On 08/13/2013 06:31 AM, Laine Stump wrote:
> Correct. That is a known problem since 2008:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=453580

Thanks Laine for confirming it is a known issue. I googled it a lot but couldn't find that bugzilla entry.

Do you know if this is still the case with the upcoming Fedora 20 & firewalld (are these rules still being created)?

> Due to the large amount of work required to fix it relative to the
> apparent demand for a fix, it has remained unchanged.

I'm wondering if it really takes a lot of work. I think that by just changing the order of the rules everything gets fixed.

If we group the rules *by functionality* instead of *by virtual-network* we can accomplish a particular goal (drop communication between virtual-networks or allow them). (Notice that I did not insert or delete any rule; just changed the order):

- Allow communication between virtual-networks (regardless of direction):
  http://fpaste.org/31729/

- Block communication between virtual-networks (except for the LAN):
  http://fpaste.org/31731/

> Note that if you want to have multiple virtual networks that can
> communicate with each other, you can define all the networks as <forward
> mode='route'/> (which gives them iptables rulesets that allow all access
> in both directions), then add in appropriate "blanket" NAT rules
> yourself in the host's iptables config.

Right, that's what I'm using now: just had to add a static route to my home router in order for them to be able to use the net.

Again, thanks Laine for the feedback!

--
Jorge

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
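As an added illustration (not part of the thread, and not libvirt's code), the script below simulates iptables' first-match evaluation of the FORWARD chain over two NAT networks, using a constructed approximation of the five rules libvirt installs per network. It shows the asymmetry of the per-network layout and how regrouping the same rules by purpose yields either symmetric "allow" or symmetric "block except LAN"; bridge and subnet names are made up.

```python
# Constructed example: two libvirt-style NAT networks (names are hypothetical).
NETS = {"virbr0": "192.168.122.0/24", "virbr1": "192.168.123.0/24"}

def rules_for(br, subnet):
    """Approximation of the FORWARD rules libvirt adds per NAT network, in its order."""
    return [
        ({"dst": subnet, "out": br, "est": True}, "ACCEPT"),  # replies back into the net
        ({"src": subnet, "in": br}, "ACCEPT"),               # anything leaving the net
        ({"in": br, "out": br}, "ACCEPT"),                   # intra-network traffic
        ({"out": br}, "REJECT"),                             # everything else into the net
        ({"in": br}, "REJECT"),                              # spoofed sources out of the net
    ]

def verdict(chain, pkt):
    """iptables semantics: the first matching rule decides (chain policy assumed ACCEPT)."""
    for cond, target in chain:
        if all(pkt.get(k) == v for k, v in cond.items()):
            return target
    return "ACCEPT"

def by_network():
    """libvirt's layout: each network's five rules as one contiguous block."""
    return [r for br, sn in NETS.items() for r in rules_for(br, sn)]

def by_function(allow_inter_net):
    """Same ten rules, regrouped by purpose: rule #n of every network together."""
    groups = list(zip(*(rules_for(br, sn) for br, sn in NETS.items())))
    # group index: 0=replies, 1=outbound accept, 2=intra, 3=reject-out, 4=reject-in
    order = [1, 2, 0, 3, 4] if allow_inter_net else [2, 0, 3, 1, 4]
    return [r for i in order for r in groups[i]]

def new_flow(src_br, dst_br):
    """A fresh (not yet established) packet forwarded from one interface to another."""
    return {"in": src_br, "out": dst_br, "src": NETS.get(src_br),
            "dst": NETS.get(dst_br), "est": False}

def inter_net_verdicts(chain):
    """(virbr0 -> virbr1, virbr1 -> virbr0) for a new connection in each direction."""
    return (verdict(chain, new_flow("virbr0", "virbr1")),
            verdict(chain, new_flow("virbr1", "virbr0")))

if __name__ == "__main__":
    print("by network   :", inter_net_verdicts(by_network()))        # asymmetric
    print("allow grouped:", inter_net_verdicts(by_function(True)))   # both ACCEPT
    print("block grouped:", inter_net_verdicts(by_function(False)))  # both REJECT
    print("block, to LAN:", verdict(by_function(False), new_flow("virbr0", "eth0")))
```

The "block" ordering still lets guests reach the LAN (eth0) and receive established replies, which is the "except for the LAN" behaviour described above.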