Hi Dan,
On Thu, 2007-04-05 at 02:44 +0100, Daniel P. Berrange wrote:
Warning, this is a long complicated email with lots of horrible details :-)
I've long been a little confused with the way iptables bridging interacts,
so set out to do some experiments. I added a -j LOG rule to every
On Thu, Apr 05, 2007 at 02:44:46AM +0100, Daniel P. Berrange wrote:
Warning, this is a long complicated email with lots of horrible details :-)
That reminds me that we really ought to have a page in the documentation
providing more high level explanations of the virtual network capabilities
Daniel P. Berrange wrote:
Chain INPUT (policy ACCEPT 76724 packets, 366M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- vnet2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp --
On Thu, Apr 05, 2007 at 08:28:57AM +0100, Mark McLoughlin wrote:
Hi Dan,
On Thu, 2007-04-05 at 02:44 +0100, Daniel P. Berrange wrote:
Warning, this is a long complicated email with lots of horrible details
:-)
I've long been a little confused with the way iptables bridging
Daniel P. Berrange wrote:
[...]
Scenario 2: Virtual network
===
net.bridge.bridge-nf-call-iptables = 1
As far as I could tell, this case is exactly the same as scenario 1,
except PHYSIN is available.
Type 1: Isolated virtual network
On Thu, Apr 05, 2007 at 11:38:42AM +0100, Richard W.M. Jones wrote:
Daniel P. Berrange wrote:
[...]
Scenario 2: Virtual network
===
net.bridge.bridge-nf-call-iptables = 1
As far as I could tell, this case is exactly the same as scenario 1,
except PHYSIN is
On Thu, 2007-04-05 at 11:55 +0100, Daniel P. Berrange wrote:
On Thu, Apr 05, 2007 at 11:38:42AM +0100, Richard W.M. Jones wrote:
Daniel P. Berrange wrote:
[...]
Scenario 2: Virtual network
===
net.bridge.bridge-nf-call-iptables = 1
As far as I could
On Thu, Apr 05, 2007 at 11:43:56AM +0100, Richard W.M. Jones wrote:
BTW, while researching 'net.bridge.bridge-nf-call-iptables', I came
across this scary diagram:
http://l7-filter.sourceforge.net/PacketFlow.png
Be sure to resize your browser window to the maximum it will go :-)
Haha I
Hi Dan,
Only getting around to looking at this now ...
This all looks perfectly reasonable to me. I don't see a good reason
why you shouldn't just go ahead with this next time we feel like
de-stabilising the tree for a while.
The only downside is things might break a
On Thu, Apr 05, 2007 at 11:55:30AM +0100, Daniel P. Berrange wrote:
On Thu, Apr 05, 2007 at 11:38:42AM +0100, Richard W.M. Jones wrote:
Type 1: Isolated virtual network
Chain POSTROUTING (policy ACCEPT 273 packets, 26341 bytes)
pkts bytes target
On Thu, Apr 05, 2007 at 08:28:57AM +0100, Mark McLoughlin wrote:
On Thu, 2007-04-05 at 02:44 +0100, Daniel P. Berrange wrote:
I guess the two main differences are 1) avoid physdev based rules
because they don't work with net.bridge.bridge-nf-call-iptables = 1 and
2) use network address
11 matches