virt-manager (or libvirt) fails to set proper iptables routing rules for a virtual network

Bug #1263534 reported by kimj
This bug affects 1 person

Affects: virt-manager (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

I needed to access a service (RDP) running on a kvm guest, but I didn't want to have to modify iptables nat rules or allow the guest on my local network by bridging it on a physical interface, so I created a virtual network, let's call it 'VirtNetLO50', with address 192.168.100.0/24 and routing towards the interface 'lo50'.

I had created the lo:50 alias beforehand, as 192.168.50.1/24.

I expected virt-manager/libvirt to create iptables rules allowing traffic to said interface, but I then discovered that guests connected to the VirtNet50 virtual network had routing toward all my networks and interfaces.

After further controls, it appears that virt-manager/libvirt had indeed created some iptables rules:

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.100.0/24
ACCEPT all -- 192.168.100.0/24 anywhere

Those rules are, in my opinion, too broad. The virt-manager GUI allows me to select which interface/network to route to, and I'd expect to be able to route ONLY to that network, not to 'anywhere'.

A more reasonable rule should have been:

target prot opt source destination
ACCEPT all -- 192.168.50/24 192.168.100.0/24
ACCEPT all -- 192.168.100.0/24 192.168.50/24

kimj (emailadhoc) wrote :

Or, since that would require being aware of the interface configuration and its subsequent variations, it would have made sense to make use of iptables' --in-interface and --out-interface parameters.
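The following is an added example written for this report; it is not libvirt, virt-manager or the reporter's code. It shows how to audit a FORWARD chain listing for the kind of over-broad ACCEPT rules described above (an ACCEPT that pairs the guest network with 'anywhere'), and how to build the narrowed replacement the two comments propose: each direction matched on both the subnet pair (-s/-d) and the interface pair (-i/-o). The chain listing is constructed to mirror the report (in `iptables -L FORWARD -n` form, where 'anywhere' prints as 0.0.0.0/0), and the bridge name `virbr1` is an assumption, as is treating `lo50` as the interface name the reporter uses.

```python
"""Audit the FORWARD chain for over-broad libvirt-style ACCEPT rules and
emit narrowed replacements.

Added example for this report; not libvirt or virt-manager code. The
interface names (virbr1, lo50) and the sample chain listing below are
assumptions constructed for illustration.
"""
import ipaddress
import shlex

# How iptables prints an unrestricted address, with and without -n.
ANY_NET = {"anywhere", "0.0.0.0/0", "::/0"}

# Constructed sample of `iptables -L FORWARD -n` output: the report's two
# broad rules plus one correctly scoped rule for contrast.
SAMPLE_FORWARD = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.100.0/24
ACCEPT     all  --  192.168.100.0/24     0.0.0.0/0
ACCEPT     all  --  192.168.50.0/24      192.168.100.0/24
"""


def parse_forward(text):
    """Parse `iptables -L <chain> -n` output into rule dicts; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("Chain", "target"):
            continue
        rules.append({
            "target": fields[0],
            "proto": fields[1],
            "source": fields[3],
            "destination": fields[4],
            "extra": " ".join(fields[5:]),  # trailing matches, if any
        })
    return rules


def touches_net(rule, net):
    """True if the rule's source or destination is exactly the given network."""
    return net in (rule["source"], rule["destination"])


def find_overbroad(text, guest_net):
    """Return ACCEPT rules that pair the guest network with 'anywhere'.

    These are the rules the report objects to: they let the guest network
    reach, or be reached from, every other network the host can route to.
    """
    guest = str(ipaddress.ip_network(guest_net, strict=True))
    return [
        r for r in parse_forward(text)
        if r["target"] == "ACCEPT"
        and touches_net(r, guest)
        and (r["source"] in ANY_NET or r["destination"] in ANY_NET)
    ]


def narrowed_rules(guest_net, peer_net, guest_if, peer_if):
    """Build the two scoped iptables commands the report proposes.

    Each direction is matched on both the subnet pair (-s/-d) and the
    interface pair (-i/-o), so neither a wider subnet nor a moved alias
    silently widens what the guest network may reach.
    """
    guest = ipaddress.ip_network(guest_net, strict=True)
    peer = ipaddress.ip_network(peer_net, strict=True)
    if guest.overlaps(peer):
        raise ValueError(f"{guest} and {peer} overlap; routing between them is ambiguous")
    # (source net, ingress interface, destination net, egress interface)
    pairs = [(guest, guest_if, peer, peer_if), (peer, peer_if, guest, guest_if)]
    return [
        " ".join(shlex.quote(a) for a in [
            "iptables", "-A", "FORWARD", "-i", in_if, "-o", out_if,
            "-s", str(src), "-d", str(dst), "-j", "ACCEPT",
        ])
        for src, in_if, dst, out_if in pairs
    ]


if __name__ == "__main__":
    for rule in find_overbroad(SAMPLE_FORWARD, "192.168.100.0/24"):
        print("over-broad:", rule["source"], "->", rule["destination"])
    for cmd in narrowed_rules("192.168.100.0/24", "192.168.50.0/24", "virbr1", "lo50"):
        print(cmd)
```

To run the audit against a live host, feed `find_overbroad()` the output of `iptables -L FORWARD -n` and the virtual network's subnet; only the two 'anywhere' rules from the sample are flagged, while the rule already scoped to 192.168.50.0/24 is not. The generated commands are printed rather than executed, so they can be reviewed before being applied alongside, or in place of, the rules libvirt installs.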
