> container to container?
> > venet0->venet0?
> Yes, we also want to filter container to container traffic.
> Damn, I haven't tested this case. We should really have some regression tests, but I do not know of a tool to simulate iptables? We can write a simple simulator ourselves, but that is a lot of work :-/