On Wed, Sep 22, 2010 at 03:35:54PM -0400, Stefan Berger wrote:
> On 09/22/2010 02:49 PM, Daniel P. Berrange wrote:
> > On Wed, Sep 22, 2010 at 02:19:31PM -0400, Stefan Berger wrote:
> >> On a recent installation of FC13, the filtering of IP/IPv6 using
> >> iptables/ip6tables traffic did not work since the proc filesystem
> >> entries /proc/sys/net/bridge/bridge-nf-call-iptables and
> >> /proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and
> >> no traffic went into the FORWARD chain. The patch below makes sure that
> >> if iptables or ip6tables are being used by the nwfilter driver that a
> >> '1' is written into the relevant proc filesystem entry so that the
> >> traffic goes into the FORWARD chain.
> >
> > NACK to this. We need to figure out how to make this filtering
> > work with them set to 0. The change to set them to 0 by default
> > is explicitly done for the benefit of virtualization, otherwise
> > guest traffic gets blocked by regular host firewall rules which
> > is not desirable. eg run system-config-firewall and block ssh
> > port on the host, and you've blocked it on all the guests too :-(
>
> The ssh port blocking for the host is a rule that goes into the INPUT
> table. That is independent of what libvirt does with the FORWARD table
> and this host rule would not influence the guest rules and vice versa.
> Traffic destined to bridged guests will NOT go through the INPUT table,
> only traffic from guests towards their own host will go through it.
It depends on the version of RHEL/Fedora. Previous system-config-firewall
would put the same rules on the INPUT *and* FORWARD chains. The newer s-c-f
puts a generic 'REJECT' rule on the FORWARD table. Either way, if you
have bridge-nf-call-iptables=1, then all bridged guest traffic is
significantly impacted.

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
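The disagreement in the thread turns on a single sysctl: with bridge-nf-call-iptables set to 0, frames bridged between guest interfaces never enter the host's iptables FORWARD chain (so neither the host firewall's FORWARD rules nor nwfilter's own iptables rules see them), and with it set to 1 every bridged frame is subject to whatever the host has put in FORWARD, such as the generic REJECT that the reply attributes to newer system-config-firewall. The diagnostic below is an added example written for this page, not libvirt or system-config-firewall code. It assumes the proc paths named in the thread, the `iptables -S FORWARD` output format, and constructed sample data (the FORWARD chain contents are invented to match the shape described in the reply, not captured from a real host). Because rule order and per-interface ACCEPT rules matter, "filtered-blocking" means the chain can block guest traffic, not that every packet will be dropped.

```shell
#!/bin/sh
# Added example (not libvirt code): does bridged guest traffic traverse the
# host's iptables FORWARD chain, and does that chain contain anything that
# would then hit the guests?

# Print /proc/sys/net/bridge/bridge-nf-call-<proto> for proto in
# iptables, ip6tables, arptables. An optional second argument substitutes
# another directory for /proc/sys/net/bridge (used by the demo below).
# Prints "absent" when the knob is missing, e.g. bridge netfilter not loaded.
bridge_nf_value() {
    _dir=${2:-/proc/sys/net/bridge}
    _file="$_dir/bridge-nf-call-$1"
    if [ -r "$_file" ]; then
        cat "$_file"
    else
        echo absent
    fi
}

# Count entries in saved `iptables -S FORWARD` output ($1 = file) that can
# block traffic traversing FORWARD: a DROP/REJECT chain policy, or a rule
# whose target is REJECT or DROP. Prints the count (0 = nothing hostile).
forward_block_count() {
    grep -cE '^-P FORWARD (DROP|REJECT)|^-A FORWARD .*-j (REJECT|DROP)' "$1" || true
}

# Combine the two. Prints:
#   bypass             sysctl is 0/absent: bridged frames skip iptables entirely,
#                      so host FORWARD rules AND nwfilter's iptables rules are moot
#   filtered-clean     sysctl is 1 and FORWARD has no DROP/REJECT policy or rule
#   filtered-blocking  sysctl is 1 and FORWARD can reject bridged guest traffic
assess() {
    _sysctl=$(bridge_nf_value iptables "$2")
    _blocks=$(forward_block_count "$1")
    if [ "$_sysctl" != "1" ]; then
        echo bypass
    elif [ "$_blocks" -eq 0 ]; then
        echo filtered-clean
    else
        echo filtered-blocking
    fi
}

# Build a temporary directory of CONSTRUCTED sample data standing in for
# /proc/sys/net/bridge and two saved FORWARD chains; prints its path.
make_demo_dir() {
    _d=$(mktemp -d)
    mkdir -p "$_d/bridge"
    echo 1 > "$_d/bridge/bridge-nf-call-iptables"
    # Invented chain with a trailing generic REJECT, the shape the reply
    # describes for newer system-config-firewall.
    cat > "$_d/forward-scf.txt" <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF
    # Invented chain with nothing but the default ACCEPT policy.
    cat > "$_d/forward-plain.txt" <<'EOF'
-P FORWARD ACCEPT
EOF
    echo "$_d"
}

d=$(make_demo_dir)
echo "bridge-nf-call-iptables = $(bridge_nf_value iptables "$d/bridge")"
echo "s-c-f style FORWARD:    $(assess "$d/forward-scf.txt" "$d/bridge")"
echo "plain FORWARD:          $(assess "$d/forward-plain.txt" "$d/bridge")"
rm -rf "$d"
```

On a real host, run `assess` against `iptables -S FORWARD > /tmp/fwd.txt` with no second argument so it reads the live sysctl; `bridge_nf_value ip6tables` reports the IPv6 knob the original patch also wrote to.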