Hi all,
I've got a problem with nwfilters/iptables. For one of my guest's
interfaces, I have established the following filter:
--8<---------------cut here---------------start------------->8---
<filter name='p-mgmt' chain='root'>
<uuid>94fdd15b-b380-ba8c-6685-91206829adc7</uuid>
<filterref filter='clean-traffic'/>
<rule action='accept' direction='in' priority='500'>
<tcp dstportstart='22'/>
</rule>
<rule action='drop' direction='inout' priority='1000'>
<all/>
</rule>
</filter>
--8<---------------cut here---------------end--------------->8---
The intent is to allow incoming ssh only.
However, ssh from my host to my guest does not work. This is the
relevant iptables excerpt with the filter given as above:
--8<---------------cut here---------------start------------->8---
root:~# iptables -L HI-vnet5
Chain HI-vnet5 (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED ctdir ORIGINAL
DROP       all  --  anywhere             anywhere
root:~#
--8<---------------cut here---------------end--------------->8---
The chain relations are: INPUT -> libvirt-host-in -> HI-vnet5.
The interesting thing is: If I insert the same rule again, but with
ctdir reversed, everything works just fine:
--8<---------------cut here---------------start------------->8---
root:~# iptables -I HI-vnet5 1 -p tcp --sport 22 -m state --state ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
root:~# iptables -L HI-vnet5
Chain HI-vnet5 (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED ctdir REPLY
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED ctdir ORIGINAL
DROP       all  --  anywhere             anywhere
root:~#
--8<---------------cut here---------------end--------------->8---
I am not an iptables expert, but if my guest's ssh daemon replies to my
host's requests (and thus the packets are traversing my host's INPUT
chain), I would guess that the direction is "REPLY" rather than
"ORIGINAL".
I'm really stuck with this and it would be really great if someone could
clarify things for me!
I'm running Ubuntu 12.04 (kernel 3.2.0-20-generic) coming with libvirt
0.9.8-2ubuntu1.
Best,
Nicolai
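The reasoning in the post (which direction the sshd reply has in conntrack terms, and which rule in HI-vnet5 it therefore hits) can be made concrete with a small model of the chain. This is an added example, not code from the post, libvirt or netfilter: it models only the match modules that appear in the two listings above, and the addresses (HOST, GUEST) and the client port are assumed values.

```python
"""Toy model of the HI-vnet5 chain from the post, added to make the --ctdir
reasoning concrete. Example code, not libvirt or netfilter code: the rule
fields, the ESTABLISHED state handling and the addresses HOST, GUEST and
CLIENT_PORT are simplified assumptions."""
from dataclasses import dataclass
from typing import List, Optional

HOST = "192.168.122.1"    # assumed host-side address on the libvirt bridge
GUEST = "192.168.122.10"  # assumed guest address
CLIENT_PORT = 51234       # assumed ephemeral port of the host's ssh client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Conn:
    """A conntrack entry: the 5-tuple of the packet that created it.
    Packets flowing that way are ORIGINAL, packets the opposite way REPLY."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def ctdir(pkt: Packet, conn: Conn) -> str:
    """Classify a packet the way 'conntrack --ctdir' is documented to."""
    fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if fwd == (conn.src, conn.sport, conn.dst, conn.dport):
        return "ORIGINAL"
    if fwd == (conn.dst, conn.dport, conn.src, conn.sport):
        return "REPLY"
    raise ValueError("packet does not belong to this connection")


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None
    sport: Optional[int] = None
    state: Optional[str] = None        # -m state --state ...
    ctdir_match: Optional[str] = None  # -m conntrack --ctdir ...


def rule_matches(rule: Rule, pkt: Packet, conn: Conn, state: str) -> bool:
    """Every match given on the rule must agree, as in iptables."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.state is not None and rule.state != state:
        return False
    if rule.ctdir_match is not None and rule.ctdir_match != ctdir(pkt, conn):
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, conn: Conn, state: str) -> str:
    """The first matching rule decides; the end of a user chain returns."""
    for rule in chain:
        if rule_matches(rule, pkt, conn, state):
            return rule.target
    return "RETURN"


# HI-vnet5 as libvirt generated it in the post.
GENERATED_CHAIN = [
    Rule("RETURN", proto="tcp", sport=22, state="ESTABLISHED", ctdir_match="ORIGINAL"),
    Rule("DROP"),
]
# The same chain after the poster's manual 'iptables -I HI-vnet5 1 ... --ctdir REPLY -j RETURN'.
CHAIN_WITH_REPLY_RULE = [
    Rule("RETURN", proto="tcp", sport=22, state="ESTABLISHED", ctdir_match="REPLY"),
] + GENERATED_CHAIN

# The host's ssh client opens the connection to the guest's sshd; its SYN
# creates the conntrack entry, so host->guest is the ORIGINAL direction.
SSH_CONN = Conn(HOST, CLIENT_PORT, GUEST, 22)
# sshd's answer, which traverses the host's INPUT chain and hence HI-vnet5.
SSHD_REPLY = Packet(GUEST, 22, HOST, CLIENT_PORT)


def sshd_reply_direction() -> str:
    return ctdir(SSHD_REPLY, SSH_CONN)


def verdict_generated_chain() -> str:
    return evaluate(GENERATED_CHAIN, SSHD_REPLY, SSH_CONN, "ESTABLISHED")


def verdict_with_reply_rule() -> str:
    return evaluate(CHAIN_WITH_REPLY_RULE, SSHD_REPLY, SSH_CONN, "ESTABLISHED")


if __name__ == "__main__":
    print("ctdir of sshd reply:      ", sshd_reply_direction())
    print("verdict, generated chain: ", verdict_generated_chain())
    print("verdict, with REPLY rule: ", verdict_with_reply_rule())
```

In this model the sshd reply is classified as REPLY, so the generated chain's only RETURN rule (ctdir ORIGINAL) does not match and the packet falls through to DROP, while the manually inserted REPLY rule lets it RETURN to libvirt-host-in. That matches the behaviour observed in the post; on a real host the same check is `iptables -L HI-vnet5 -v` (to see which rule's counters move) or `conntrack -L` for the entry's direction.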