On Thu, Apr 05, 2007 at 08:28:57AM +0100, Mark McLoughlin wrote:
> On Thu, 2007-04-05 at 02:44 +0100, Daniel P. Berrange wrote:
> I guess the two main differences are 1) avoid physdev based rules
> because they don't work with net.bridge.bridge-nf-call-iptables = 1 and
> 2) use network address based rules which I avoided because of pure
> superstition and the feeling that IP based matching on a bridge was just
> ugly.
Considering point #2 - I think it is not entirely unreasonable. We let VMs
on the bridge use any IP addresses they like within the context of the
virtual network for VM <-> VM communication. Although we'll hand out addresses
via DHCP from the official range, they can also be manually configured with
arbitrary addresses. For routing purposes we need to provide an IP address
for the 'gateway router' (ie the Dom0 bridge device), and thus it is good
practice to only route traffic associated with the network/mask of the
router. If we were filtering traffic within the bridge based on IP, that
would be ugly, but the forwarding / postrouting rules are concerned with
traffic which is leaving the bridge & thus being routed, so IP based
matching is good here.
Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules:
http://search.cpan.org/~danberr/ -=|
|=- Projects:
http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
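As an added illustration of the address-based forwarding and postrouting rules discussed above (this is example code written for this page, not libvirt's own rule set or anything posted in the thread), the function below emits the iptables commands for one NAT'd virtual network so that only traffic carrying an address inside the network/mask is routed off the bridge or masqueraded. The bridge name `virbr0` and the range `192.168.122.0/24` in the usage line are assumed values, not taken from the mail. The commands are printed rather than executed so they can be reviewed first and applied with `sh` as root.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the iptables rules for a
# NAT'd virtual network bridge. Matching is on the network's address
# range (no physdev match), so it works whether or not
# net.bridge.bridge-nf-call-iptables is set.
#
# Usage: bridge_nat_rules <bridge> <network/mask> [-A|-D]
#   bridge_nat_rules virbr0 192.168.122.0/24        # emit add rules
#   bridge_nat_rules virbr0 192.168.122.0/24 -D     # emit delete rules
# Bridge name and subnet are assumed values for illustration.
bridge_nat_rules() {
    br="$1"
    net="$2"
    op="${3:--A}"   # default to append; pass -D to generate teardown rules

    # Replies coming back from outside into the network: only if the
    # destination is inside the range, and only for flows a guest started.
    echo "iptables $op FORWARD -d $net -o $br -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Traffic leaving the bridge to be routed: only if its source lies in
    # the network/mask. A guest that configured an address outside the
    # range can still reach its neighbours on the bridge (that traffic
    # never hits FORWARD), but it is not routed anywhere else.
    echo "iptables $op FORWARD -s $net -i $br -j ACCEPT"

    # Guest <-> guest traffic that the kernel nonetheless routes via the bridge.
    echo "iptables $op FORWARD -i $br -o $br -j ACCEPT"

    # Anything else entering or leaving the bridge is rejected.
    echo "iptables $op FORWARD -o $br -j REJECT"
    echo "iptables $op FORWARD -i $br -j REJECT"

    # Masquerade only sources from the range, and never traffic that is
    # staying inside the range (no NAT for VM <-> VM).
    echo "iptables -t nat $op POSTROUTING -s $net ! -d $net -j MASQUERADE"
}
```

Note that with `-A` the order of the FORWARD rules matters: the ACCEPT rules must precede the two REJECT rules, which is why they are emitted first; with `-D` the order is irrelevant.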