On 11/04/2012 12:18 PM, Gene Czarcinski wrote:
On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
Currently, when an interface (virtual network) is started, if no ip address is defined, then no rule is added to bemit "internal" network traffic. However, virtual guests can use such a network to communicate if a rule is added to the iptables/ip6tables rule set. This will work even if no ip address is defined on an interface (which is valid).
I propose that rules of the following forms be added when an interface is started and removed when it is destroyed:
iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
If a user wants a "very private network", the user has to run the above commands. The proposal simply does this automatically. It appears that this patch is not necessary since I can do this now using nwfilters.
Question: I see little discussed or anything about nwfilters. Is nwfilters an active concept or is it still included because of legacy? Will this still work with firewalld? Well, it was a nice idea anyway. It seems to not work for ipv6.
1. I defined a network with no IPv4 or IPv6 addresses specified. 2. Took one of my guests and put attached that new network. 3. Edited the domain for the guest and added a <filterref name='allow-ipv4'/> 4. Started things up and got what I wanted in iptables. [that is when I wrote the previous message] 5. Using allow-ipv4 as my guide, created a new filter allow-ipv6. 6. Edited the domain again to use allow-ipv6. 7. Started things again ... ip6tables shows nothing! I seem to have stumbled across another bug. More later. Gene