search for: nwfilter_ebiptables_driv

On 05/27/2014 02:46 AM, Brian Rak wrote: > Make sure you have: > > /proc/sys/net/bridge/bridge-nf-call-iptables = 1 That doesn't make sense. bridge-nf-call-iptables controls whether or not traffic going across a Linux host bridge device will be sent through iptables, but the rules created by nwfilter are applied to the "vnetX" tap devices that connect the guest to the

...er are applied to the "vnetX" > tap devices that connect the guest to the bridge, not to the bridge itself. It may not make sense to you, but that is what's necessary for nwfilter to work. You can even look at the code: http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/nwfilter/nwfilter_ebiptables_driver.c;h=5cb0b74aaec2a659fb6e4b61502ef1322131c056;hb=HEAD#l3127 >> On 5/26/2014 1:35 PM, Matt LaPlante wrote: >>> I'm trying to accomplish what I had hoped would be a fairly simple >>> filtering of traffic to my VMs, but I'm hitting a snag. The VMs are >>> al...