On 11/04/2012 10:18 AM, Gene Czarcinski wrote:
> On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
>> Currently, when an interface (virtual network) is started, if no ip
>> address is defined, then no rule is added to permit "internal" network
>> traffic. However, virtual guests can use such a network to
>> communicate if a rule is added to the iptables/ip6tables rule set.
>> This will work even if no ip address is defined on an interface (which
>> is valid).
>>
>> I propose that rules of the following forms be added when an interface
>> is started and removed when it is destroyed:
>>
>> iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>>
>> ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT

I'm not as familiar with this as others, so I'll defer on whether this
makes sense.

>>
>> If a user wants a "very private network", the user has to run the
>> above commands. The proposal simply does this automatically.
> It appears that this patch is not necessary since I can do this now
> using nwfilters.
>
> Question: I see little discussed or anything about nwfilters. Is
> nwfilters an active concept or is it still included because of legacy?
> Will this still work with firewalld?

But this I can answer. Yes, nwfilters is still an actively maintained
concept, and yes, it is supposed to work with firewalld.

-- 
Eric Blake eblake@xxxxxxxxxx +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
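As an added example (not from the thread, and not libvirt's own code), a small POSIX shell script that installs and removes the per-bridge FORWARD rules proposed above idempotently: it checks with `iptables -C` first, so a repeated network start cannot stack duplicate rules, and `del` loops until every copy is gone. The bridge name, the `IPT`/`IP6T` override variables, and the `add`/`del` interface are assumptions of this example.

```shell
#!/bin/sh
# Add or remove the guest-to-guest FORWARD accept rules for one bridge,
# idempotently, on both the IPv4 and IPv6 rule sets.
# IPT/IP6T may be pointed at a stub so the logic can be exercised without
# root (assumed variable names, not a libvirt interface).
IPT=${IPT:-iptables}
IP6T=${IP6T:-ip6tables}

# rule_present TOOL BRIDGE: exit 0 if the accept rule already exists
rule_present() {
    "$1" -C FORWARD -i "$2" -o "$2" -j ACCEPT 2>/dev/null
}

# ensure_rule TOOL BRIDGE: insert at position 1 only when the rule is absent
ensure_rule() {
    rule_present "$1" "$2" || "$1" -I FORWARD 1 -i "$2" -o "$2" -j ACCEPT
}

# drop_rule TOOL BRIDGE: delete every copy of the rule, not just the first
drop_rule() {
    while rule_present "$1" "$2"; do
        "$1" -D FORWARD -i "$2" -o "$2" -j ACCEPT || return 1
    done
}

# bridge_rules add|del BRIDGE: apply the change to iptables and ip6tables
bridge_rules() {
    case "$1" in
        add) ensure_rule "$IPT" "$2" && ensure_rule "$IP6T" "$2" ;;
        del) drop_rule "$IPT" "$2" && drop_rule "$IP6T" "$2" ;;
        *)   echo "usage: $0 add|del <bridge>" >&2; return 2 ;;
    esac
}

# Typical use on network start/destroy: bridge_rules add virbr18
if [ $# -gt 0 ]; then
    bridge_rules "$@"
fi
```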