
On 03/28/2013 03:22 PM, Laine Stump wrote:
> On 03/27/2013 04:00 PM, Gene Czarcinski wrote:
>> If an IPv4 address is *not* specified, then the IPv4 network is isolated and, by default, internal (internal to the specific interface) IPv4 routing is enabled.
>
> Define "enable IPv4 routing"
> ipv4 forwarding is not explicitly enabled in this case, but guests connected to the bridge can talk to each other.
>
>> If an IPv6 address is *not* specified, then the IPv6 network is isolated and, by default, internal IPv6 routing is disabled but can be enabled if ipv6='yes' is specified on <network>.
>
> Correct (but you knew this better than me :-)
>
>> If an IPv6 address is specified, then it is routed.
>
> Define "routed". If there is no <forward> element, then rules are added to reject any traffic that tries to be forwarded beyond the bridge, or forwarded into the bridge from outside. However, IPv6 traffic between interfaces directly connected to the bridge (i.e. the guests) and the bridge itself is allowed.
>
>> If an IPv4 address is specified, then it can be Network-Address-Translated or routed. Not having a <forward> explicitly specified does not mean that a route is not established.
>
> Do you mean the direct route for the bridge's own subnet? If there is no <forward>, then the rules added by networkAddGeneralIptablesRules will be in effect - aside from allowing receive of dhcp, dns, and possibly tftp to the host from guests (and ignoring inter-guest traffic), these rules will reject attempts to forward into or out of the bridge.
>
>> Do I understand things correctly?
>
> Not sure. Did what I said match up with what you understand? :-)

OK, I was working on the virtual network support in virt-manager when I realized that I was not sure I understood what the forwarding/routing rules were. I needed this so I could accurately display just what IPv4 and IPv6 routing was enabled on a network (interface).

Based on more thinking and what you said above, let me try again.

Isolated-1: *no* address specified
    IPv4 - internal routing between guests is enabled.
    IPv6 - internal routing between guests is enabled only if ipv6='yes' is specified

Isolated-2: address specified but no <forward>
    IPv4 - internal routing between guests and between guests and virtualization host
    IPv6 - internal routing between guests and between guests and virtualization host
    Also - dnsmasq used for DNS service for each address specified
    Opt - dhcp for either or both addresses

Routed-1 - address specified, <forward> with NAT
    IPv4 - forwarded with Network Address Translation
    IPv6 - forward-routed with no restrictions
    Also - dnsmasq used for DNS service for each address specified
    Opt - dhcp for either or both addresses

Routed-2 - address specified, <forward> with route specified
    IPv4 - forward-routed with no restrictions
    IPv6 - forward-routed with no restrictions
    Also - dnsmasq used for DNS service for each address specified
    Opt - dhcp for either or both addresses

So, if IPv6 is to be forwarded then there must be a <forward> in the definition. It also appears that there is no way to specify forwarding for only IPv4 or IPv6 if each has an address specified.

Gene
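
The four cases summarized in the message above can be applied to a network definition to see, per address family, whether guests are confined to the bridge. This is an added example, not code from the thread, libvirt or virt-manager; `classify` and `SAMPLES` are hypothetical names, the sample XML is constructed, and the labels follow the summary in the message rather than libvirt's actual firewall rules. A family with no address is treated as the Isolated-1 case even when `<forward>` is present, which is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample network definitions (addresses are made up for the example).
SAMPLES = {
    "isolated-1": "<network ipv6='yes'><name>iso1</name></network>",
    "isolated-2": """<network><name>iso2</name>
        <ip address='192.168.100.1' netmask='255.255.255.0'/>
        <ip family='ipv6' address='fd00:100::1' prefix='64'/></network>""",
    "routed-1": """<network><name>nat1</name><forward mode='nat'/>
        <ip address='192.168.122.1' netmask='255.255.255.0'/>
        <ip family='ipv6' address='fd00:122::1' prefix='64'/></network>""",
    "routed-2": """<network><name>rt1</name><forward mode='route'/>
        <ip address='192.168.150.1' netmask='255.255.255.0'/></network>""",
}

def classify(xml_text):
    """Label IPv4 and IPv6 handling for one <network>, per the thread's summary.

    Parse only trusted definitions (for example `virsh net-dumpxml` output):
    ElementTree does not defend against hostile XML such as entity expansion.
    """
    net = ET.fromstring(xml_text)
    forward = net.find("forward")
    # <forward> without a mode attribute defaults to NAT.
    mode = None if forward is None else forward.get("mode", "nat")
    # An <ip> element without a family attribute is IPv4.
    families = {ip.get("family", "ipv4")
                for ip in net.findall("ip") if ip.get("address")}
    result = {}
    for fam in ("ipv4", "ipv6"):
        if fam not in families:
            # Isolated-1: IPv6 between guests only when ipv6='yes' is set.
            if fam == "ipv6" and net.get("ipv6") != "yes":
                result[fam] = "isolated, guest-to-guest disabled"
            else:
                result[fam] = "isolated, guest-to-guest only"
        elif mode is None:
            result[fam] = "isolated, guests and host"      # Isolated-2
        elif mode == "nat" and fam == "ipv4":
            result[fam] = "forwarded with NAT"             # Routed-1, IPv4
        elif mode in ("nat", "route"):
            result[fam] = "forward-routed"                 # Routed-1 IPv6, Routed-2
        else:
            result[fam] = "other forward mode: " + mode    # not covered above
    return result

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, classify(xml_text))
```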