On 11/04/2012 12:18 PM, Gene Czarcinski wrote:
> On 11/02/2012 07:46 AM, Gene Czarcinski wrote:
>> Currently, when an interface (virtual network) is started, if no ip
>> address is defined, then no rule is added to permit "internal" network
>> traffic. However, virtual guests can use such a network to
>> communicate if a rule is added to the iptables/ip6tables rule set.
>> This will work even if no ip address is defined on an interface
>> (which is valid).
>>
>> I propose that rules of the following forms be added when an
>> interface is started and removed when it is destroyed:
>>
>> iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>>
>> ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT
>>
>> If a user wants a "very private network", the user has to run the
>> above commands. The proposal simply does this automatically.
> It appears that this patch is not necessary since I can do this now
> using nwfilters.

Are you sure of that? nwfilter rules are applied to the tap device that connects the guest's interface to the bridge, while these other rules you're talking about are on the bridge itself. (BTW, note that all FORWARD rules that involve a bridge interface become irrelevant if you have net.bridge.bridge-nf-call-iptables = 0 in /etc/sysctl.conf.)

> Question: I see little discussed or anything about nwfilters. Is
> nwfilters an active concept or is it still included because of
> legacy? Will this still work with firewalld?

Still active. Works with firewalld. If you encounter a problem, you can look for stefanb in IRC - we all hang out in #virt on irc.oftc.net. As much as you're messing around with this code, you should be there too :-)

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
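The start/destroy hook sketched in the thread, written out as an added shell example (not libvirt's code or anyone's patch from this list): it inserts and removes the two bridge-internal FORWARD rules idempotently and checks the bridge-nf sysctl that decides whether such rules are consulted at all. It assumes iptables/ip6tables on PATH and root privileges; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not libvirt's own code: manage the bridge-internal FORWARD
# rules proposed in the thread for one virtual network bridge (e.g. virbr18).

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Return 0 if the ACCEPT rule for bridge $2 already exists in $1's FORWARD chain.
# In dry-run mode the rule is assumed absent so the add path is exercised.
has_rule() {
  [ "${DRY_RUN:-0}" = 1 ] && return 1
  "$1" -C FORWARD -i "$2" -o "$2" -j ACCEPT 2>/dev/null
}

# bridge_internal add|del <bridge>: "add" on network start, "del" on destroy.
# Checking with -C before -I keeps repeated starts from stacking duplicates.
bridge_internal() {
  action=$1; br=$2
  for ipt in iptables ip6tables; do
    case $action in
      add) has_rule "$ipt" "$br" || run "$ipt" -I FORWARD 1 -i "$br" -o "$br" -j ACCEPT ;;
      del) run "$ipt" -D FORWARD -i "$br" -o "$br" -j ACCEPT 2>/dev/null || true ;;
      *) echo "usage: bridge_internal add|del <bridge>" >&2; return 2 ;;
    esac
  done
}

# Return 0 when bridged frames are passed through the iptables FORWARD chain
# (net.bridge.bridge-nf-call-iptables = 1). With 0 the rules above never match.
# $1 optionally overrides the sysctl file path (handy for testing).
bridge_nf_active() {
  f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Demonstration: show what a network start for virbr18 would issue.
DRY_RUN=1
bridge_internal add virbr18
if ! bridge_nf_active; then
  echo "note: bridge-nf-call-iptables is not 1; FORWARD rules on the bridge are bypassed" >&2
fi
```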