On Tuesday 24 February 2004 08:31, Dan Shearer wrote:
> I use the common arrangement of plugging UML tap devices into a
> virtual bridge. I only want to use one IP address per UML, so
> I do something like this (could be simplified):
>
> ifconfig tap0 1.2.3.4
> boot-uml-here with eth0=tap0
> ifconfig tap0 0.0.0.0 promisc up
> brctl addif br0 tap0
> ip link set tap0 up
>
> Now when I ifconfig eth0 inside the UML everything can ping everything
> else. There is no need for an IP on the bridge device.
>
> Problem: iptables rules for tap0 do not take effect. Something like:
>
> iptables -A INPUT -i tap0 -p icmp -j DROP
>
> does nothing. iptables -L -v shows the counters incrementing. Looking
> at the code for the tuntap device and comparing with real devices it
> seems this should work. I don't think netfilter has any way of
> distinguishing real from virtual ethernets even if it wanted to.
Bridging happens at layer 2; your rule there is a layer 3 rule. You'll
either need to use ebtables [1] (Ethernet bridging tables) or take a look
into some of the new MAC filters/extensions for iptables.
David
1 - http://ebtables.sourceforge.net/
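As an added example (not part of either message above), the layer-2 equivalent of the quoted iptables rule using ebtables, plus the physdev-based iptables alternative; it assumes the quoted setup (tap0 enslaved to br0) and takes DRY_RUN=1 to print the commands instead of running them:

```shell
#!/bin/sh
# Added example, not from the thread: drop ICMP arriving on bridge port
# tap0 at layer 2. Assumes tap0 is enslaved to br0 as in the quoted setup.
# DRY_RUN=1 prints the commands; otherwise they run and need root.
set -e

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Bridged frames are switched at layer 2 and never reach the iptables
# INPUT chain of the host, which is why the quoted rule does nothing.
# A frame entering on tap0 and leaving on another bridge port traverses
# the ebtables FORWARD chain of the filter table.
ebtables_drop_icmp() {
    port="$1"
    run ebtables -A FORWARD -i "$port" -p IPv4 --ip-proto icmp -j DROP
}

# Staying with iptables instead: the physdev match identifies the bridge
# port a packet came in on. It only sees bridged traffic when
# bridge-nf-call-iptables is enabled, and such packets hit FORWARD, not
# INPUT.
iptables_physdev_drop_icmp() {
    port="$1"
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -A FORWARD -m physdev --physdev-in "$port" -p icmp -j DROP
}

# Per-rule counters (--Lc) confirm that the rule is actually matching.
show_counters() {
    run ebtables -L FORWARD --Lc
}

if [ "${EXAMPLE_MAIN:-0}" = "1" ]; then
    ebtables_drop_icmp tap0
    show_counters
fi
```

Run with EXAMPLE_MAIN=1 as root to apply the ebtables rule and list its counters; with DRY_RUN=1 as well it only prints what would be executed.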