
> .../nat-many-ips-linux.args | 21 ++++++++++
> .../nat-no-dhcp-linux.args | 42 +++++++++++++++++++
> .../nat-tftp-linux.args | 28 +++++++++++++
> .../route-default-linux.args | 21 ++++++++++
> 10 files changed, 244 insertions(+), 6 deletions(-)
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Michal
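The situation the quoted commit message describes, as an added example that is not the libvirt patch's code nor anything from the thread: a host whose OUTPUT policy is DROP, and the OUTPUT-chain rules needed so dnsmasq's DHCP, DNS and TFTP answers still reach guests on the bridge. Everything below is an assumption for illustration: the bridge name virbr0, inserting directly into the built-in OUTPUT chain (libvirt's own chain layout is not assumed), the port-based matching, and the dry-run behaviour unless APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the libvirt patch under review.
# Emits (and optionally applies) OUTPUT-chain rules that let dnsmasq's
# DHCP/DNS/TFTP answers reach guests when the host's OUTPUT policy is DROP.
# Assumptions not taken from the page: the bridge is virbr0, rules go
# straight into the built-in OUTPUT chain (libvirt's own chain layout is
# not assumed), and the rules are only printed unless APPLY=1.

# output_policy TEXT
# Parse `iptables -S OUTPUT` style text and print the chain policy
# (ACCEPT/DROP/...), or "unknown" if no -P line is present. If the policy
# is ACCEPT, none of the rules below are needed.
output_policy() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" && $2 == "OUTPUT" { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# gen_output_rules IFACE FAMILY(ipv4|ipv6)
# Print one iptables/ip6tables command per line, without running it.
gen_output_rules() {
    iface=$1
    family=${2:-ipv4}
    if [ "$family" = ipv6 ]; then
        cmd=ip6tables
        dhcp_client_port=546    # DHCPv6 clients listen on UDP 546
    else
        cmd=iptables
        dhcp_client_port=68     # DHCPv4 clients listen on UDP 68
    fi
    # DHCP: dnsmasq addresses OFFER/ACK (or ADVERTISE/REPLY) to the client
    # port, so the outbound packet is identified by its destination port.
    printf '%s -w -I OUTPUT -o %s -p udp --dport %s -j ACCEPT\n' \
        "$cmd" "$iface" "$dhcp_client_port"
    # DNS: answers leave the host from source port 53, over UDP or TCP.
    printf '%s -w -I OUTPUT -o %s -p udp --sport 53 -j ACCEPT\n' "$cmd" "$iface"
    printf '%s -w -I OUTPUT -o %s -p tcp --sport 53 -j ACCEPT\n' "$cmd" "$iface"
    # TFTP: only the first reply comes from port 69; the data transfer uses a
    # fresh server-side port, so a RELATED,ESTABLISHED rule (with the
    # nf_conntrack_tftp helper loaded) is what lets the transfer complete.
    printf '%s -w -I OUTPUT -o %s -p udp --sport 69 -j ACCEPT\n' "$cmd" "$iface"
    printf '%s -w -I OUTPUT -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' \
        "$cmd" "$iface"
}

# count_rules IFACE FAMILY -> number of rules gen_output_rules would emit
count_rules() {
    gen_output_rules "$1" "$2" | wc -l | tr -d ' '
}

# apply_rules IFACE FAMILY
# Dry run by default; APPLY=1 executes each rule (requires root).
apply_rules() {
    gen_output_rules "$1" "$2" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            $rule
        else
            echo "would run: $rule"
        fi
    done
}
```

Typical use on the host is `output_policy "$(iptables -S OUTPUT)"` to confirm the policy really is restrictive, then `apply_rules virbr0 ipv4` (and `apply_rules virbr0 ipv6` for a dual-stack network) to review the commands, and `APPLY=1 apply_rules virbr0 ipv4` to install them. The TFTP caveat is the one to remember: a port-69 rule alone covers the first server reply only, because the rest of the transfer comes from a newly chosen server port.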