
Hi,

libvirt's nwfilter module can achieve that. I'm currently working on opt-out patches to disable that functionality if wished. I also don't use firewalld. It's both paternalizing and annoying and takes away user flexibility in exchange for nothing.

Anyways, check the nwfilter page to write your own filters for the beginning: https://libvirt.org/formatnwfilter.html#nwfwrite

Some more info:
https://www.redhat.com/archives/libvir-list/2010-June/msg00762.html
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...

regards

On Thursday, 30.05.2019, 21:44 -0400, Joshua Kramer wrote:
Hello All-
I've looked in several places and haven't found an answer to this question: is it possible to have libvirt add custom rules to iptables for virtual network interfaces? I took a look at the "Firewall and Network Filtering in Libvirt" page and it seems overly complicated for what I want to do.
Given an interface virbr2 and its network 192.168.4.0/24, libvirt installs the following rules in iptables. Essentially, these rules will drop any packets for the interface virbr2 where the source or destination is not on the 192.168.4.0/24 network.
-P FORWARD ACCEPT
-A FORWARD -d 192.168.4.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
I have a VPN server on the 4/24 network, and it hands out addresses in the 8/24 network. So I would like libvirt to also create the following rules in iptables:
-A FORWARD -d 192.168.8.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 192.168.8.0/24 -i virbr2 -j ACCEPT
I've tried creating direct rules in firewalld for the FORWARD_direct chain. Firewalld happily creates those rules, but they are never reached, because they fall AFTER the libvirt rules. I've also tried creating an IP address on the virbr2 interface in the 8/24 network, but that doesn't work either. How can I get this done?
Thanks!! -JK
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users
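As an added illustration of the kind of filter the reply points to (this is not code from the thread or from libvirt's own examples), here is an nwfilter definition that accepts traffic to and from the VPN client subnet 192.168.8.0/24 on the guest interface it is attached to. The filter name and the network name in the comment are assumptions; the subnet is the one from the question.

```xml
<!-- Added example, not from the thread. Assumed filter name: allow-vpn-clients.
     nwfilter rules are applied per guest interface, not on the virbr2 bridge,
     so this is separate from the virbr2 FORWARD rules listed in the question. -->
<filter name='allow-vpn-clients' chain='ipv4' priority='-700'>
  <!-- direction='out' is traffic leaving the guest, here towards VPN clients -->
  <rule action='accept' direction='out' priority='500'>
    <ip dstipaddr='192.168.8.0' dstipmask='24'/>
  </rule>
  <!-- direction='in' is traffic arriving at the guest, here from VPN clients -->
  <rule action='accept' direction='in' priority='500'>
    <ip srcipaddr='192.168.8.0' srcipmask='24'/>
  </rule>
</filter>
<!-- Attach it to the VPN server guest's interface in the domain XML
     (network name 'vpnnet' is an assumption):

     <interface type='network'>
       <source network='vpnnet'/>
       <filterref filter='allow-vpn-clients'/>
     </interface>
-->
```

Load the filter with `virsh nwfilter-define allow-vpn-clients.xml`; libvirt then programs the matching iptables rules for that guest interface whenever the domain starts.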