libvirt / KVM/QEMU - Networks: What does "Open Network" do?
When setting up a network with libvirt & virt-manager, there is an option to choose "Open Network" as the "Network Mode" when forwarding traffic to a physical network.
What does "Open Network" mean / do? I thought it might be the same as an isolated network, but clearly that wouldn't make much sense, as there is a seperate option for that.
See example screenshot below...
1 Answer
This feature was described when it was added, in the post
[libvirt] [PATCH 1/3] network: new network forward mode 'open':
The new forward mode 'open' is just like mode='route', except that no firewall rules are added to assure that any traffic does or doesn't pass. It is assumed that either they aren't necessary, or they will be setup outside the scope of libvirt.
It means that no firewall rules will be automatically added to allow free traffic on the network.
This is also described inlibvirt: Network XML format, sectionConnectivityin a similar manner (more wordy but less clear):
6open
As with mode='route', guest network traffic will be forwarded to the physical network via the host's IP routing stack, but there will be no firewall rules added to either enable or prevent any of this traffic. When forward='open' is set, the dev attribute cannot be set (because the forward dev is enforced with firewall rules, and the purpose of forward='open' is to have a forwarding mode where libvirt doesn't add any firewall rules). This mode presumes that the local LAN router has suitable routing table entries to return traffic to this host, and that some other management system has been used to put in place any necessary firewall rules. Although no firewall rules will be added for the network, it is of course still possible to add restrictions for specific guests using nwfilter rules on the guests' interfaces.) Since 2.2.0
