[libvirt-users] nwfilter usage

Laine Stump laine at laine.org
Wed May 28 14:30:14 UTC 2014


On 05/28/2014 05:13 PM, Brian Rak wrote:
>
> On 5/28/2014 10:10 AM, Laine Stump wrote:
>> On 05/27/2014 02:46 AM, Brian Rak wrote:
>>> Make sure you have:
>>>
>>> /proc/sys/net/bridge/bridge-nf-call-iptables = 1
>> That doesn't make sense. bridge-nf-call-iptables controls whether or not
>> traffic going across a Linux host bridge device will be sent through
>> iptables, but the rules created by nwfilter are applied to the "vnetX"
>> tap devices that connect the guest to the bridge, not to the bridge
>> itself.
> It may not make sense to you, but that is what's necessary for
> nwfilter to work.  You can even look at the code:
>
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/nwfilter/nwfilter_ebiptables_driver.c;h=5cb0b74aaec2a659fb6e4b61502ef1322131c056;hb=HEAD#l3127
>

Once again showing how much attention I pay to details :-)

It still doesn't make sense, but you are correct. (and to think that
virt people have spent so much time complaining that the bridge-nf-*
settings should be *off*...)
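A small check script for the setting the thread turns on, added here as an example and not taken from the thread or from libvirt itself: it reads the bridge-nf sysctls that the nwfilter ebiptables driver depends on and reports whether bridge-nf-call-iptables is 1. The function name and the optional directory argument (used so the check can be run against a constructed directory instead of the live /proc tree) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report the state of the bridge-nf
# sysctls under /proc/sys/net/bridge, which nwfilter's ebiptables driver
# expects bridge-nf-call-iptables to be 1 for.
#
# bridge_nf_state [ROOT]
#   ROOT defaults to /proc/sys/net/bridge; an alternative path is accepted
#   purely so the check can be exercised against a constructed directory.
#   Prints "<name> <value>" (or "<name> missing") per sysctl.
#   Returns 0 when bridge-nf-call-iptables is 1,
#           2 when the sysctl directory is absent (the bridge netfilter
#             hooks are not loaded, so the files do not exist yet),
#           1 otherwise.
bridge_nf_state() {
    root="${1:-/proc/sys/net/bridge}"
    rc=1
    if [ ! -d "$root" ]; then
        echo "bridge sysctls missing under $root (bridge netfilter hooks not loaded?)"
        return 2
    fi
    for name in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        f="$root/$name"
        if [ -r "$f" ]; then
            val=$(cat "$f")
            echo "$name $val"
            # Only the iptables hook decides the overall result, matching the
            # setting the thread says nwfilter needs.
            if [ "$name" = bridge-nf-call-iptables ] && [ "$val" = 1 ]; then
                rc=0
            fi
        else
            echo "$name missing"
        fi
    done
    return $rc
}

# Usage: run directly to check the live host, e.g.  sh bridge_nf_check.sh
bridge_nf_state "$@"
```

On kernels where the bridge netfilter hooks live in a separate module (br_netfilter, since Linux 3.18), the /proc/sys/net/bridge directory only appears once that module is loaded, which is why the script distinguishes "absent" (exit 2) from "present but 0" (exit 1).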