On 08/12/2016 03:52 AM, Daniel P. Berrange wrote:
> On Thu, Aug 11, 2016 at 10:41:45PM -0400, Laine Stump wrote:
> > The new forward mode 'open' is just like mode='route', except that no
> > firewall rules are added to assure that any traffic does or doesn't
> > pass. It is assumed that either they aren't necessary, or they will be
> > setup outside the scope of libvirt.
> >
> > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=846810
> > ---
> > docs/formatnetwork.html.in | 22 ++++++++++++
> > docs/schemas/network.rng | 1 +
> > src/conf/network_conf.c | 25 +++++++++++--
> > src/conf/network_conf.h | 1 +
> > src/network/bridge_driver.c | 41 +++++++++++++++-------
> > tests/networkxml2confdata/open-network.conf | 11 ++++++
> > tests/networkxml2confdata/open-network.xml | 9 +++++
> > tests/networkxml2conftest.c | 1 +
> > .../open-network-with-forward-dev.xml | 9 +++++
> > tests/networkxml2xmlin/open-network.xml | 9 +++++
> > tests/networkxml2xmlout/open-network.xml | 9 +++++
> > tests/networkxml2xmltest.c | 2 ++
> > 12 files changed, 125 insertions(+), 15 deletions(-)
> > create mode 100644 tests/networkxml2confdata/open-network.conf
> > create mode 100644 tests/networkxml2confdata/open-network.xml
> > create mode 100644 tests/networkxml2xmlin/open-network-with-forward-dev.xml
> > create mode 100644 tests/networkxml2xmlin/open-network.xml
> > create mode 100644 tests/networkxml2xmlout/open-network.xml
> >
> > diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
> > index a9226e5..12d1bed 100644
> > --- a/docs/formatnetwork.html.in
> > +++ b/docs/formatnetwork.html.in
> > @@ -260,6 +260,28 @@
> > <span class="since">Since 0.4.2</span>
> > </dd>
> > + <dt><code>open</code></dt>
> > + <dd>
> > + As with mode='route', guest network traffic will be
> > + forwarded to the physical network via the host's IP
> > + routing stack, but there will be no firewall rules added
> > + to either enable or prevent any of this traffic. When
> > + forward='open' is set, the <code>dev</code>
attribute
> > + cannot be set (because the forward dev is enforced with
> > + firewall rules, and the purpose of forward='open' is to
> > + have a forwarding mode where libvirt doesn't add any
> > + firewall rules). This mode presumes that the local LAN
> > + router has suitable routing table entries to return
> > + traffic to this host, and that some other management
> > + system has been used to put in place any necessary
> > + firewall rules. Although no firewall rules will be added
> > + for the network, it is of course still possible to add
> > + restrictions for specific guests using
> > + <a href="formatnwfilter.html">nwfilter
rules</a> on the
> > + guests' interfaces.)
> > + <span class="since">Since 2.2.0</span>
> > + </dd>
> > +
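Review bot: the new `<dd>` text closes with an unbalanced parenthesis in "guests' interfaces.)" and should drop the ")" (or open one before "Although"). Two doc points worth tightening in the same paragraph: "the dev attribute cannot be set" does not say whether a `<forward mode='open' dev='...'/>` definition is rejected at parse time or the dev is silently ignored, and readers will want that stated explicitly; and since the mode promises no rules at all, it is worth adding one sentence that guest traffic is then subject only to whatever FORWARD policy the host already has, so a host whose default policy drops forwarded traffic will pass nothing until the external management system adds rules.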
> Isn't this basically the same as forward mode="bridge", except that
> we still create the bridge ourselves, instead of requiring it to be
> pre-created ?
Sigh. If only that was the case :-/
> If so, I wonder if it's better to add an attribute 'create=yes|no' to
> the <bridge> element instead ?
ok, ignore my suggestion. There's nothing wrong with what you've proposed.
Regards,
Daniel
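To make the constraint in the quoted documentation concrete (mode='open' adds no firewall rules, and therefore cannot carry a forward dev, which is implemented with firewall rules), here is an added example that checks a libvirt network definition against that rule. It is illustrative code written for this thread, not libvirt's own network_conf.c parser; the element and attribute names (<network>, <forward mode='...' dev='...'>) are libvirt's, the sample XML documents are constructed, and the table of which modes program firewall rules is an assumption limited to the modes discussed on this page.

```python
"""Illustrative check for the forward-mode rule described in the patch's
documentation hunk.  Added example, not libvirt code."""
import xml.etree.ElementTree as ET

# Which forward modes cause libvirt to add firewall rules, per the quoted
# docs: route (and nat) do, the new 'open' mode does not.
# Assumption: only the modes this thread talks about are listed.
ADDS_FIREWALL_RULES = {"nat": True, "route": True, "open": False}


def check_forward(xml_text):
    """Return (mode, dev, problems) for a libvirt <network> document.

    The one rule enforced is the one the docs hunk states: with
    forward mode='open' the dev attribute must not be present, because
    dev is enforced with firewall rules and 'open' promises none.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        return None, None, ["root element is <%s>, expected <network>" % root.tag]
    fwd = root.find("forward")
    if fwd is None:
        return None, None, []  # no <forward/>: isolated network, nothing to check
    mode = fwd.get("mode", "nat")  # libvirt uses NAT when mode is omitted
    dev = fwd.get("dev")
    problems = []
    if mode not in ADDS_FIREWALL_RULES:
        problems.append("forward mode '%s' is not covered by this example" % mode)
    elif mode == "open" and dev is not None:
        problems.append("forward dev='%s' is not allowed with mode='open'" % dev)
    return mode, dev, problems


def host_firewall_rules_expected(xml_text):
    """True if libvirt itself would program firewall rules for this network,
    False for mode='open' (someone else must supply them) or for an
    unknown/invalid definition."""
    mode, _dev, problems = check_forward(xml_text)
    if problems or mode is None:
        return False
    return ADDS_FIREWALL_RULES[mode]


# Constructed sample definitions (addresses from the RFC 5737 TEST-NET range).
OPEN_NET = """<network>
  <name>open-net</name>
  <forward mode='open'/>
  <bridge name='virbr-open'/>
  <ip address='192.0.2.1' netmask='255.255.255.0'/>
</network>"""

# Same network but with a forward dev, which the docs say is not permitted.
OPEN_NET_WITH_DEV = OPEN_NET.replace("mode='open'/>", "mode='open' dev='eth0'/>")

# A route-mode network, where dev is legitimate because libvirt adds the
# rules that confine forwarding to that device.
ROUTE_NET = OPEN_NET.replace("mode='open'/>", "mode='route' dev='eth0'/>")


if __name__ == "__main__":
    for label, doc in (("open", OPEN_NET), ("open+dev", OPEN_NET_WITH_DEV),
                       ("route+dev", ROUTE_NET)):
        mode, dev, problems = check_forward(doc)
        print(label, mode, dev, problems or "ok",
              "libvirt-rules" if host_firewall_rules_expected(doc) else "no-libvirt-rules")
```

Running it shows the open definition accepted with no libvirt-managed rules, the open-with-dev definition flagged, and the route-with-dev definition accepted with libvirt expected to program rules; the check is meant as a pre-define lint for configurations produced by an external management system, not as a replacement for libvirt's own validation.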