On Fri, Aug 12, 2016 at 11:19:00AM -0400, Laine Stump wrote:
> On 08/12/2016 03:52 AM, Daniel P. Berrange wrote:
> > On Thu, Aug 11, 2016 at 10:41:45PM -0400, Laine Stump wrote:
> > > The new forward mode 'open' is just like mode='route', except that no
> > > firewall rules are added to assure that any traffic does or doesn't
> > > pass. It is assumed that either they aren't necessary, or they will be
> > > setup outside the scope of libvirt.
> > >
> > > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=846810
> > > ---
> > >  docs/formatnetwork.html.in                  | 22 ++++++++++++
> > >  docs/schemas/network.rng                    |  1 +
> > >  src/conf/network_conf.c                     | 25 +++++++++++--
> > >  src/conf/network_conf.h                     |  1 +
> > >  src/network/bridge_driver.c                 | 41 +++++++++++++++-------
> > >  tests/networkxml2confdata/open-network.conf | 11 ++++++
> > >  tests/networkxml2confdata/open-network.xml  |  9 +++++
> > >  tests/networkxml2conftest.c                 |  1 +
> > >  .../open-network-with-forward-dev.xml       |  9 +++++
> > >  tests/networkxml2xmlin/open-network.xml     |  9 +++++
> > >  tests/networkxml2xmlout/open-network.xml    |  9 +++++
> > >  tests/networkxml2xmltest.c                  |  2 ++
> > >  12 files changed, 125 insertions(+), 15 deletions(-)
> > >  create mode 100644 tests/networkxml2confdata/open-network.conf
> > >  create mode 100644 tests/networkxml2confdata/open-network.xml
> > >  create mode 100644 tests/networkxml2xmlin/open-network-with-forward-dev.xml
> > >  create mode 100644 tests/networkxml2xmlin/open-network.xml
> > >  create mode 100644 tests/networkxml2xmlout/open-network.xml
> > >
> > > diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
> > > index a9226e5..12d1bed 100644
> > > --- a/docs/formatnetwork.html.in
> > > +++ b/docs/formatnetwork.html.in
> > > @@ -260,6 +260,28 @@
> > >            <span class="since">Since 0.4.2</span>
> > >          </dd>
> > > +        <dt><code>open</code></dt>
> > > +        <dd>
> > > +          As with mode='route', guest network traffic will be
> > > +          forwarded to the physical network via the host's IP
> > > +          routing stack, but there will be no firewall rules added
> > > +          to either enable or prevent any of this traffic. When
> > > +          forward='open' is set, the <code>dev</code> attribute
> > > +          cannot be set (because the forward dev is enforced with
> > > +          firewall rules, and the purpose of forward='open' is to
> > > +          have a forwarding mode where libvirt doesn't add any
> > > +          firewall rules). This mode presumes that the local LAN
> > > +          router has suitable routing table entries to return
> > > +          traffic to this host, and that some other management
> > > +          system has been used to put in place any necessary
> > > +          firewall rules. Although no firewall rules will be added
> > > +          for the network, it is of course still possible to add
> > > +          restrictions for specific guests using
> > > +          <a href="formatnwfilter.html">nwfilter rules</a> on the
> > > +          guests' interfaces.)
> > > +          <span class="since">Since 2.2.0</span>
> > > +        </dd>
> > > +
> >
> > Isn't this basically the same as forward mode="bridge", except that
> > we still create the bridge ourselves, instead of requiring it to be
> > pre-created ?
>
> Sigh. If only that was the case :-/

[snip]

> > If so, I wonder if its better add a attribute 'create=yes|no' to
> > the <bridge> element instead ?

ok, ignore my suggestion. There's nothing wrong with what you've proposed.

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
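Review bot: the new <dd> text for mode='open' in the docs/formatnetwork.html.in hunk ends with an unmatched closing parenthesis ("... on the guests' interfaces.)"); either drop the ")" or open one before "it is of course still possible". Two points the same paragraph should make explicit, since the whole purpose of the mode is that libvirt adds no ACCEPT or REJECT rules: first, on a host whose FORWARD chain policy is DROP (or that carries a catch-all reject at the end of FORWARD) guests on an 'open' network will be silently cut off until the administrator installs rules, which is a different failure mode from mode='route'; second, the text says the dev attribute "cannot be set" but not what happens when it is (an error at define time, or silently ignored), which is presumably what the open-network-with-forward-dev.xml test in the diffstat exercises and is worth one sentence here.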
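The documentation quoted above says that with forward mode='open' libvirt adds no firewall rules and leaves them to "some other management system". As an added example, not code from the patch or from libvirt itself, the script below shows what that hands to the administrator: the network XML for the new mode (no dev attribute, which the docs say cannot be combined with 'open'), the FORWARD rules of the kind libvirt would otherwise have managed for mode='route', and a check against an `iptables -S FORWARD` dump that tells you whether the bridge is governed by anything at all. The bridge name virbr-open, the 192.0.2.0/24 subnet, the sample dump and the exact shape of the route-mode rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the libvirt patch or project. It shows what
# forward mode='open' leaves to the administrator: the network definition,
# the FORWARD rules libvirt would otherwise manage, and a check that the
# bridge is actually governed by something. The bridge name virbr-open,
# the 192.0.2.0/24 subnet and the exact rule shape are assumptions.

# Network definition using the new mode. There is deliberately no dev=
# attribute on <forward>, which the patch's documentation says cannot be
# combined with mode='open'.
open_network_xml() {
    bridge="$1"; addr="$2"; mask="$3"
    cat <<EOF
<network>
  <name>open-net</name>
  <forward mode='open'/>
  <bridge name='${bridge}' stp='on' delay='0'/>
  <ip address='${addr}' netmask='${mask}'/>
</network>
EOF
}

# Rules of the kind libvirt is assumed to add for mode='route' (accept the
# subnet in and out of the bridge, reject everything else on it), written
# in the form printed by `iptables -S`. With mode='open' nothing adds these,
# so they, or a stricter policy, must come from outside libvirt.
forward_rules() {
    bridge="$1"; cidr="$2"
    printf '%s\n' \
      "-A FORWARD -d ${cidr} -o ${bridge} -j ACCEPT" \
      "-A FORWARD -s ${cidr} -i ${bridge} -j ACCEPT" \
      "-A FORWARD -o ${bridge} -j REJECT --reject-with icmp-port-unreachable" \
      "-A FORWARD -i ${bridge} -j REJECT --reject-with icmp-port-unreachable"
}

# Check whether guest traffic on a bridge can pass at all, given a dump of
# `iptables -S FORWARD`: it can if the chain policy is ACCEPT or some rule
# names the bridge. With policy DROP and no rule, mode='open' silently
# blackholes the network. Prints a summary; exit status 0 means "governed".
bridge_forward_status() {
    bridge="$1"; dump="$2"
    policy=$(printf '%s\n' "$dump" | sed -n 's/^-P FORWARD \([A-Z]*\).*/\1/p')
    nrules=$(printf '%s\n' "$dump" | grep -E -c -e "-[io] ${bridge}( |\$)" || true)
    printf 'policy=%s bridge_rules=%s\n' "${policy:-UNKNOWN}" "$nrules"
    if [ "$policy" = "ACCEPT" ] || [ "$nrules" -gt 0 ]; then
        return 0
    fi
    return 1
}

# Constructed sample dump: default-DROP policy, rules only for libvirt's
# own NAT network on virbr0, nothing for the open network's bridge.
SAMPLE_FORWARD_DROP='-P FORWARD DROP
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'

# Walk-through on the sample: before adding rules the open bridge is
# blackholed; after appending the forward_rules output it is governed.
demo() {
    open_network_xml virbr-open 192.0.2.1 255.255.255.0
    bridge_forward_status virbr-open "$SAMPLE_FORWARD_DROP" \
        || echo "virbr-open: no rule and policy DROP, guests are cut off"
    after="$SAMPLE_FORWARD_DROP
$(forward_rules virbr-open 192.0.2.0/24)"
    bridge_forward_status virbr-open "$after"
}

demo
```

On a real host, feed the live chain in with `bridge_forward_status virbr-open "$(iptables -S FORWARD)"`, and apply the generated rules with `forward_rules virbr-open 192.0.2.0/24 | sed 's/^/iptables /' | sh` (or paste them between `*filter` and `COMMIT` for `iptables-restore --noflush`). The check deliberately treats "policy ACCEPT" as governed even with no bridge rule: that is the permissive case the docs warn about, where nothing restricts the guests, and it is worth flagging separately in your own tooling.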