On 03/13/2018 11:08 AM, Gionatan Danti wrote:
> On 13/03/2018 15:30, Michal Privoznik wrote:
>> The default GW depends on the IP address you assigned to your network:
>>
>> <ip address='192.168.122.1' netmask='255.255.255.0'/>
>>
>> This says the default GW is 192.168.122.1/24. However, you can insert
>> other routes too:
>>
>> <route address="192.168.222.0" prefix="24" gateway="192.168.122.2"/>

...however this wouldn't be of use to you - the routes listed in a
libvirt network are routes that are added on the *host*, not on the
guest. (These are used when there is a network behind a guest that the
host can only access via that guest.)

>>
>> For handling DNS, you need to focus on the <dns/> element. For instance, to
>> set a different forwarder than GW:
>>
>> <dns>
>>   <forwarder addr="8.8.8.8"/>
>> </dns>
>
> For NATed/routed networks, sure. However, I have an isolated network
> like that (without the "forward" element):

We don't want DNS requests to be forwarded by dnsmasq from an isolated
network - forwarded DNS requests and responses can be used as a
clandestine medium for communicating outside the guest (we actually had
a bug report about this).

libvirt's virtual networks are intended to be a simple way to set up the
most common networking scenario. It sounds like you're beyond that, so
you probably should do your own network setup on the host outside of
libvirt. A libvirt virtual network is really just the combination of a
bridge device, a dnsmasq instance + config, some iptables rules, and
optionally some routes.

>
> <network>
>   <name>net1</name>
>   <uuid>dcf5c09b-dcb6-4fd3-86b8-6312a7b94bf6</uuid>
>   <bridge name='virbr1' stp='on' delay='0'/>
>   <mac address='52:54:00:97:1b:15'/>
>   <domain name='TEST'/>
>   <ip address='192.168.10.1' netmask='255.255.255.0'>
>     <dhcp>
>       <range start='192.168.10.128' end='192.168.10.254'/>
>     </dhcp>
>   </ip>
> </network>
>
> When the client asks for an IP via DHCP, it obtains a valid IP address
> but *no* gateway. Is it the expected behavior for an isolated network?
> From my understanding, network isolation is accomplished by firewall
> rules in the FORWARD table, rather than by not assigning the gateway IP
> address to clients.

It does both of those things (no gateway combined with iptables rules to
prevent traffic from being forwarded from the bridge). Why set a default
gateway when 1) it can't be used and 2) it may conflict with the default
gateway set on a 2nd interface in the guest that *can* be used to reach
outside the host? (A common use of an isolated network is to contain
inter-guest communication between guests that have 2nd interfaces used
for communication with the outside.)

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
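The points made in this thread (an isolated network is one with no `<forward>` element and offers guests no gateway; `<route>` entries are host-side routes; `<dns><forwarder>` sets upstream resolvers, and forwarding DNS out of an isolated network would be a covert channel) can be checked mechanically against a network definition. The following inspector is an added example, not code from the thread or from libvirt; it assumes only the libvirt network XML layout shown above, requires an explicit `netmask` or `prefix` on `<ip>` (it does not reproduce libvirt's defaulting), and the two sample definitions embedded in it are constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: an isolated network (no <forward>), shaped like net1 in the thread.
ISOLATED_NET = """
<network>
  <name>net1</name>
  <bridge name='virbr1' stp='on' delay='0'/>
  <domain name='TEST'/>
  <ip address='192.168.10.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.10.128' end='192.168.10.254'/>
    </dhcp>
  </ip>
</network>
"""

# Constructed sample: a NAT network with an upstream DNS forwarder and a host route.
NAT_NET = """
<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <dns>
    <forwarder addr='8.8.8.8'/>
  </dns>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
  <route address='192.168.222.0' prefix='24' gateway='192.168.122.2'/>
</network>
"""


def _iface(elem):
    """Build an ip_interface from an <ip> or <route> element (address + netmask|prefix)."""
    addr = elem.get("address")
    mask = elem.get("netmask") or elem.get("prefix")
    if addr is None or mask is None:
        raise ValueError(f"<{elem.tag}> needs address and netmask/prefix")
    return ipaddress.ip_interface(f"{addr}/{mask}")


def inspect_network(xml_text):
    """Summarise a libvirt <network> definition and flag inconsistencies."""
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        raise ValueError("expected a <network> root element")
    forward = root.find("forward")
    # No <forward> element at all means an isolated network; a bare <forward/>
    # defaults to NAT in libvirt.
    mode = "isolated" if forward is None else forward.get("mode", "nat")
    report = {"name": root.findtext("name"), "mode": mode, "subnets": [],
              "host_routes": [], "dns_forwarders": [], "findings": []}

    for ip in root.findall("ip"):
        iface = _iface(ip)
        subnet = {"address": str(iface.ip), "network": str(iface.network),
                  # NAT/routed networks hand guests the host's <ip> address as the
                  # default router; an isolated network offers no gateway at all.
                  "guest_gateway": None if mode == "isolated" else str(iface.ip),
                  "dhcp_ranges": []}
        for rng in ip.findall("dhcp/range"):
            start, end = rng.get("start"), rng.get("end")
            subnet["dhcp_ranges"].append((start, end))
            for bound in (start, end):
                if ipaddress.ip_address(bound) not in iface.network:
                    report["findings"].append(
                        f"dhcp range bound {bound} is outside {iface.network}")
        report["subnets"].append(subnet)

    nets = [ipaddress.ip_network(s["network"]) for s in report["subnets"]]
    for route in root.findall("route"):
        # <route> entries are installed on the host, not offered to guests.
        dest = _iface(route).network
        gw = ipaddress.ip_address(route.get("gateway"))
        report["host_routes"].append((str(dest), str(gw)))
        if not any(gw in n for n in nets):
            report["findings"].append(
                f"route gateway {gw} is not on any subnet of this network")

    report["dns_forwarders"] = [f.get("addr") for f in root.findall("dns/forwarder")
                                if f.get("addr")]
    if mode == "isolated" and report["dns_forwarders"]:
        report["findings"].append(
            "isolated network declares DNS forwarder(s) "
            + ", ".join(report["dns_forwarders"])
            + "; forwarding guest DNS upstream would give an isolated guest a "
              "covert channel to the outside")
    return report


if __name__ == "__main__":
    for xml_text in (ISOLATED_NET, NAT_NET):
        print(inspect_network(xml_text))
```

Feed it the output of `virsh net-dumpxml <name>` to review a live definition; the `findings` list is empty for both constructed samples, and becomes non-empty if, for instance, the `<forward>` element is removed from the NAT sample while its forwarder stays in place.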