
Le 03/28/2013 16:59, Laine Stump wrote :
On 03/25/2013 05:12 PM, Benoit Friry wrote:
On 03/25/2013 16:21, Eric Blake wrote:
On 03/25/2013 03:09 AM, Benoit Friry wrote:
- starting default network (nat) adds rules in netfilter. I have not seen how to create another network nat conf without calling clean-traffic nwfilter (it is not explicit in network XML file).
nwfilter rules are applied to individual *guest interfaces* by adding a <filterref> element to the guest's <interface> element. They are completely unrelated to the netfilter rules added when a libvirt network is started.
Indeed, I thought the added rules where from nwfilter. I did not checked precisely. I did not suspect there were another set of rules for networks.
The rules added for a libvirt virtual network change depending on the setting of "<forward mode='xxx'>" in the network config
1) for <forward mode='route'> a set of rules allowing all traffic in both directions is added
2) for <forward mode='nat'> rules are added to allow outbound traffic from the guests to any destination, prevent inbound traffic from anywhere except a) the host and b) other guests attached to the same network, AND to mangle the source address of packets outbound to places beyond the host (so that they appear to be coming from the host itself).
3) if there is *no* <forward> (aka an "isolated" network), rules are added to allow traffic only between guests on the same network and the host, but block all other traffic.
The rules for each of these cases is hardcoded (and also very simplistic) and can't be configured in any more finely grained manner.
It's a pity. There is nothing between all hardcoded rules and all manual rules (in mode='bridge'). Manual rules are to be managed outside. It would have been nice to be able to start/stop specific rules from libvirt, linked to network start/stop commands. Thanks for the explanation.
- to be able to change the templates, for instance: - not including any nwfilter when creating a network, - script called when adding a file in a dir pool, - and so on. Another example: what if I want to use BIND9 instead of dnsmasq? BIND9 has a dns64 capability, dnsmasq has not.
dnsmasq, radvd, brctl are hardcoded. Don't you think it would be better to call a helper script, that can be tweaked by admins?
No. That would be a nightmare to support; we specifically avoid doing something that free-form. If you would like a network driver that uses different utilities in place of dnsmasq and radvd, the proper way to do that is with a different network driver to be built in place of src/network/bridge_driver.c.
Ouch. Isn't it overkill? I can manage some scripts. I will not manage patches, to be rebuild with every new release. Few organization can afford such thing! What about a overwrite conf file? Hardcoded conf by default, but one can change some element. Support only when no overwrited conf.
But before you go to that trouble, are you certain that dnsmasq still doesn't have what you need? Recent versions of libvirt (since 1.0.1) have support for many new IPv6 features of dnsmasq 2.66+, including DHCP6, and I think dnsmasq has had support for IPv6 DNS resolution for quite a long time. (I couldn't figure out from a quick google search whether or not dnsmasq directly supports DNS64, or if that may be unnecessary if the dns server upstream from dnsmasq has DNS64 support.)
AFAIK, dnsmasq has no DNS64 support. Thanks, Benoit