On Wed, Sep 22, 2010 at 02:19:31PM -0400, Stefan Berger wrote:
> On a recent installation of FC13, the filtering of IP/IPv6 using
> iptables/ip6tables traffic did not work since the proc filesystem
> entries /proc/sys/net/bridge/bridge-nf-call-iptables and
> /proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and
> no traffic went into the FORWARD chain. The patch below makes sure that
> if iptables or ip6tables are being used by the nwfilter driver that a
> '1' is written into the relevant proc filesystem entry so that the
> traffic goes into the FORWARD chain.
NACK to this. We need to figure out how to make this filtering
work with them set to 0. The change to set them to 0 by default
is explicitly done for the benefit of virtualization, otherwise
guest traffic gets blocked by regular host firewall rules which
is not desirable. eg run system-config-firewall and block ssh
port on the host, and you've blocked it on all the guests too :-(
Daniel
--
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|