Currently, when an interface (virtual network) is started, if no IP address is defined, then no rule is added to permit "internal" network traffic. However, virtual guests can use such a network to communicate if a rule is added to the iptables/ip6tables rule set. This will work even if no IP address is defined on an interface (which is valid).

I propose that rules of the following forms be added when an interface is started and removed when it is destroyed:

iptables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT

ip6tables -I FORWARD 1 -i virbr18 -o virbr18 -j ACCEPT

If a user wants a "very private network", the user has to run the above commands. The proposal simply does this automatically.

Gene

--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list
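As an added example (not part of Gene's message or of libvirt's own code), a POSIX shell helper that applies or removes the proposed intra-bridge FORWARD rules for a bridge, idempotently for both address families; the bridge name virbr18 comes from the message, while the DRY_RUN switch and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not libvirt code: add or remove the FORWARD ACCEPT rule
# that lets guests on one bridge talk to each other, for IPv4 and IPv6.
# Assumptions: iptables/ip6tables on PATH, caller is root unless DRY_RUN=1,
# in which case the commands are printed instead of executed.

# Run one firewall command, or print it when DRY_RUN=1.
fw_run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Return 0 if the intra-bridge accept rule is already in FORWARD.
# -C only checks; it never modifies the table. Always "absent" in DRY_RUN.
fw_has_rule() {
    t=$1; b=$2
    [ "${DRY_RUN:-0}" = "1" ] && return 1
    "$t" -C FORWARD -i "$b" -o "$b" -j ACCEPT 2>/dev/null
}

# bridge_forward_rules <add|remove> <bridge>
# "add" inserts at position 1, as in the proposal, so the rule precedes any
# later REJECT/DROP rules in FORWARD; "remove" deletes the same rule.
bridge_forward_rules() {
    action=$1; br=$2
    case "$br" in
        ""|*[!A-Za-z0-9_.-]*) echo "bad bridge name: '$br'" >&2; return 2 ;;
    esac
    for tool in iptables ip6tables; do
        case "$action" in
            add)
                # Skip the insert if the rule is already present (idempotent).
                fw_has_rule "$tool" "$br" && continue
                fw_run "$tool" -I FORWARD 1 -i "$br" -o "$br" -j ACCEPT ;;
            remove)
                fw_run "$tool" -D FORWARD -i "$br" -o "$br" -j ACCEPT ;;
            *)
                echo "usage: bridge_forward_rules add|remove <bridge>" >&2
                return 2 ;;
        esac
    done
}

# Preview what would run when virbr18 is started, without touching the firewall.
DRY_RUN=1 bridge_forward_rules add virbr18
```

With DRY_RUN unset the helper needs root; the add and remove calls map onto the interface start and destroy events the proposal describes, e.g. driven from the /etc/libvirt/hooks/network hook script.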
