On Wednesday 2012-08-08 19:27, Stewart Middleton wrote:

> http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaat/liaatkvmsecnetfilter.htm
> """Netfilter, although allowing the use of iptables to create layer 3
> filtering rules, is also seen as a security risk for guest isolation because
> Netfilter processing sometimes occurs on a global context (without
> distinction of a source layer 2 port). """
>
> So I would be interested in any advice in terms of:
>
> 1) Is the IBM info outdated?

Yes it is. -j CT --zone and -m physdev should be used to resolve the "problem".

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
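As an added illustration of the reply above (this script is not part of the original thread and is not IBM's or the netfilter project's code), the following shell script builds the two rule sets the answer refers to: `-j CT --zone` in the raw table gives every guest its own conntrack zone, so entries from different bridge ports no longer collide in one global table, and `-m physdev` in FORWARD restricts bridged traffic from a guest port to the uplink port only. The bridge, uplink and tap interface names (br0-style setup with eth0, vnet0, vnet1) and the guest addresses 192.0.2.10/11 are assumptions; the script needs br_netfilter (net.bridge.bridge-nf-call-iptables=1) so iptables sees bridged frames, and the reply-direction zone rule matches on the guest's destination address, which assumes guests do not share addresses on the same bridge. Set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Constructed example: per-guest conntrack zones plus bridge-port isolation
# with iptables. IPT defaults to iptables; IPT=echo prints the rules instead.
# Interface names (eth0, vnet0, vnet1) and guest addresses are assumptions.
IPT="${IPT:-iptables}"

# guest_zone_rules UPLINK ZONE TAP GUEST_IP
# Raw-table rules that place one guest's connections in their own conntrack
# zone: by ingress bridge port for guest-originated packets, and by
# destination address for replies arriving through the uplink port.
# (physdev match needs br_netfilter; CT target is raw-table only.)
guest_zone_rules() {
    uplink=$1; zone=$2; tap=$3; ip=$4
    $IPT -t raw -A PREROUTING -m physdev --physdev-in "$tap" -j CT --zone "$zone"
    $IPT -t raw -A PREROUTING -m physdev --physdev-in "$uplink" -d "$ip" -j CT --zone "$zone"
}

# guest_isolation_rules UPLINK TAP
# Bridged frames may pass only between this guest port and the uplink;
# anything bridged from the guest port elsewhere (another guest) is dropped.
guest_isolation_rules() {
    uplink=$1; tap=$2
    $IPT -A FORWARD -m physdev --physdev-is-bridged --physdev-in "$tap" --physdev-out "$uplink" -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-is-bridged --physdev-in "$uplink" --physdev-out "$tap" -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-is-bridged --physdev-in "$tap" -j DROP
}

# build_ruleset UPLINK "TAP:GUEST_IP" ...
# Assigns zone numbers 1, 2, ... in argument order (zone 0 is the default
# zone, so it is never handed to a guest) and emits both rule sets per guest.
build_ruleset() {
    uplink=$1; shift
    n=0
    for spec in "$@"; do
        n=$((n + 1))
        guest_zone_rules "$uplink" "$n" "${spec%%:*}" "${spec#*:}"
        guest_isolation_rules "$uplink" "${spec%%:*}"
    done
}
```

Run it as `IPT=echo sh zones.sh` after adding a `build_ruleset eth0 vnet0:192.0.2.10 vnet1:192.0.2.11` call to see the generated rules; without IPT=echo it applies them with iptables and needs root. Zone numbers are per-bridge-port here, which is the distinction of a source layer 2 port that the quoted IBM text says plain conntrack lacks.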