On 05/28/2014 05:13 PM, Brian Rak wrote:
>
> On 5/28/2014 10:10 AM, Laine Stump wrote:
>> On 05/27/2014 02:46 AM, Brian Rak wrote:
>>> Make sure you have:
>>>
>>> /proc/sys/net/bridge/bridge-nf-call-iptables = 1
>> That doesn't make sense. bridge-nf-call-iptables controls whether or not
>> traffic going across a Linux host bridge device will be sent through
>> iptables, but the rules created by nwfilter are applied to the "vnetX"
>> tap devices that connect the guest to the bridge, not to the bridge
>> itself.
> It may not make sense to you, but that is what's necessary for
> nwfilter to work. You can even look at the code:
>
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/nwfilter/nwfilter_ebiptables_driver.c;h=5cb0b74aaec2a659fb6e4b61502ef1322131c056;hb=HEAD#l3127
>

Once again showing how much attention I pay to details :-)

It still doesn't make sense, but you are correct.

(and to think that virt people have spent so much time complaining that
the bridge-nf-* settings should be *off*...)

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
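A quick way to verify the setting Brian points at before blaming nwfilter rules that appear to be ignored. This is an added example written for this page, not code from the thread or from libvirt. It assumes the sysctl is exposed at /proc/sys/net/bridge/bridge-nf-call-iptables (on kernels 3.18 and later that file only exists once the br_netfilter module is loaded, which is why "missing" is reported separately from "disabled"); the function takes an optional path argument so it can be exercised against a constructed file without root. The remediation function, the sysctl.d and modules-load.d file names, and the `--check` flag are my own conventions, not anything libvirt ships.

```shell
#!/bin/sh
# Added example, not part of the original thread or of libvirt.
# Reports whether net.bridge.bridge-nf-call-iptables is enabled, which the
# libvirt nwfilter ebiptables driver depends on (see the link in the thread).

# Default location of the knob. On kernels >= 3.18 the whole
# /proc/sys/net/bridge/ directory is absent until br_netfilter is loaded.
BRIDGE_NF=/proc/sys/net/bridge/bridge-nf-call-iptables

# bridge_nf_status [FILE]
# Prints one of: enabled, disabled, missing.
# FILE defaults to $BRIDGE_NF; passing a path lets the check run unprivileged
# against a constructed file.
bridge_nf_status() {
    f="${1:-$BRIDGE_NF}"
    if [ ! -r "$f" ]; then
        # No file: bridge netfilter hooks are not present in this kernel
        # (module not loaded or no bridge support), so nothing can be filtered.
        echo missing
        return 0
    fi
    case "$(cat "$f")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# enable_bridge_nf
# Root-only remediation for a "missing" or "disabled" result; not run by
# default. The /etc/sysctl.d and /etc/modules-load.d file names are an
# assumption of this example (any name in those directories works).
enable_bridge_nf() {
    modprobe br_netfilter 2>/dev/null || true
    sysctl -w net.bridge.bridge-nf-call-iptables=1
    printf 'net.bridge.bridge-nf-call-iptables = 1\n' \
        > /etc/sysctl.d/99-bridge-nf.conf
    printf 'br_netfilter\n' > /etc/modules-load.d/br_netfilter.conf
}

# Hypothetical CLI entry point: `sh check-bridge-nf.sh --check`
if [ "${1:-}" = "--check" ]; then
    echo "bridge-nf-call-iptables: $(bridge_nf_status)"
fi
```

Running it with `--check` on a host where nwfilter rules seem to have no effect tells you in one line whether the ebiptables rules can match at all; a "missing" result on a modern kernel almost always means br_netfilter was never loaded rather than that the sysctl was deliberately turned off.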