
On 05/28/2014 05:13 PM, Brian Rak wrote:
> On 5/28/2014 10:10 AM, Laine Stump wrote:
>> On 05/27/2014 02:46 AM, Brian Rak wrote:
>>> Make sure you have:
>>> /proc/sys/net/bridge/bridge-nf-call-iptables = 1
>> That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the bridge, not to the bridge itself.
> It may not make sense to you, but that is what's necessary for nwfilter to work. You can even look at the code:
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/nwfilter/nwfilter_ebiptab...

Once again showing how much attention I pay to details :-) It still doesn't make sense, but you are correct. (and to think that virt people have spent so much time complaining that the bridge-nf-* settings should be *off*...)
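An added check illustrating the point of the thread, not code from the list or from libvirt: nwfilter's per-tap iptables rules are assumed here to match the vnetX device with the physdev module in the FORWARD path, so they only see bridged guest traffic when bridge-nf-call-iptables is 1. The iptables-save excerpt is constructed, and the sysctl file path is passed in so the check can run against a copy offline.

```shell
# Constructed iptables-save excerpt (not captured from a real host) in the
# shape of nwfilter's per-tap rules for vnet0: FORWARD -> libvirt-in/out ->
# per-device chain, selected by a physdev match on the tap device.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
:libvirt-in - [0:0]
:libvirt-out - [0:0]
:FI-vnet0 - [0:0]
:FO-vnet0 - [0:0]
-A FORWARD -j libvirt-in
-A FORWARD -j libvirt-out
-A libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0
-A libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0
-A FI-vnet0 -p tcp -m tcp --dport 22 -j RETURN
COMMIT'

# count_physdev_rules RULES: number of rules that match on a bridge port.
# "|| true" keeps the printed count when grep exits 1 for zero matches.
count_physdev_rules() {
    printf '%s\n' "$1" | grep -c -- '-m physdev' || true
}

# bridge_nf_enabled FILE: true when the sysctl file (normally
# /proc/sys/net/bridge/bridge-nf-call-iptables) reads 1.
bridge_nf_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# check_nwfilter_path RULES FILE: returns 0 when the physdev rules can
# actually see bridged traffic (or there are none), 1 when they are
# installed but bridged frames bypass iptables entirely.
check_nwfilter_path() {
    rules_n=$(count_physdev_rules "$1")
    if [ "$rules_n" -eq 0 ]; then
        echo "no physdev rules present; nothing to check"
        return 0
    fi
    if bridge_nf_enabled "$2"; then
        echo "ok: $rules_n physdev rule(s), bridge-nf-call-iptables=1"
        return 0
    fi
    echo "warning: $rules_n physdev rule(s) but bridge-nf-call-iptables is not 1;" \
         "bridged guest traffic will skip these rules"
    return 1
}
```

On a live host run it as `check_nwfilter_path "$(iptables-save)" /proc/sys/net/bridge/bridge-nf-call-iptables`.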