On Thu, Apr 05, 2007 at 08:28:57AM +0100, Mark McLoughlin wrote:
> On Thu, 2007-04-05 at 02:44 +0100, Daniel P. Berrange wrote:
>
> I guess the two main differences are 1) avoid physdev based rules
> because they don't work with net.bridge.bridge-nf-call-iptables = 1 and
> 2) use network address based rules which I avoided because of pure
> superstition and the feeling that IP based matching on a bridge was just
> ugly.

Considering point #2 - I think it is not entirely unreasonable. We let VMs
on the bridge use any IP addresses they like within the context of the
virtual network for VM <-> VM communication. Although we'll hand out
addresses via DHCP from the official range, they can also be manually
configured with arbitrary addresses. For routing purposes we need to provide
an IP address for the 'gateway router' (i.e. the Dom0 bridge device), and
thus it is good practice to only route traffic associated with the
network/mask of the router.

If we were filtering traffic within the bridge based on IP, that would be
ugly, but the forwarding / postrouting rules are concerned with traffic which
is leaving the bridge & thus being routed, so IP based matching is good here.

Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|
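The rule layout the message argues for, as an added illustration that is not code from the thread or from the project under discussion: VM <-> VM traffic staying on the bridge is accepted without any address check, while only the routed path (FORWARD across the bridge boundary, and nat POSTROUTING) matches on the network's address range, and no physdev match is used. The bridge name, the network range and the `IPTABLES` dry-run variable are assumptions; by default the function prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread or the project it
# discusses. Generates the iptables rules for a NAT'd virtual network bridge
# using network-address matching on the routed path only.
# BRIDGE/NETWORK arguments and the IPTABLES variable are assumptions.

# Commands are printed by default; set IPTABLES=iptables to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"

# gen_bridge_rules BRIDGE NETWORK/PREFIX
gen_bridge_rules() {
    br="$1"
    net="$2"
    case "$net" in
        */*) ;;
        *) echo "network must be in CIDR form, e.g. 192.168.122.0/24" >&2; return 1 ;;
    esac
    # Traffic that stays on the bridge (VM <-> VM) is accepted regardless of IP:
    # no address filtering inside the bridge. This rule matters because with
    # net.bridge.bridge-nf-call-iptables = 1 bridged frames also traverse FORWARD.
    $IPTABLES -A FORWARD -i "$br" -o "$br" -j ACCEPT
    # Traffic leaving the bridge (i.e. being routed) must come from the range.
    $IPTABLES -A FORWARD -s "$net" -i "$br" -j ACCEPT
    # Replies coming back in must be addressed to the range and belong to a flow
    # the VMs initiated.
    $IPTABLES -A FORWARD -d "$net" -o "$br" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Anything else crossing the bridge boundary is refused.
    $IPTABLES -A FORWARD -i "$br" -j REJECT
    $IPTABLES -A FORWARD -o "$br" -j REJECT
    # Masquerade only the range's own traffic, and only when it leaves the network.
    $IPTABLES -t nat -A POSTROUTING -s "$net" ! -d "$net" -j MASQUERADE
}

# Usage: sh bridge-rules.sh [BRIDGE] [NETWORK/PREFIX]
gen_bridge_rules "${1:-virbr0}" "${2:-192.168.122.0/24}"
```

Run it without `IPTABLES=iptables` first and read the printed rules: the only rules carrying an address are the three that cross the bridge boundary, which is exactly the routed traffic the message says IP matching is appropriate for.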