
On 08/06/2013 06:38 PM, Jorge Fábregas wrote:
On 07/31/2013 11:01 AM, Jorge Fábregas wrote:
That is, the first network can reach all other networks (just because it happens to be the first one defined). Is this the intention (only default can talk to the others but not the other way around)? *Bump*
I found this excellent post by Daniel Berrange:
http://www.redhat.com/archives/libvir-list/2010-June/msg00762.html
...which explains all the firewall rules that libvirt creates based on the type of network you choose. Reading this I get the idea that the intention for NAT virtual-networks is to allow them to communicate with ANY other virtual-network on your system (since there's an allow rule for traffic coming out of it).
In a nutshell, the problem is that there's a lack of consistency in how NAT virtual-networks communicate with each other. I think the traffic between these subnets should be either allowed or denied. Right now we have a mixed scenario where the decision to allow or deny the traffic is merely based on what position in the firewall rules your virtual-network happens to have.
Here's what I mean:
Network 0 can reach any network due to line #3.
Network 1 can only reach the networks defined below it (due to line #10). Network 1 can't reach Network 0 due to line #5.
Network 2 can't reach any of the above networks due to lines #5 & #12.
(reach = "initiate new connections")
Summary (based on the order of the firewall rules): virtual-networks can successfully initiate new connections to the networks defined below them, but not to the networks defined above them.
Correct. That is a known problem since 2008: https://bugzilla.redhat.com/show_bug.cgi?id=453580 Due to the large amount of work required to fix it relative to the apparent demand for a fix, it has remained unchanged. Note that if you want to have multiple virtual networks that can communicate with each other, you can define all the networks as <forward mode='route'/> (which gives them iptables rulesets that allow all access in both directions), then add in appropriate "blanket" NAT rules yourself in the host's iptables config.
Comments are welcome.
Thanks! Jorge
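The asymmetric reachability Jorge lays out above, reproduced as an added example (not code from the thread or from libvirt): a Python model of first-match evaluation over the per-network FORWARD rule block that libvirt appends for each NAT network. The rule block, the bridge names and the subnets are assumptions modelled on the rules Daniel's post describes; the model shows why network 0 reaches everything, network 1 only reaches networks defined below it, and network 2 reaches nothing.

```python
"""First-match model of the FORWARD chain libvirt builds for NAT networks.

Added example, not code from the thread or from libvirt. The per-network
rule block is an assumption modelled on the libvirt NAT rules Daniel's post
describes (ESTABLISHED accept, source accept, intra-bridge accept, then
REJECT in/out), appended once per network in definition order.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: three NAT networks, in the order they were defined.
NETWORKS = [("virbr0", "192.168.122.0/24"),
            ("virbr1", "192.168.123.0/24"),
            ("virbr2", "192.168.124.0/24")]

def libvirt_nat_rules(networks):
    """Append the assumed per-network rule block once per network."""
    rules = []
    for br, cidr in networks:
        rules += [
            {"dst": cidr, "out": br, "state": "ESTABLISHED", "target": "ACCEPT"},
            {"src": cidr, "in": br, "target": "ACCEPT"},  # may reach anything
            {"in": br, "out": br, "target": "ACCEPT"},    # guest to guest
            {"out": br, "target": "REJECT"},              # nothing else in
            {"in": br, "target": "REJECT"},               # nothing else out
        ]
    return rules

def matches(rule, pkt):
    if any(k in rule and rule[k] != pkt.get(k) for k in ("in", "out", "state")):
        return False
    return all(k not in rule or ip_address(pkt[k]) in ip_network(rule[k])
               for k in ("src", "dst"))

def verdict(rules, pkt):
    """The first matching rule decides, as in a netfilter chain."""
    return next((r["target"] for r in rules if matches(r, pkt)), "ACCEPT")

def can_initiate(networks, a, b):
    """Can a guest on network a open a NEW connection to a guest on network b?"""
    rules = libvirt_nat_rules(networks)
    (in_br, src), (out_br, dst) = networks[a], networks[b]
    pkt = {"in": in_br, "out": out_br, "state": "NEW",
           "src": str(ip_network(src)[10]), "dst": str(ip_network(dst)[10])}
    return verdict(rules, pkt) == "ACCEPT"

if __name__ == "__main__":
    for a, (net, _) in enumerate(NETWORKS):
        reach = [NETWORKS[b][0] for b in range(len(NETWORKS))
                 if b != a and can_initiate(NETWORKS, a, b)]
        print(f"{net} can initiate new connections to: {reach or 'nothing'}")
```

Swapping the per-network block for the rules a `<forward mode='route'/>` network gets (accept in both directions) makes every pair reachable, which is the behaviour Laine's suggested workaround relies on before the blanket NAT rules are added by hand.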