Re: [libvirt] Proposed: always allow packets internal to an interface
On 11/04/2012 12:18 PM, Gene Czarcinski wrote:
On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
> Currently, when an interface (virtual network) is started, if no ip
> address is defined, then no rule is added to bemit "internal" network
> traffic. However, virtual guests can use such a network to
> communicate if a rule is added to the iptables/ip6tables rule set.
> This will work even if no ip address is defined on an interface
> (which is valid).
>
> I propose that rules of the following forms be added when an
> interface is started and removed when it is destroyed:
>
> iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>
> ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>
> If a user wants a "very private network", the user has to run the
> above commands. The proposal simply does this automatically.
It appears that this patch is not necessary since I can do this now
using nwfilters.
Question: I see little discussed or anything about nwfilters. Is
nwfilters an active concept or is it still included because of
legacy? Will this still work with firewalld?
Well, it was a nice idea anyway. It
seems to not work for ipv6.
1. I defined a network with no IPv4 or IPv6 addresses specified.
2. Took one of my guests and put attached that new network.
3. Edited the domain for the guest and added a <filterref
name='allow-ipv4'/>
4. Started things up and got what I wanted in iptables.
[that is when I wrote the previous message]
5. Using allow-ipv4 as my guide, created a new filter allow-ipv6.
6. Edited the domain again to use allow-ipv6.
7. Started things again ... ip6tables shows nothing!
I seem to have stumbled across another bug. More later.
Gene