On Wed, May 28, 2014 at 10:13:14AM -0400, Brian Rak wrote:
> On 5/28/2014 10:10 AM, Laine Stump wrote:
> > On 05/27/2014 02:46 AM, Brian Rak wrote:
> > > Make sure you have:
> > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1
> >
> > That doesn't make sense. bridge-nf-call-iptables controls whether or not
> > traffic going across a Linux host bridge device will be sent through
> > iptables, but the rules created by nwfilter are applied to the "vnetX"
> > tap devices that connect the guest to the bridge, not to the bridge
> > itself.
>
> It may not make sense to you, but that is what's necessary for nwfilter
> to work. You can even look at the code:
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/nwfilter/nwfilter_ebiptab...

You are both right and both wrong :-P

The nwfilter code does need nf-call-iptables==1, but if-and-only-if the
nwfilter rule specified in the XML is filtering at the IPv4/IPv6 layer
protocol. Any rules which are ethernet layer don't care about these sysctl
settings.

See this:

  http://libvirt.org/formatnwfilter.html#nwfelemsRulesProto

mac, vlan, stp, arp, rarp, ipv4 and ipv6 protocols are all done at the
ethernet layer. tcp, udp, sctp, icmp, igmp, esp, ah, udplite (and their
IPv6 variants) are all done at the IP layer.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
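As an added example (not part of the mail and not libvirt's own tooling): a small Python checker that classifies the protocol elements of an nwfilter XML according to Daniel's two lists and reports which bridge-nf-call-* sysctls that filter actually depends on. The IPv6 element names and the bridge-nf-call-ip6tables sysctl are assumptions (the mail only says "their IPv6 variants" and names bridge-nf-call-iptables); the sample filter is constructed.

```python
import os
import xml.etree.ElementTree as ET

# Protocol element names grouped as in the mail: ethernet-layer rules are
# applied with ebtables and ignore bridge-nf-call-*; IP-layer rules need the
# sysctl so bridged traffic is handed to iptables. The libvirt XML element
# for IPv4 is 'ip'; the mail's 'ipv4' is kept alongside it.
ETHERNET_LAYER = {"mac", "vlan", "stp", "arp", "rarp", "ip", "ipv4", "ipv6"}
IPV4_LAYER = {"tcp", "udp", "sctp", "icmp", "igmp", "esp", "ah", "udplite"}
# Assumed IPv6 variant names and sysctl (not spelled out in the mail).
IPV6_LAYER = {"tcp-ipv6", "udp-ipv6", "sctp-ipv6", "icmpv6", "esp-ipv6", "ah-ipv6", "udplite-ipv6"}

def analyse_filter(xml_text):
    """Return (needed_sysctls, unknown_protocols, filterrefs) for one filter."""
    root = ET.fromstring(xml_text)
    needed, unknown = set(), []
    # Referenced filters are not resolved here; check them separately.
    refs = [ref.get("filter") for ref in root.iter("filterref")]
    for rule in root.iter("rule"):
        for proto in rule:
            if proto.tag in IPV4_LAYER:
                needed.add("net.bridge.bridge-nf-call-iptables")
            elif proto.tag in IPV6_LAYER:
                needed.add("net.bridge.bridge-nf-call-ip6tables")
            elif proto.tag not in ETHERNET_LAYER:
                unknown.append(proto.tag)  # outside the mail's lists: review
    return needed, unknown, refs

def check_sysctls(needed, proc_root="/proc/sys"):
    """Map each needed sysctl to True/False (value == 1) or None if absent."""
    status = {}
    for name in sorted(needed):
        path = os.path.join(proc_root, *name.split("."))
        try:
            with open(path) as fh:
                status[name] = fh.read().strip() == "1"
        except OSError:
            status[name] = None  # e.g. bridge module not loaded
    return status

# Constructed sample: one IP-layer rule, one ethernet-layer rule, one element
# outside the mail's lists, and a reference to another filter.
SAMPLE_FILTER = """<filter name='demo-ssh-only' chain='root'>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in' priority='500'><tcp dstportstart='22'/></rule>
  <rule action='accept' direction='inout' priority='400'><arp/></rule>
  <rule action='drop' direction='inout' priority='1000'><all/></rule>
</filter>"""
```

Run `analyse_filter` over each filter a guest references, then `check_sysctls` on the union of the results; a filter with only ethernet-layer rules yields an empty set and needs no sysctl change.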