
On 08/13/2013 07:07 AM, Jorge Fábregas wrote:
> On 08/13/2013 06:31 AM, Laine Stump wrote:
>> Correct. That is a known problem since 2008:
>> https://bugzilla.redhat.com/show_bug.cgi?id=453580
>
> Thanks Laine for confirming it is a known issue. I googled it a lot but couldn't find that bugzilla entry.
>
> Do you know if this is still the case with the upcoming Fedora 20 & firewalld? (these rules are still being created)?

There hasn't been any substantial change in the iptables rules added by libvirt for virtual networks in a long time; libvirt's firewalld usage is in the form of sending firewall-cmd exactly the same rules that were previously sent directly to iptables.

>> Due to the large amount of work required to fix it relative to the apparent demand for a fix, it has remained unchanged.
>
> I'm wondering if it really takes a lot of work. I think that by just changing the order of the rules everything gets fixed. If we group the rules *by functionality* instead of *by virtual-network* we can accomplish a particular goal (drop communication between virtual-networks or allow them):

Sure, that's simple if you're going to start/stop all virtual networks together as a group. It's more complicated if you want each network to operate independently of the other (i.e. to be able to start/stop each network without affecting the others). Possibly the way to do that would be to create separate chains for the allow and block. You're welcome to write a patch for it :-)

> (Notice that I did not insert or delete any rule; just changed the order):
>
> - Allow communication between virtual-networks (regardless of direction): http://fpaste.org/31729/
> - Block communication between virtual-networks (except for the LAN): http://fpaste.org/31731/
>
>> Note that if you want to have multiple virtual networks that can communicate with each other, you can define all the networks as <forward mode='route'/> (which gives them iptables rulesets that allow all access in both directions), then add in appropriate "blanket" NAT rules yourself in the host's iptables config.
>
> Right, that's what I'm using now: just had to add a static route to my home router in order for them to be able to use the net.

Yes, that's another option, for those that have control over the routing tables of their network.
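The ordering argument in this thread (Jorge's "group by functionality" idea versus libvirt's per-network blocks) can be checked without touching a real host by simulating first-match evaluation of the FORWARD chain. The following is an added example written for this page; it is not code from libvirt, from the fpaste links, or from either author. The five per-network rule templates are an assumed simplification of the FORWARD rules libvirt installs for a NAT network (a conntrack reply rule, an egress rule for the subnet, an intra-bridge rule, and two REJECTs), and the bridge names, subnets and packets are constructed. Under that model, appending each network's rules as a block gives an asymmetric result between the two bridges, while regrouping the same ten rules by purpose yields either "allow everything" or "block inter-network but keep LAN access", with no rule added or removed.

```python
"""First-match simulation of an iptables FORWARD chain for two libvirt-style
NAT networks, to show that rule ORDER alone decides whether guests on
different virtual networks can reach each other.

Added example for this thread; not libvirt code. Rule templates are an
assumed simplification of libvirt's per-network FORWARD rules; bridge
names, subnets and packets are constructed sample data."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    established: bool = False  # would match --ctstate RELATED,ESTABLISHED


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "REJECT"
    in_if: Optional[str] = None      # -i
    out_if: Optional[str] = None     # -o
    src: Optional[str] = None        # -s (CIDR)
    dst: Optional[str] = None        # -d (CIDR)
    established: bool = False        # -m conntrack --ctstate RELATED,ESTABLISHED

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold, exactly like an iptables rule."""
        if self.in_if and pkt.in_if != self.in_if:
            return False
        if self.out_if and pkt.out_if != self.out_if:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.established and not pkt.established:
            return False
        return True


def network_rules(bridge: str, subnet: str) -> dict:
    """Per-network FORWARD rules (assumed simplification of libvirt's NAT
    rules), keyed by purpose so the same rules can be regrouped."""
    return {
        "reply":      Rule("ACCEPT", out_if=bridge, dst=subnet, established=True),
        "egress":     Rule("ACCEPT", in_if=bridge, src=subnet),
        "intra":      Rule("ACCEPT", in_if=bridge, out_if=bridge),
        "reject_in":  Rule("REJECT", out_if=bridge),
        "reject_out": Rule("REJECT", in_if=bridge),
    }


# Constructed: two NAT networks as libvirt would name and number them.
NETS = {"virbr0": "192.168.122.0/24", "virbr1": "192.168.123.0/24"}
PER_NET = {br: network_rules(br, sn) for br, sn in NETS.items()}


def chain_by_network() -> list:
    """Per-network grouping: each network's five rules appended as a block."""
    return [r for rules in PER_NET.values() for r in rules.values()]


def chain_by_function(order: list) -> list:
    """Same ten rules, grouped by purpose across all networks in 'order'."""
    return [PER_NET[br][key] for key in order for br in PER_NET]


ALLOW_ORDER = ["reply", "egress", "intra", "reject_in", "reject_out"]
BLOCK_ORDER = ["reply", "intra", "reject_in", "egress", "reject_out"]


def verdict(chain: list, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; fall through to the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def inter_network(chain: list) -> tuple:
    """Verdicts for a new flow virbr0->virbr1, a new flow virbr1->virbr0,
    and a new flow from virbr1 out to the LAN (eth0)."""
    p01 = Packet("virbr0", "virbr1", "192.168.122.10", "192.168.123.10")
    p10 = Packet("virbr1", "virbr0", "192.168.123.10", "192.168.122.10")
    lan = Packet("virbr1", "eth0", "192.168.123.10", "10.0.0.5")
    return verdict(chain, p01), verdict(chain, p10), verdict(chain, lan)


if __name__ == "__main__":
    for name, chain in [("by network", chain_by_network()),
                        ("by function / allow", chain_by_function(ALLOW_ORDER)),
                        ("by function / block", chain_by_function(BLOCK_ORDER))]:
        print(f"{name:22s} 0->1, 1->0, 1->LAN = {inter_network(chain)}")
```

The block ordering is the one that corresponds to Jorge's second paste: the REJECT-on-output rules for every bridge are moved ahead of every bridge's egress ACCEPT, so a new flow from one bridge to another hits the other bridge's REJECT first, while a flow to eth0 matches no REJECT and reaches the egress ACCEPT. Laine's caveat still applies to this model: all ten rules are managed as one list, so bringing a single network up or down means re-deriving the whole ordering rather than appending or deleting that network's block.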