[pve-devel] [PATCH] disable iptables filter on bridge
Alexandre DERUMIER
aderumier at odiso.com
Wed Mar 7 12:18:28 CET 2012
I found an interesting article here:
http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg11831.html
"One reason for running a bridge is that you are using KVM. On FC15 with
KVM under libvirt, you must include this in your /etc/shorewall/init file:
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
Beginning with Shorewall 4.4.20, Shorewall will set that for you when
you define an interface with the 'bridge' option."
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Lars Wilke" <lw at lwilke.de>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday, 7 March 2012 12:07:40
Subject: Re: [pve-devel] [PATCH] disable iptables filter on bridge
Hi, do you filter traffic between VMs in the same bridge?
----- Original Message -----
From: "Lars Wilke" <lw at lwilke.de>
To: pve-devel at pve.proxmox.com
Sent: Wednesday, 7 March 2012 12:03:56
Subject: Re: [pve-devel] [PATCH] disable iptables filter on bridge
Hi,
Sorry if this is a dumb question, but what happens with this patch applied when
I use i.e. shorewall to filter on a bridge (vmbrXY)?
Thanks
--lars
* Derumier Alexandre wrote:
>
> Signed-off-by: Derumier Alexandre <aderumier at odiso.com>
> ---
> debian/rules | 1 +
> debian/sysctl.conf | 4 ++++
> 2 files changed, 5 insertions(+), 0 deletions(-)
> create mode 100644 debian/sysctl.conf
>
> diff --git a/debian/rules b/debian/rules
> index a999d9b..a433c17 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -26,6 +26,7 @@ override_dh_install:
> # we do not install this, because we don't want to break
> # existing tools which parse syslog entries
> #install -m 0644 -D debian/pve-rsyslog.conf debian/pve-cluster/etc/rsyslog.d/pve-rsyslog.conf
> + install -m 0644 -D debian/sysctl.conf debian/pve-cluster/etc/sysctl.d/pve.conf
>
> override_dh_installinit:
>
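Review bot: the added install line at the end of override_dh_install only drops the file into /etc/sysctl.d/pve.conf; nothing in this patch applies it, so on upgrade a running host keeps its current bridge-nf values until the next boot or a manual sysctl reload. The net.bridge.* keys also exist only once the bridge module is loaded, so a boot-time apply may run before they are present. Consider applying the file from the package's postinst (tolerating missing keys) and stating in the changelog when the setting takes effect. The file also lands in the pve-cluster package under the unprefixed name pve.conf, which leaves its ordering relative to other sysctl.d files implicit; a numeric prefix would make that explicit.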
> diff --git a/debian/sysctl.conf b/debian/sysctl.conf
> new file mode 100644
> index 0000000..59bfce5
> --- /dev/null
> +++ b/debian/sysctl.conf
> @@ -0,0 +1,4 @@
> +net.bridge.bridge-nf-call-ip6tables = 0
> +net.bridge.bridge-nf-call-iptables = 0
> +net.bridge.bridge-nf-call-arptables = 0
> +net.bridge.bridge-nf-filter-vlan-tagged = 0
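Review bot: all four keys in the new debian/sysctl.conf are set to 0 with no comment in the file, and the commit message carries only a Signed-off-by, so the reason for the change and its security effect are undocumented. With bridge-nf-call-iptables, bridge-nf-call-ip6tables and bridge-nf-call-arptables at 0, bridged frames no longer traverse the host's iptables, ip6tables and arptables chains, so host rules that filter traffic between guests on the same bridge stop matching without any error. Please add a comment in the file saying so, and consider shipping this as a documented default that admins who filter on vmbr interfaces can override with a later sysctl.d file, rather than as an unconditional package setting.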
> --
> 1.7.2.5
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
--
Alexandre Derumier
Systems Engineer
Landline: 03 20 68 88 90
Fax: 03 20 68 90 81
45 Bvd du Général Leclerc 59100 Roubaix - France
12 rue Marivaux 75002 Paris - France