I test the following simple filter

<filter name='nwfilter-test-fedora2' chain='root'>
  <uuid>ccbd255f-4be5-4f0f-8835-770ea40cb2c9</uuid>
  <rule action='accept' direction='out' priority='500'>
    <tcp dstipaddr='10.1.24.0' dstipmask='24' comment='test test test'/>
  </rule>
</filter>

but I get strange results (look at the attached output of iptables-save)

For me it looks like the direction='out' filters are attached to every
chain for this domain. Additionally, there are wrong conntrack, state and
ctdir matches.

Is this a bug or my fault?

/stephan

-- 
Software is like sex, it's better when it's free!
# Generated by iptables-save v1.4.7 on Wed Feb 19 20:19:32 2014
*filter
:INPUT ACCEPT [505:35572]
:FORWARD ACCEPT [978:118388]
:OUTPUT ACCEPT [443:79948]
:FI-veth0-fedora2 - [0:0]
:FO-veth0-fedora2 - [0:0]
:HI-veth0-fedora2 - [0:0]
:libvirt-host-in - [0:0]
:libvirt-in - [0:0]
:libvirt-in-post - [0:0]
:libvirt-out - [0:0]
-A INPUT -j libvirt-host-in 
-A FORWARD -j libvirt-in 
-A FORWARD -j libvirt-out 
-A FORWARD -j libvirt-in-post 
-A FI-veth0-fedora2 -d 10.1.24.0/24 -p tcp -m state --state NEW,ESTABLISHED -m conntrack --ctdir ORIGINAL -m comment --comment "test test test" -j RETURN
-A FO-veth0-fedora2 -s 10.1.24.0/24 -p tcp -m state --state ESTABLISHED -m conntrack --ctdir REPLY -m comment --comment "test test test" -j ACCEPT
-A HI-veth0-fedora2 -d 10.1.24.0/24 -p tcp -m state --state NEW,ESTABLISHED -m conntrack --ctdir ORIGINAL -m comment --comment "test test test" -j RETURN
-A libvirt-host-in -m physdev --physdev-in veth0-fedora2 -g HI-veth0-fedora2 
-A libvirt-in -m physdev --physdev-in veth0-fedora2 -g FI-veth0-fedora2 
-A libvirt-in-post -m physdev --physdev-in veth0-fedora2 -j ACCEPT 
-A libvirt-out -m physdev --physdev-out veth0-fedora2 --physdev-is-bridged -g FO-veth0-fedora2
COMMIT
# Completed on Wed Feb 19 20:19:32 2014
_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
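A small audit script, added here and not part of the post or of libvirt, that parses the iptables-save output above and reports, for every rule carrying a given comment, which per-interface chain (FI-/FO-/HI-) it landed in, how that chain is dispatched to (--physdev-in or --physdev-out from which libvirt chain) and which state/ctdir matches it carries. The sample dump is the post's own output with the wrapped lines joined; the function and variable names are the script's own.

```python
import re
import shlex

# Constructed sample: the per-interface part of the iptables-save dump quoted
# in the post, with the wrapped lines joined back together.
IPTABLES_SAVE = """
-A FI-veth0-fedora2 -d 10.1.24.0/24 -p tcp -m state --state NEW,ESTABLISHED -m conntrack --ctdir ORIGINAL -m comment --comment "test test test" -j RETURN
-A FO-veth0-fedora2 -s 10.1.24.0/24 -p tcp -m state --state ESTABLISHED -m conntrack --ctdir REPLY -m comment --comment "test test test" -j ACCEPT
-A HI-veth0-fedora2 -d 10.1.24.0/24 -p tcp -m state --state NEW,ESTABLISHED -m conntrack --ctdir ORIGINAL -m comment --comment "test test test" -j RETURN
-A libvirt-host-in -m physdev --physdev-in veth0-fedora2 -g HI-veth0-fedora2
-A libvirt-in -m physdev --physdev-in veth0-fedora2 -g FI-veth0-fedora2
-A libvirt-in-post -m physdev --physdev-in veth0-fedora2 -j ACCEPT
-A libvirt-out -m physdev --physdev-out veth0-fedora2 --physdev-is-bridged -g FO-veth0-fedora2
"""

def parse_rules(dump):
    """Return [(chain, tokens)] for every -A line; shlex keeps quoted comments whole."""
    rules = []
    for line in dump.splitlines():
        tokens = shlex.split(line.strip())
        if len(tokens) > 2 and tokens[0] == "-A":
            rules.append((tokens[1], tokens[2:]))
    return rules

def opt(tokens, name):
    """Value following option `name`, or None if the rule does not use it."""
    if name not in tokens:
        return None
    i = tokens.index(name) + 1
    return tokens[i] if i < len(tokens) else None

def entry_points(rules):
    """Map each FI-/FO-/HI- chain to the (parent chain, physdev option, iface) dispatching to it."""
    entry = {}
    for chain, tokens in rules:
        target = opt(tokens, "-g") or opt(tokens, "-j")
        if target and re.match(r"(FI|FO|HI)-", target):
            for physdev in ("--physdev-in", "--physdev-out"):
                if opt(tokens, physdev):
                    entry[target] = (chain, physdev, opt(tokens, physdev))
    return entry

def audit_comment(dump, comment):
    """Where each rule tagged `comment` ended up and which state/ctdir matches it got."""
    rules = parse_rules(dump)
    entry = entry_points(rules)
    return [{"chain": chain, "reached_via": entry.get(chain),
             "src": opt(t, "-s"), "dst": opt(t, "-d"), "state": opt(t, "--state"),
             "ctdir": opt(t, "--ctdir"), "target": opt(t, "-j")}
            for chain, t in rules if opt(t, "--comment") == comment]
```

Running `audit_comment(IPTABLES_SAVE, "test test test")` on the post's dump lists the three chains the rule was expanded into, so the FI/HI entries (via --physdev-in, ctdir ORIGINAL) can be told apart from the FO entry (via --physdev-out, state ESTABLISHED, ctdir REPLY) without reading the raw lines.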