On 07/31/2013 11:01 AM, Jorge Fábregas wrote:
> That is, the first network can reach all other networks (just because it
> happens to be the first one defined). Is this the intention (only
> default can talk to the others but not the other way around)?

*Bump*

I found this excellent post by Daniel Berrange:

http://www.redhat.com/archives/libvir-list/2010-June/msg00762.html

...which explains all the firewall rules that libvirt creates based on the type of network you choose. Reading this I get the idea that the intention for NAT virtual-networks is to allow them to communicate with ANY other virtual-network on your system (since there's an allow rule for traffic coming out of it).

In a nutshell, the problem is that there's a lack of consistency in how NAT virtual-networks communicate with each other. I think the traffic between these subnets should be either allowed or denied. Right now we have a mixed scenario where the decision to allow or deny the traffic is based merely on what position, in the firewall rules, your virtual-network happens to occupy. Here's what I mean:

http://fpaste.org/30485/

Network 0 can reach any network due to line #3
Network 1 can only reach the networks defined below it (due to line #10)
Network 1 can't reach Network 0 due to line #5
Network 2 can't reach any of the above networks due to lines #5 & #12

(reach = "initiate new connections")

Summary (based on the order of firewall rules): virtual-networks can successfully initiate new connections to the networks defined below them but can't to networks defined above them.

Comments are welcome. Thanks!

Jorge
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
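To make the ordering effect described in the post concrete, here is an added Python simulation (not from the post and not libvirt's code) of first-match evaluation of a FORWARD chain built from the per-network rule set Berrange's post describes for a NAT network: accept RELATED/ESTABLISHED into the bridge, accept traffic from the network's subnet leaving the bridge, accept intra-bridge traffic, then REJECT anything else into or out of the bridge. The bridge names virbr1/virbr2, the subnets 192.168.100.0/24 and 192.168.200.0/24, and the guest addresses are constructed; the chain order is assumed to match the post's "Network 0 first"; and the pairwise isolation rules at the end illustrate one way to make the policy consistent (deny) and are not something libvirt installs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str            # source IP of the forwarded packet
    dst: str            # destination IP
    in_if: str          # interface the packet arrived on (-i)
    out_if: str         # interface it would leave on (-o)
    established: bool   # conntrack says RELATED/ESTABLISHED


@dataclass
class Rule:
    """One FORWARD rule; None for a match field means 'any'."""
    target: str                       # "ACCEPT" or "REJECT"
    src: Optional[str] = None         # -s subnet
    dst: Optional[str] = None         # -d subnet
    in_if: Optional[str] = None       # -i bridge
    out_if: Optional[str] = None      # -o bridge
    established: bool = False         # -m state --state RELATED,ESTABLISHED

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.in_if and self.in_if != pkt.in_if:
            return False
        if self.out_if and self.out_if != pkt.out_if:
            return False
        if self.established and not pkt.established:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule with a terminating target wins."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def libvirt_nat_rules(bridge: str, subnet: str) -> List[Rule]:
    """The five FORWARD rules libvirt adds for one NAT network, in chain order."""
    return [
        Rule("ACCEPT", dst=subnet, out_if=bridge, established=True),  # replies back in
        Rule("ACCEPT", src=subnet, in_if=bridge),                     # anything out of it
        Rule("ACCEPT", in_if=bridge, out_if=bridge),                  # guest-to-guest
        Rule("REJECT", out_if=bridge),                                # new inbound: no
        Rule("REJECT", in_if=bridge),                                 # spoofed outbound: no
    ]


# Constructed networks; virbr0/192.168.122.0/24 is libvirt's default, the rest are made up.
NETWORKS: List[Tuple[str, str]] = [
    ("virbr0", "192.168.122.0/24"),
    ("virbr1", "192.168.100.0/24"),
    ("virbr2", "192.168.200.0/24"),
]


def build_chain(networks: List[Tuple[str, str]]) -> List[Rule]:
    # Assumption: network 0's rules sit first in the chain, as in the post's numbering.
    chain: List[Rule] = []
    for bridge, subnet in networks:
        chain.extend(libvirt_nat_rules(bridge, subnet))
    return chain


def guest(subnet: str) -> str:
    return str(ipaddress.ip_network(subnet)[10])  # a constructed guest address


def can_initiate(chain: List[Rule], networks, a: int, b: int) -> bool:
    """Can a guest on network a open a NEW connection to a guest on network b?"""
    pkt = Packet(guest(networks[a][1]), guest(networks[b][1]),
                 networks[a][0], networks[b][0], established=False)
    return evaluate(chain, pkt) == "ACCEPT"


def reply_allowed(chain: List[Rule], networks, a: int, b: int) -> bool:
    """Is the ESTABLISHED reply from b back to a forwarded?"""
    pkt = Packet(guest(networks[b][1]), guest(networks[a][1]),
                 networks[b][0], networks[a][0], established=True)
    return evaluate(chain, pkt) == "ACCEPT"


def reachability(chain: List[Rule], networks) -> dict:
    n = len(networks)
    return {(a, b): can_initiate(chain, networks, a, b) for a in range(n) for b in range(n)}


def isolation_rules(networks) -> List[Rule]:
    """Illustrative consistent policy: reject bridge-to-bridge forwarding, placed ahead of libvirt's rules."""
    return [Rule("REJECT", in_if=bi, out_if=bj)
            for i, (bi, _) in enumerate(networks)
            for j, (bj, _) in enumerate(networks) if i != j]


if __name__ == "__main__":
    chain = build_chain(NETWORKS)
    for (a, b), ok in sorted(reachability(chain, NETWORKS).items()):
        print(f"{NETWORKS[a][0]} -> {NETWORKS[b][0]}: {'ACCEPT' if ok else 'REJECT'}")
```

Running it prints the asymmetry from the post: every network can open connections to the networks listed after it, and none can open connections to those listed before it, because the earlier network's `-o virbrN REJECT` rule is hit before the later network's `-s subnet -i virbrN ACCEPT` rule. Prepending `isolation_rules(NETWORKS)` to the chain turns the matrix into a uniform deny for cross-bridge traffic while leaving intra-network forwarding untouched.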