On 03/13/2018 11:08 AM, Gionatan Danti wrote:
> On 13/03/2018 15:30, Michal Privoznik wrote:
>> The default GW depends on
>> the IP address you assigned to your network:
>> <ip address='' netmask=''/>
>> This says the default GW is However, you can insert
>> other routes too:
>> <route address="" prefix="24" gateway=""/>

...however this wouldn't be of use to you - the routes listed in a
libvirt network are routes that are added on the *host*, not on the
guest. (these are used when there is a network behind a guest that the
host can only access via that guest).

>> For handling DNS, you need to focus on <dns/> element. For instance, to
>> set a different forwarder than GW:
>> <dns>
>>    <forwarder addr=""/>
>> </dns>
> For NATed/routed networks, sure. However, I have an isolated network
> like that (without the "forward" element):

We don't want DNS requests to be forwarded by dnsmasq from an isolated
network - forwarded DNS requests and responses can be used as a
clandestine medium for communicating outside the guest (we actually had
a bug report about this).

libvirt's virtual networks are intended to be a simple way to setup the
most common networking scenario. It sounds like you're beyond that, so
you probably should do your own network setup on the host outside of
libvirt. A libvirt virtual network is really just the combination of a
bridge device, a dnsmasq instance + config, some iptables rules, and
optionally some routes.

> <network>
>   <name>net1</name>
>   <uuid>dcf5c09b-dcb6-4fd3-86b8-6312a7b94bf6</uuid>
>   <bridge name='virbr1' stp='on' delay='0'/>
>   <mac address='52:54:00:97:1b:15'/>
>   <domain name='TEST'/>
>   <ip address='' netmask=''>
>     <dhcp>
>       <range start='' end=''/>
>     </dhcp>
>   </ip>
> </network>
> When the client asks for an IP via DHCP, it obtains a valid IP address
> but *no* gateway. Is it the expected behavior for an isolated network?
> From my understanding, network isolation is accomplished by firewall
> rules in the FORWARD table, rather than by not assigning the gateway IP
> address to clients.

It does both of those things (no gateway combined with iptables rules to
prevent traffic from being forwarded from the bridge). Why set a default
gateway when 1) it can't be used and 2) it may conflict with the default
gateway set on a 2nd interface in the guest that *can* be used to reach
outside the host? (a common use of an isolated network is to contain
inter-guest communication between guests that have 2nd interfaces used
for communication with the outside).
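An added audit helper, not code from this thread or from libvirt, that reads a <network> definition and reports what the reply above describes: the forward mode, the gateway DHCP will (or, on an isolated network, will not) hand out, the <route/> entries as host-side routes, and a finding if an isolated network declares DNS forwarders. The network names and addresses are constructed sample values.

```python
# Added example (not from the thread or libvirt): audit a libvirt <network>
# definition. Addresses below are constructed (RFC 5737 documentation ranges).
import xml.etree.ElementTree as ET

def audit_network(xml_text):
    """Return what a guest on this network will get, plus any findings."""
    net = ET.fromstring(xml_text)
    fwd = net.find("forward")
    # no <forward/> means an isolated network; <forward/> without mode is NAT
    mode = "isolated" if fwd is None else fwd.get("mode", "nat")
    ip = net.find("ip")
    addr = ip.get("address") if ip is not None else None
    # isolated networks hand out DHCP leases without a router option
    gateway = None if mode == "isolated" else addr
    # <route/> entries land in the host's routing table, not the guest's
    host_routes = [(r.get("address"), r.get("prefix"), r.get("gateway"))
                   for r in net.findall("route")]
    forwarders = [f.get("addr") for f in net.findall("dns/forwarder")]
    findings = []
    if mode == "isolated" and forwarders:
        findings.append("DNS forwarders on an isolated network: forwarded "
                        "queries can carry data out of the guest")
    if mode == "isolated" and host_routes:
        findings.append("<route/> on an isolated network only changes host routing")
    return {"name": net.findtext("name"), "mode": mode, "gateway": gateway,
            "host_routes": host_routes, "forwarders": forwarders,
            "findings": findings}

# constructed sample: isolated network (no <forward/>), like net1 in the thread
ISOLATED = """<network>
  <name>net1</name>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.0.2.1' netmask='255.255.255.0'>
    <dhcp><range start='192.0.2.100' end='192.0.2.200'/></dhcp>
  </ip>
</network>"""

# constructed sample: NAT network with a DNS forwarder and a host-side route
NATTED = """<network>
  <name>net2</name>
  <forward/>
  <dns><forwarder addr='198.51.100.53'/></dns>
  <ip address='203.0.113.1' netmask='255.255.255.0'/>
  <route address='10.0.0.0' prefix='8' gateway='203.0.113.2'/>
</network>"""

if __name__ == "__main__":
    for definition in (ISOLATED, NATTED):
        print(audit_network(definition))
```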

libvirt-users mailing list