
Re: [uml-user] tap devices on virtual bridge: msg#00291

Subject: Re: [uml-user] tap devices on virtual bridge
Dan Shearer wrote:

> Now when I ifconfig eth0 inside the UML everything can ping everything
> else. There is no need for an IP on the bridge device.
>
> Problem: iptables rules for tap0 do not take effect. Something like:
>
> iptables -A INPUT -i tap0 -p icmp -j DROP
>
> does nothing. iptables -L -v shows the counters incrementing. Looking at
> the code for the tuntap device and comparing with real devices it seems
> this should work. I don't think netfilter has any way of distinguishing
> real from virtual ethernets even if it wanted to.
>
I think I can help here.

Are you using ebtables? You might need to do so. (I always use
ebtables, so I am not sure if this works without it, but it might).

If the bridge (BR0 ?) doesn't have an IP address, then you
won't have any bridge traffic appearing on the INPUT chain.

How about trying this instead:

iptables -A FORWARD -m physdev --physdev-in tap0 -p icmp -j DROP
            ^^^^^^^ ^^ ^^^^^^^ ^^^^^^^^^^^^

or
iptables -m physdev --help

If this doesn't help, you might want to re-ask your question
on the netfilter-user or ebtables-user mailing lists, or
look at the ebtables documentation (which describes some iptables too).

Robbie at microbus dot com.
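The point of the reply above is that a tap device enslaved to an IP-less bridge is switched, not routed, so its traffic never reaches INPUT and the physical ingress port has to be matched with the physdev module in FORWARD. The script below is an added example, not from the thread or the UML project: it checks whether an interface is a bridge port via the kernel's sysfs layout (/sys/class/net/IFACE/brport exists only for enslaved ports; the `master` symlink on newer kernels names the bridge) and prints the rule that actually applies. SYSFS_ROOT is a hypothetical parameter added so the logic can be exercised against a fake tree without touching a real firewall.

```shell
#!/bin/sh
# Added example (not part of the original thread): pick the iptables chain and
# match that will see ICMP arriving on an interface, depending on whether the
# interface is a bridge port. SYSFS_ROOT is a hypothetical override so the
# checks can be run against a constructed directory tree instead of real sysfs.
#
# Caveat on current kernels: bridged traffic only traverses iptables at all when
# the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables=1.

SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# is_bridge_port IFACE -> exit 0 if IFACE is enslaved to a bridge.
is_bridge_port() {
    [ -d "$SYSFS_ROOT/$1/brport" ]
}

# bridge_name IFACE -> print the bridge IFACE belongs to (empty if none).
# Newer kernels expose a 'master' symlink; older ones only brport/bridge.
bridge_name() {
    if [ -L "$SYSFS_ROOT/$1/master" ]; then
        basename "$(readlink "$SYSFS_ROOT/$1/master")"
    elif [ -L "$SYSFS_ROOT/$1/brport/bridge" ]; then
        basename "$(readlink "$SYSFS_ROOT/$1/brport/bridge")"
    fi
}

# drop_icmp_rule IFACE -> print the iptables command that matches ICMP
# entering through IFACE.
#   bridge port: frames are switched, so they only pass FORWARD; iptables
#                sees the bridge as the interface, and the tap has to be
#                matched as the physical ingress port with -m physdev.
#   plain NIC:   packets for this host hit INPUT, and -i works as expected.
drop_icmp_rule() {
    iface="$1"
    if is_bridge_port "$iface"; then
        echo "iptables -A FORWARD -m physdev --physdev-in $iface -p icmp -j DROP"
    else
        echo "iptables -A INPUT -i $iface -p icmp -j DROP"
    fi
}

# Usage: ./bridge_rule.sh tap0 eth1 ...  (prints a rule per interface)
if [ $# -gt 0 ]; then
    for i in "$@"; do
        drop_icmp_rule "$i"
    done
fi
```

Run it against the live machine with no SYSFS_ROOT set and it reads the real /sys/class/net tree; for the tap0-on-br0 setup from the thread it prints the FORWARD/physdev rule, while a routed interface gets the plain INPUT rule. The script only prints commands and never applies them, so it can be used to double-check which chain a rule belongs in before touching the firewall.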
