I use the common arrangement of plugging UML tap devices into a
virtual bridge. I only want to use one IP address per UML, so
I do something like this (could be simplified):
    ifconfig tap0 1.2.3.4
    boot-uml-here with eth0=tap0
    ifconfig tap0 0.0.0.0 promisc up
    brctl addif br0 tap0
    ip link set tap0 up
Now when I ifconfig eth0 inside the UML everything can ping everything
else. There is no need for an IP on the bridge device.
Problem: iptables rules for tap0 do not take effect. Something like:
    iptables -A INPUT -i tap0 -p icmp -j DROP
does nothing. iptables -L -v shows the counters incrementing. Looking at
the code for the tuntap device and comparing with real devices it seems
this should work. I don't think netfilter has any way of distinguishing
real from virtual ethernets even if it wanted to.
--
Dan Shearer
dan@xxxxxxxxxxx
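Added example, not part of Dan's post: a small script showing where a filter for a bridged tap port actually has to live. A frame arriving on tap0 and forwarded by br0 to another port never enters the host's INPUT chain; it takes the bridge forwarding path, so an INPUT rule keyed on `-i tap0` only matches traffic addressed to the host itself. With bridge netfilter enabled (sysctl `net.bridge.bridge-nf-call-iptables`) bridged frames are handed to iptables' FORWARD chain, where the ingress port is matched with `-m physdev --physdev-in`; without it, ebtables filters them. The bridge name br0, the tap name, and the `run` entry point are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes bridge br0 exists and
# that the tap device name is passed as an argument.
set -eu

# True when the kernel passes bridged frames through iptables
# (older kernels: built into the bridge code; newer: br_netfilter module).
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print (do not run) the rule that drops ICMP entering the bridge from $1.
# $2 selects the tool: "iptables" needs bridge-nf, "ebtables" does not.
# Either way the chain is FORWARD: bridged frames bypass INPUT entirely.
drop_icmp_rule() {
    tap=$1
    if [ "${2:-ebtables}" = "iptables" ]; then
        echo "iptables -A FORWARD -m physdev --physdev-in $tap -p icmp -j DROP"
    else
        echo "ebtables -A FORWARD -i $tap -p IPv4 --ip-protocol icmp -j DROP"
    fi
}

# Pick the tool that will actually see bridged traffic on this kernel.
filter_tool() {
    if bridge_nf_enabled; then echo iptables; else echo ebtables; fi
}

# Attach a tap port to br0 with no IP of its own (same steps as the post)
# and install the drop rule in the chain that bridged frames traverse.
attach_and_filter() {
    tap=$1
    ifconfig "$tap" 0.0.0.0 promisc up
    brctl addif br0 "$tap"
    ip link set "$tap" up
    rule=$(drop_icmp_rule "$tap" "$(filter_tool)")
    echo "installing: $rule"
    sh -c "$rule"
}

# Usage: sh filter-tap.sh run tap0   (needs root; no arguments = define only)
if [ "${1:-}" = "run" ]; then
    attach_and_filter "${2:-tap0}"
fi
```

Running it with `run tap0` does the attach and prints the rule it chose; calling `drop_icmp_rule tap0 iptables` on its own shows the FORWARD/physdev form without touching the system, which is the quickest way to check that a rule set is aimed at the right chain.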