Re: [libvirt-users] nwfilter usage

On 5/28/2014 10:10 AM, Laine Stump wrote: > On 05/27/2014 02:46 AM, Brian Rak wrote: >> Make sure you have: >> >> /proc/sys/net/bridge/bridge-nf-call-iptables = 1 > That doesn't make sense. bridge-nf-call-iptables controls whether or not > traffic going across a Linux host bridge device will be sent through > iptables, but the rules created by nwfilter are applied to the "vnetX" > tap devices that connect the guest to the bridge, not to the bridge > itself. It may not make sense to you, but that is what's necessary for nwfilter to work. You can even look at the code: http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/nwfilter/nwfilter_ebip...