On 9/27/19 6:16 PM, Daniel P. Berrangé wrote:
> From: Malina Salina <malina.salina@xxxxxxxxxxxxxx>
>
> While the default iptables setup used by Fedora/RHEL distros
> only restricts traffic on the INPUT and/or FORWARD rules,
> some users might have custom firewalls that restrict the
> OUTPUT rules too.
>
> These can prevent DHCP/DNS/TFTP responses from dnsmasq
> from reaching the guest VMs. We should thus whitelist
> these protocols in the OUTPUT chain, as well as the
> INPUT chain.
>
> Signed-off-by: Malina Salina <malina.salina@xxxxxxxxxxxxxx>
>
> Initial patch then modified to add unit tests and IPv6
> support
>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
>  src/libvirt_private.syms | 2 +
>  src/network/bridge_driver_linux.c | 29 ++++++++++---
>  src/util/viriptables.c | 36 ++++++++++++++++
>  src/util/viriptables.h | 8 ++++
>  .../nat-default-linux.args | 21 ++++++++++
>  .../nat-ipv6-linux.args | 42 +++++++++++++++++++
>  .../nat-many-ips-linux.args | 21 ++++++++++
>  .../nat-no-dhcp-linux.args | 42 +++++++++++++++++++
>  .../nat-tftp-linux.args | 28 +++++++++++++
>  .../route-default-linux.args | 21 ++++++++++
>  10 files changed, 244 insertions(+), 6 deletions(-)

Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list