There is a bug in netcf-libs (https://bugzilla.redhat.com/show_bug.cgi?id=651032) which automatically sets "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT" if /proc/sys/net/bridge/bridge-nf-call-iptables == 1. I hit the bug last week, which drove me crazy...

On Wed, Mar 2, 2011 at 1:36 PM, Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> wrote:
> On 03/01/2011 06:03 PM, Shi Jin wrote:
>>
>> Hi there,
>>
>> I have been testing the Network Filter [1] feature of libvirt with KVM on
>> RHEL-5.6 and RHEL-6. On RHEL-5.6, it works well except that the $IP variable is
>> not supported, so the clean-filter cannot be used.
>>
>> The major problem I found on RHEL-6 is that the iptables rules introduced
>> by nwfilter do not prevent any traffic. The problem is that all traffic
>> going to the VM virtual NIC interface goes through the INPUT chain of
>> iptables instead of the supposed-to-be FORWARD chain (which is what the
>> nwfilter rules are working on), so none of the rules have any effect.
>>
>> I am not sure whether this is a libvirt problem or an iptables problem. But
>> it seems to me that, changing from RHEL-5.6 to RHEL-6, the network traffic
>> works differently.
>>
>> Has anyone had a similar experience? Any suggestions or comments are welcome.
>
> The libvirt log file probably would tell you something like this here:
>
> To enable iptables filtering for the VM do 'echo 1 >
> /proc/sys/net/bridge/bridge-nf-call-iptables'.
>
> Try that command and it should work. It became necessary due to changed
> default Linux kernel behaviour.
>
> Stefan
>
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
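The two failure modes discussed in this thread (bridged frames never reaching iptables when bridge-nf-call-iptables is 0, and a blanket physdev ACCEPT in FORWARD that the netcf bug inserts) can be audited from a sysctl value plus an iptables-save dump. The following check is an added example, not code from the thread or from libvirt/netcf; the function name, the return codes and the sample rule sets are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_bridge_filtering SYSCTL_VALUE IPTABLES_SAVE_TEXT
# Assumed helper (not part of libvirt or netcf). Returns:
#   0 - bridged VM traffic traverses FORWARD and no blanket physdev ACCEPT exists
#   1 - bridge-nf-call-iptables is not 1: bridged frames bypass iptables entirely
#   2 - FORWARD holds an unconditional ACCEPT for bridged traffic; if it is
#       evaluated before the nwfilter chains, the nwfilter rules never match
audit_bridge_filtering() {
    sysctl_value=$1
    rules=$2
    if [ "$sysctl_value" != "1" ]; then
        echo "bridge-nf-call-iptables=${sysctl_value:-missing}: bridged frames skip iptables, nwfilter rules cannot take effect"
        return 1
    fi
    # Look for a FORWARD rule that matches every bridged frame and accepts it.
    if printf '%s\n' "$rules" | grep -Eq '^-A FORWARD .*--physdev-is-bridged.* -j ACCEPT'; then
        echo "FORWARD contains a blanket ACCEPT for bridged traffic (see netcf bug 651032):"
        printf '%s\n' "$rules" | grep -E '^-A FORWARD .*--physdev-is-bridged.* -j ACCEPT'
        return 2
    fi
    echo "ok: bridged traffic is filtered and no blanket physdev ACCEPT is present"
    return 0
}

# Constructed sample: a FORWARD chain as the netcf bug would leave it.
BUGGY_RULES='-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample: the same chain without the blanket ACCEPT.
CLEAN_RULES='-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable'

# Offline demonstration against the constructed samples.
audit_bridge_filtering 0 "$BUGGY_RULES" || true
audit_bridge_filtering 1 "$BUGGY_RULES" || true
audit_bridge_filtering 1 "$CLEAN_RULES" || true

# On a live host (as root) the same check would read:
# audit_bridge_filtering "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" "$(iptables-save)"
```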