On 03/27/2013 04:00 PM, Gene Czarcinski wrote:
> If an IPv4 address is *not* specified, then the IPv4 network is
> isolated and, by default, internal (internal to the specific
> interface) IPv4 routing is enabled.

Define "enable IPv4 routing". IPv4 forwarding is not explicitly enabled
in this case, but guests connected to the bridge can talk to each other.

>
> If an IPv6 address is *not* specified, then the IPv6 network is
> isolated and, by default, internal IPv6 routing is disabled but can be
> enabled if ipv6='yes' is specified on <network>.

Correct (but you knew this better than me :-)

>
> If an IPv6 address is specified, then it is routed.

Define "routed". If there is no <forward> element, then rules are added
to reject any traffic that tries to be forwarded beyond the bridge, or
forwarded into the bridge from outside. However, IPv6 traffic between
interfaces directly connected to the bridge (i.e. the guests) and the
bridge itself is allowed.

>
> If an IPv4 address is specified, then it can be
> Network-Address-Translated or routed. Not having a <forward>
> explicitly specified does not mean that a route is not established.

Do you mean the direct route for the bridge's own subnet? If there is no
<forward>, then the rules added by networkAddGeneralIptablesRules will
be in effect - aside from allowing receive of dhcp, dns, and possibly
tftp to the host from guests (and ignoring inter-guest traffic), these
rules will reject attempts to forward into or out of the bridge.

>
>
> Do I understand things correctly?
>

Not sure. Did what I said match up with what you understand? :-)

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list