[PATCH] Re: iptables masquerade rule overexpansive

Daniel P. Berrange wrote:
Instead of having the separate ACCEPT rule I think it would be sufficient
to replace the 0.0.0.0/0 target with ! 192.168.65.0/24, eg

iptables -t nat -A POSTROUTING --source 192.168.65.0/24 --destination ! 192.168.65.0/24 -j MASQUERADE

so it will masquerade traffic which is leaving the ip range of the virtual
network only, and leave ip traffic between the VMs & VM<->host alone.

I considered that -- but while it will work as long as the default forward rule is ACCEPT, it could result in hosts being unable to communicate with each other if the default rule for the table is otherwise.

That said, it's certainly easier... patch attached.
diff -ru libvirt-0.4.0.orig/src/iptables.c libvirt-0.4.0/src/iptables.c
--- libvirt-0.4.0.orig/src/iptables.c	2007-12-12 07:30:49.000000000 -0600
+++ libvirt-0.4.0/src/iptables.c	2008-03-27 15:31:29.000000000 -0500
@@ -1047,6 +1047,7 @@
         return iptablesAddRemoveRule(ctx->nat_postrouting,
                                      action,
                                      "--source", network,
+                                     "--destination", "!", network,
                                      "--out-interface", physdev,
                                      "--jump", "MASQUERADE",
                                      NULL);
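Review bot: the negation is passed as a separate "!" argument sitting between "--destination" and the network, the intrapositioned form that later iptables releases flag as deprecated in favour of putting the bang before the option; unless very old iptables must be supported, order the arguments as "!", "--destination", network. Note also that this rule carries "--out-interface", physdev, so packets that stay on the virtual bridge never reached it anyway; the new match only changes behaviour for packets leaving via the physical device toward an address inside the guest range.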
@@ -1054,6 +1055,7 @@
         return iptablesAddRemoveRule(ctx->nat_postrouting,
                                      action,
                                      "--source", network,
+                                     "--destination", "!", network,
                                      "--jump", "MASQUERADE",
                                      NULL);
     }
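Review bot: the same argument list serves both the add and the remove action, so a libvirt built with this patch will try to delete a rule that includes "--destination", "!", network and miss a MASQUERADE rule installed by an older build without that match, leaving a stale rule after an upgrade until the nat table is flushed; consider attempting the old form on removal as well, or documenting the need to flush existing rules.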
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
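The rule set the thread converges on, as an added example that is not libvirt's code and is not from either poster: the POSTROUTING rule with the destination negation (written in the extrapositioned "! --destination" form), plus explicit FORWARD accepts so that guest-to-guest and guest-to-host traffic does not depend on the FORWARD chain's default policy, which is the concern raised above. The names NET, PHYSDEV, DRY_RUN, run_ipt, masq_rule, forward_rules, in_network and would_masquerade are assumptions of this example. With DRY_RUN left at 1 the script prints the iptables commands instead of running them, so it can be read or tested without root; would_masquerade shows which destinations the negated match excludes.

```shell
#!/bin/sh
# Added example, not libvirt's code. NET, PHYSDEV and DRY_RUN are assumed
# names for this illustration; the constructed sample network matches the
# thread's 192.168.65.0/24.
set -eu

NET="${NET:-192.168.65.0/24}"
PHYSDEV="${PHYSDEV:-eth0}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print commands instead of executing them

# run_ipt: execute an iptables command, or print it when DRY_RUN=1.
run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# masq_rule ACTION NET [PHYSDEV]: the nat POSTROUTING rule from the thread.
# ACTION is A (add) or D (delete). Traffic whose destination is inside NET is
# excluded, so guest<->guest and guest<->host packets are not rewritten.
masq_rule() {
    action=$1; net=$2; dev=${3:-}
    if [ -n "$dev" ]; then
        run_ipt -t nat "-$action" POSTROUTING --source "$net" \
            ! --destination "$net" --out-interface "$dev" --jump MASQUERADE
    else
        run_ipt -t nat "-$action" POSTROUTING --source "$net" \
            ! --destination "$net" --jump MASQUERADE
    fi
}

# forward_rules ACTION NET: explicit ACCEPTs so intra-network and outbound
# guest traffic still flows when the FORWARD chain's policy is not ACCEPT.
forward_rules() {
    action=$1; net=$2
    run_ipt "-$action" FORWARD --source "$net" --destination "$net" --jump ACCEPT
    run_ipt "-$action" FORWARD --source "$net" --jump ACCEPT
    run_ipt "-$action" FORWARD --destination "$net" \
        -m state --state ESTABLISHED,RELATED --jump ACCEPT
}

# ip2int A.B.C.D: dotted quad to a 32-bit integer (plain decimal octets only).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_network ADDR CIDR: succeed when ADDR lies inside CIDR.
in_network() {
    addr=$(ip2int "$1")
    base=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( base & mask )) ]
}

# would_masquerade ADDR NET: "yes" if a packet from NET to ADDR matches the
# negated-destination rule above (i.e. ADDR is outside NET), "no" otherwise.
would_masquerade() {
    if in_network "$1" "$2"; then echo no; else echo yes; fi
}

# Show (or, with DRY_RUN=0, apply) the complete rule set for NET.
masq_rule A "$NET" "$PHYSDEV"
forward_rules A "$NET"
```

Run it as-is to see the commands, or with DRY_RUN=0 as root to install them; `masq_rule D "$NET" "$PHYSDEV"` and `forward_rules D "$NET"` remove the same rules, which only works if the argument list used for deletion is identical to the one used for insertion.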
