Displaying 6 results from an estimated 6 matches for "postrouting_direct".
2018 Aug 15
0
Docker + firewalld
...of the Docker containers. I ran the following command:
firewall-cmd --direct --permanent --add-rule ipv4 nat POSTROUTING 0 -i
br+ -o eth0 -s 172.16.26.0/24 -j ACCEPT
However, the firewall rules for NAT are:
-A POSTROUTING -s 172.16.26.0/24 ! -o br-ee1ac3f6bbaf -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING_direct -s 172.16.26.0/24 -i br+ -o eth0 -j ACCEPT
With this, it always goes via MASQUERADE first, without hitting the
POSTROUTING_direct chain. Is there a way to add this rule on top of
POSTROUTING?
Regards,
2018 Dec 29
1
Re: Network filters with clean-traffic not working on Debian Stretch
...> Bridge table: nat
>
> Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
> -j PREROUTING_direct
> -i vnet0 -j libvirt-I-vnet0
>
> Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
> -j OUTPUT_direct
>
> Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
> -j POSTROUTING_direct
> -o vnet0 -j libvirt-O-vnet0
>
> Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN
>
> Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN
>
> Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN
>
> Bridge chain: libvirt-I-vnet0, entries: 9, po...
2018 Dec 25
2
Network filters with clean-traffic not working on Debian Stretch
Hello,
I recently stumbled over the libvirt network filter capabilities and
got pretty excited. Unfortunately I'm not able to get the
"clean-traffic" filterset working. I'm using a freshly installed Debian
Stretch with libvirt, qemu and KVM.
My config snippet looks as follows:
sudo virsh edit <VM>
[...]
<interface type='bridge'>
<mac
2018 Dec 29
0
Re: Network filters with clean-traffic not working on Debian Stretch
...mand, and it looks as below:
# ebtables -t nat --list
Bridge table: nat
Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-j PREROUTING_direct
-i vnet0 -j libvirt-I-vnet0
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-j OUTPUT_direct
Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT
-j POSTROUTING_direct
-o vnet0 -j libvirt-O-vnet0
Bridge chain: PREROUTING_direct, entries: 0, policy: RETURN
Bridge chain: POSTROUTING_direct, entries: 0, policy: RETURN
Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN
Bridge chain: libvirt-I-vnet0, entries: 9, policy: ACCEPT
-j I-vnet0-mac
-p IPv4 -j I-vnet...
2016 Jul 17
0
firewalld cloud-init dhcp error
...d [9/120s]:
unexpected error ['NoneType' object has no attribute 'status_code']
# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING_direct">-s
192.168.1.5 -o eth0 -j SNAT --to 153.153.xxx.xxx</rule>
<rule priority="0" table="nat" ipv="ipv4" chain="PREROUTING_direct">-s
153.153.xxx.xxx -o eth0 -j DNAT --to 192.168.1.5</rule>
</direct>
# firewall-cmd --zone=exter...
2016 Jul 14
2
CentOS7 firewalld problem
...ul 14 07:40 external.xml.old
-rw-r--r--. 1 root root 315 Jun 1 06:04 public.xml
[root@biz103 ~]# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING_direct">-s 192.168.1.5 -o eth0 -j SNAT --to 153.153.xxx.xxx</rule>
</direct>
[root@biz103 ~]# cat /etc/firewalld/zones/external.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>External</short>
<description>For use on ext...