[libvirt-users] nwfilter usage

Daniel P. Berrange berrange at redhat.com
Wed May 28 14:28:22 UTC 2014


On Wed, May 28, 2014 at 10:13:14AM -0400, Brian Rak wrote:
> 
> On 5/28/2014 10:10 AM, Laine Stump wrote:
> >On 05/27/2014 02:46 AM, Brian Rak wrote:
> >>Make sure you have:
> >>
> >>/proc/sys/net/bridge/bridge-nf-call-iptables = 1
> >That doesn't make sense. bridge-nf-call-iptables controls whether or not
> >traffic going across a Linux host bridge device will be sent through
> >iptables, but the rules created by nwfilter are applied to the "vnetX"
> >tap devices that connect the guest to the bridge, not to the bridge itself.
> It may not make sense to you, but that is what's necessary for nwfilter to
> work.  You can even look at the code:
> 
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/nwfilter/nwfilter_ebiptables_driver.c;h=5cb0b74aaec2a659fb6e4b61502ef1322131c056;hb=HEAD#l3127

You are both right and both wrong :-P

The nwfilter code does need nf-call-iptables==1, but if-and-only-if
the nwfilter rule specified in the XML is filtering at the IPv4/IPv6
layer protocol. Any rules which are ethernet layer don't care about
these sysctl settings.

See this:

  http://libvirt.org/formatnwfilter.html#nwfelemsRulesProto

mac, vlan, stp, arp, rarp, ipv4 and ipv6 protocols are all done at
the ethernet layer.  tcp, udp, sctp, icmp, igmp, esp, ah, udplite
(and their IPv6 variants) are all done at the IP layer.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
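A small check, added here as an example and not code from libvirt or from anyone in the thread, that sorts the rules of an nwfilter definition into the two groups Daniel lists and consults the bridge-nf sysctl only when an IP-layer rule is present. The filter XML is constructed for the example; the IPv6 protocol names are the ones used in libvirt's nwfilter documentation.

```python
import xml.etree.ElementTree as ET

# Protocols named in the reply: libvirt applies the first group with ebtables
# on the tap device, the second with iptables/ip6tables, which only see
# bridged traffic when bridge-nf-call-iptables / -ip6tables is 1.
ETHERNET_LAYER = {"mac", "vlan", "stp", "arp", "rarp", "ipv4", "ipv6"}
IP_LAYER = {"tcp", "udp", "sctp", "icmp", "igmp", "esp", "ah", "udplite",
            "tcp-ipv6", "udp-ipv6", "sctp-ipv6", "icmpv6", "esp-ipv6",
            "ah-ipv6", "udplite-ipv6"}  # IPv6 names per the libvirt docs

# Constructed sample: one ethernet-layer rule, one IP-layer rule and a
# filterref that cannot be resolved without asking libvirt.
SAMPLE_FILTER_XML = """\
<filter name='example-mixed' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' srcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='in' priority='500'>
    <tcp dstportstart='22'/>
  </rule>
</filter>
"""

def classify_rules(filter_xml):
    """Return (ethernet_protocols, ip_protocols, unresolved_filterref_names)."""
    root = ET.fromstring(filter_xml)
    eth, ip = set(), set()
    for rule in root.iter("rule"):
        for proto in rule:  # each child of <rule> is one protocol element
            if proto.tag in ETHERNET_LAYER:
                eth.add(proto.tag)
            elif proto.tag in IP_LAYER:
                ip.add(proto.tag)
            else:
                raise ValueError("unknown nwfilter protocol: %s" % proto.tag)
    refs = {ref.get("filter") for ref in root.iter("filterref")}
    return eth, ip, refs

def needs_bridge_nf_call(filter_xml):
    """True if any rule in this filter is evaluated by iptables/ip6tables."""
    return bool(classify_rules(filter_xml)[1])

def read_sysctl(path="/proc/sys/net/bridge/bridge-nf-call-iptables"):
    """Current sysctl value, or None if absent (e.g. br_netfilter not loaded)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None
```

Referenced filters (the `filterref` names returned third) are not expanded here, so a filter that only pulls in `clean-traffic` or similar still has to be checked by inspecting the referenced definition.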