Hi,

libvirt's nwfilter module can achieve that. I'm currently working on opt-out patches to disable that functionality if wished. I also don't use firewalld. It's both paternalizing and annoying and takes away user flexibility in exchange for nothing.

Anyway, check the nwfilter page to write your own filters for the beginning:
https://libvirt.org/formatnwfilter.html#nwfwrite

Some more info:
https://www.redhat.com/archives/libvir-list/2010-June/msg00762.html
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering

Regards

On Thursday, 30.05.2019 at 21:44 -0400, Joshua Kramer wrote:
> Hello All-
>
> I've looked in several places and haven't found an answer to this
> question: is it possible to have libvirt add custom rules to iptables
> for virtual network interfaces? I took a look at the "Firewall and
> Network Filtering in Libvirt" page and it seems overly complicated for
> what I want to do.
>
> Given an interface virbr2 and its network 192.168.4.0/24, libvirt
> installs the following rules in iptables. Essentially, these rules
> will drop any packets for the interface virbr2 where the source or
> destination is not on the 192.168.4.0/24 network.
>
> -P FORWARD ACCEPT
> -A FORWARD -d 192.168.4.0/24 -o virbr2 -j ACCEPT
> -A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT
> -A FORWARD -i virbr2 -o virbr2 -j ACCEPT
> -A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
>
> I have a VPN server on the 4/24 network- and it hands out addresses in
> the 8/24 network. So I would like libvirt to also create the
> following rules in iptables:
>
> -A FORWARD -d 192.168.8.0/24 -o virbr2 -j ACCEPT
> -A FORWARD -s 192.168.8.0/24 -i virbr2 -j ACCEPT
>
> I've tried creating direct rules in firewalld for the FORWARD_direct
> chain. Firewalld happily creates those rules, but they are never
> reached, because they fall AFTER the libvirt rules. I've also tried
> creating an IP address on the virbr2 interface in the 8/24 network,
> but that doesn't work either. How can I get this done?
>
> Thanks!!
> -JK
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvirt-users
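An nwfilter definition of the kind the reply points to, written as an added illustration for this thread rather than taken from it or from libvirt's own filter set. It assumes the filter (name `vpn-forward`, chosen here) is attached to the VPN server guest's interface, so that nwfilter's `out` direction corresponds to the `-i virbr2` rule and `in` to the `-o virbr2` rule the poster wants; everything it does not accept falls through to the network's existing rules.

```xml
<!-- Added example filter, not part of the thread. Define it with
       virsh nwfilter-define vpn-forward.xml
     and reference it from the VPN server guest's interface:
       <interface type='network'>
         ...
         <filterref filter='vpn-forward'/>
       </interface>
     Only IPv4 traffic is matched (chain='ipv4'); ARP and IPv6 are
     left to other chains and to the virtual network's own rules. -->
<filter name='vpn-forward' chain='ipv4'>

  <!-- Packets the VPN guest sends on behalf of its clients: source is
       the VPN pool 192.168.8.0/24. Mirrors the wanted
       "-A FORWARD -s 192.168.8.0/24 -i virbr2 -j ACCEPT". -->
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='192.168.8.0' srcipmask='24'/>
  </rule>

  <!-- Replies heading back to VPN clients: destination is the pool.
       Mirrors "-A FORWARD -d 192.168.8.0/24 -o virbr2 -j ACCEPT". -->
  <rule action='accept' direction='in' priority='101'>
    <ip dstipaddr='192.168.8.0' dstipmask='24'/>
  </rule>

  <!-- No catch-all drop here: anything not matched above is left to
       the 192.168.4.0/24 accept/reject rules libvirt already installs
       for virbr2, so the guest keeps its normal LAN and DHCP access. -->
</filter>
```

After starting the guest, `virsh nwfilter-dumpxml vpn-forward` shows the definition and `iptables -S FORWARD` (plus the per-interface `FI-vnetN`/`FO-vnetN` chains) shows where the accepts were inserted relative to the network's REJECT rules, which is the order the firewalld direct rules could not achieve.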