Re: Modify Iptables Rules (virbr0 & virbr1)

On 08/13/2013 07:07 AM, Jorge Fábregas wrote:
> On 08/13/2013 06:31 AM, Laine Stump wrote:
>> Correct. That is a known problem since 2008:
>>
>>    https://bugzilla.redhat.com/show_bug.cgi?id=453580
> Thanks Laine for confirming it is a known issue.  I googled it a lot but
> couldn't find that bugzilla entry.
>
> Do you know if this is still the case with the upcoming Fedora 20 &
> firewalld? (these rules are still being created)?

There hasn't been any substantial change in the iptables rules added by
libvirt for virtual networks in a long time; libvirt's firewalld usage
is in the form of sending firewall-cmd exactly the same rules that were
previously sent directly to iptables.

>
>> Due to the large amount of work required to fix it relative to the
>> apparent demand for a fix, it has remained unchanged.
> I'm wondering if it really takes a lot of work.  I think that by just
> changing the order of the rules everything gets fixed.  If we group the
> rules *by functionality* instead of *by virtual-network* we can
> accomplish a particular goal (drop communication between
> virtual-networks or allow them):

Sure, that's simple if you're going to start/stop all virtual networks
together as a group. It's more complicated if you want each network to
operate independently of the other (i.e. to be able to start/stop each
network without affecting the others). Possibly the way to do that would
be to create separate chains for the allow and block. You're welcome to
write a patch for it :-)

>
> (Notice that I did not insert or delete any rule; just changed the order):
>
> - Allow communication between virtual-networks (regardless of direction):
> http://fpaste.org/31729/
>
> - Block communication between virtual-networks (except for the LAN):
> http://fpaste.org/31731/
>
>> Note that if you want to have multiple virtual networks that can
>> communicate with each other, you can define all the networks as <forward
>> mode='route'/> (which gives them iptables rulesets that allow all access
>> in both directions), then add in appropriate "blanket" NAT rules
>> yourself in the host's iptables config.
> Right, that's what I'm using now: just had to add a static route to my
> home router in order for them to be able to use the net.

Yes, that's another option, for those that have control over the routing
tables of their network.

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
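As an added illustration of the ordering problem discussed in this thread (example code, not from the thread or from libvirt itself): the script below is a small first-match simulator for the five FORWARD rules libvirt installs per NAT network (the `-m state --state RELATED,ESTABLISHED` reply rule, the `-s <subnet> -i <bridge>` egress rule, the `-i <bridge> -o <bridge>` intra-network rule, and the two `-o`/`-i` REJECT rules). It evaluates the same rules laid out per network, as libvirt does, and regrouped by function, as Jorge proposes, and shows how the verdict for guest-to-guest traffic between virbr0 and virbr1 changes while the LAN path stays open. The subnets, interface names and packet addresses are constructed for the example; with real libvirt each network's block is inserted at the top of the chain when that network starts, so which block comes first depends on start order, but the asymmetry is the same.

```python
"""Simulate iptables FORWARD rule ordering for two libvirt NAT networks.

Added example: models first-match evaluation of libvirt's per-network
FORWARD rules to show why inter-network traffic depends on rule order.
"""
import ipaddress

# Constructed sample networks (libvirt's default subnet plus a second one).
NETS = [("virbr0", "192.168.122.0/24"), ("virbr1", "192.168.100.0/24")]

# The five FORWARD rules libvirt adds for one NAT network (cf. `iptables -S`).
def libvirt_nat_rules(bridge, subnet):
    net = ipaddress.ip_network(subnet)
    return {
        "reply":     {"dst": net, "oif": bridge, "established": True, "target": "ACCEPT"},
        "egress":    {"src": net, "iif": bridge, "target": "ACCEPT"},
        "intra":     {"iif": bridge, "oif": bridge, "target": "ACCEPT"},
        "block_in":  {"oif": bridge, "target": "REJECT"},
        "block_out": {"iif": bridge, "target": "REJECT"},
    }

# Rule order inside one libvirt network block, and the "block" regrouping:
# every -o <bridge> REJECT is placed ahead of every -s <subnet> -i <bridge> ACCEPT.
LIBVIRT_ORDER = ["reply", "egress", "intra", "block_in", "block_out"]
BLOCK_ORDER = ["reply", "intra", "block_in", "egress", "block_out"]


def per_network(nets=NETS):
    """libvirt's layout: one complete block of five rules per network."""
    chain = []
    for bridge, subnet in nets:
        rules = libvirt_nat_rules(bridge, subnet)
        chain += [rules[k] for k in LIBVIRT_ORDER]
    return chain


def by_function(nets=NETS, order=LIBVIRT_ORDER):
    """Same rules, nothing added or removed, grouped by function across networks."""
    per_net = [libvirt_nat_rules(b, s) for b, s in nets]
    return [rules[k] for k in order for rules in per_net]


def matches(rule, pkt):
    """iptables-style match: every selector present in the rule must hold."""
    if "src" in rule and pkt["src"] not in rule["src"]:
        return False
    if "dst" in rule and pkt["dst"] not in rule["dst"]:
        return False
    if "iif" in rule and pkt["iif"] != rule["iif"]:
        return False
    if "oif" in rule and pkt["oif"] != rule["oif"]:
        return False
    if rule.get("established") and not pkt["established"]:
        return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; fall through to the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def packet(iif, oif, src, dst, established=False):
    return {"iif": iif, "oif": oif, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "established": established}


def inter_network_verdicts(chain):
    """Verdicts for: virbr0->virbr1 new, virbr1->virbr0 new, virbr0->LAN new."""
    a_to_b = packet("virbr0", "virbr1", "192.168.122.10", "192.168.100.10")
    b_to_a = packet("virbr1", "virbr0", "192.168.100.10", "192.168.122.10")
    a_to_lan = packet("virbr0", "eth0", "192.168.122.10", "10.0.0.1")
    return (verdict(chain, a_to_b), verdict(chain, b_to_a), verdict(chain, a_to_lan))


if __name__ == "__main__":
    layouts = {
        "per network (libvirt)": per_network(),
        "by function, allow": by_function(),
        "by function, block": by_function(order=BLOCK_ORDER),
    }
    print(f"{'layout':24} {'virbr0->virbr1':15} {'virbr1->virbr0':15} virbr0->LAN")
    for name, chain in layouts.items():
        a, b, lan = inter_network_verdicts(chain)
        print(f"{name:24} {a:15} {b:15} {lan}")
```

In the per-network layout the first network's `-s <subnet> -i virbr0 -j ACCEPT` matches guest-to-guest traffic before the second network's `-o virbr1 -j REJECT` is reached, while traffic the other way hits the first network's `-o virbr0 -j REJECT` first, so connectivity is one-directional and depends on which network's rules sit on top. Regrouping the identical rules by function gives either symmetric access or a symmetric block with the LAN still reachable.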
