Daniel P. Berrange wrote:
Instead of having the separate ACCEPT rule I think it would be sufficient
to replace the 0.0.0.0/0 target with ! 192.168.65.0/24, eg
iptables -t nat -A POSTROUTING
--source 192.168.65.0/24
--destination ! 192.168.65.0/24
-j MASQUERADE
so it will masquerade traffic which is leaving the ip range of the virtual
network only, and leave ip traffic between the VMs & VM<->host alone.
I considered that -- but while it will work as long as the default
forward rule is ACCEPT, it could result in hosts being unable to
communicate with each other if the default rule for the table is otherwise.
That said, it's certainly easier... patch attached.
diff -ru libvirt-0.4.0.orig/src/iptables.c libvirt-0.4.0/src/iptables.c
--- libvirt-0.4.0.orig/src/iptables.c 2007-12-12 07:30:49.000000000 -0600
+++ libvirt-0.4.0/src/iptables.c 2008-03-27 15:31:29.000000000 -0500
@@ -1047,6 +1047,7 @@
return iptablesAddRemoveRule(ctx->nat_postrouting,
action,
"--source", network,
+ "--destination", "!", network,
"--out-interface", physdev,
"--jump", "MASQUERADE",
NULL);
@@ -1054,6 +1055,7 @@
return iptablesAddRemoveRule(ctx->nat_postrouting,
action,
"--source", network,
+ "--destination", "!", network,
"--jump", "MASQUERADE",
NULL);
}
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list