On Thursday 2008-08-07 11:16, Grant Taylor wrote:

> On 08/07/08 09:55, Charles Duffy wrote:
>
>> Perhaps I could also add a rule setting an appropriate mark in OUTPUT.
>> Not being able to communicate with the hosts from the local system is a
>> showstopper, however, and I'd prefer to avoid munging the routing tables
>> if possible to keep the patch to libvirt implementing this functionality
>> minimal. (Robust infrastructure is already in place for modifying
>> iptables rules for libvirt-managed networks; routing, not so much.)
>
> If you did get the rules in the PREROUTING and OUTPUT to work and they
> were the same, I'd suggest you put them in a common sub-chain and jump
> to it from both the PREROUTING and OUTPUT chains. This will make
> maintenance much easier down the road.

That of course won't work because Xtables does chain inspection and spots
the illegal use of SNAT in a chain which is referenced from PREROUTING.
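An added example, not part of the thread: a small Python model of the chain inspection mentioned above. It computes which built-in hooks can reach each user-defined chain by following jumps, then rejects any target that is not permitted from one of those hooks. The chain names, rules and the `reach_masks`/`validate` helpers are constructed for illustration and simplified from the kernel's own check; the per-target hook sets follow the nat targets' restrictions, so the model also shows that the shared chain's SNAT is rejected via OUTPUT as well, not only via PREROUTING.

```python
# Simplified, illustrative model of the Xtables chain inspection (constructed
# example; not the kernel's ip_tables.c code).
# Built-in chains of the nat table and the hook bit each one represents.
HOOKS = {"PREROUTING": 1, "INPUT": 2, "OUTPUT": 4, "POSTROUTING": 8}
# Hooks from which each target may legally be reached (as for the nat targets).
TARGET_HOOKS = {"SNAT": HOOKS["POSTROUTING"] | HOOKS["INPUT"],
                "DNAT": HOOKS["PREROUTING"] | HOOKS["OUTPUT"],
                "ACCEPT": sum(HOOKS.values())}

def reach_masks(chains):
    """Bitmask of built-in hooks that can reach each chain, found by following
    -j jumps into user chains to a fixed point. chains maps name -> rules,
    each rule being (match text, target-or-user-chain)."""
    masks = {name: HOOKS.get(name, 0) for name in chains}
    changed = True
    while changed:
        changed = False
        for name, rules in chains.items():
            for _match, target in rules:
                if target in chains and target not in HOOKS:
                    merged = masks[target] | masks[name]
                    if merged != masks[target]:
                        masks[target] = merged
                        changed = True
    return masks

def validate(chains):
    """Return (chain, target, offending hooks) for every rule whose target is
    reachable from a hook it is not allowed in; an empty list means OK."""
    masks = reach_masks(chains)
    errors = []
    for name, rules in chains.items():
        for _match, target in rules:
            allowed = TARGET_HOOKS.get(target)
            if allowed is None:  # jump into a user chain; covered via masks
                continue
            bad = masks[name] & ~allowed
            if bad:
                errors.append((name, target,
                               [h for h, bit in HOOKS.items() if bad & bit]))
    return errors

# Constructed ruleset mirroring the thread: one shared sub-chain jumped to from
# both PREROUTING and OUTPUT, with an SNAT rule inside it.
SHARED_SNAT = {
    "PREROUTING": [("-i virbr0", "libvirt-shared")],
    "OUTPUT": [("-o virbr0", "libvirt-shared")],
    "POSTROUTING": [],
    "libvirt-shared": [("-d 192.168.122.0/24", "SNAT")],
}
```

Running `validate(SHARED_SNAT)` reports the SNAT rule as reachable from both PREROUTING and OUTPUT; swapping the target for DNAT, or jumping to the chain from POSTROUTING only, passes the check.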