On Wed, Mar 11, 2015 at 8:03 PM, Fiedler Roman <roman.fied...@ait.ac.at> wrote:

> But the current issue is different: The guest can snoop on the NFLOG messages
> generated on host and destined for the host and hence can get knowledge of ANY
> NFLOGed connection of host or any guest, no matter if on same bridge or
> another one.
Ah, sorry, I misunderstood your problem. All I can say is that it works for me on my simple test. I have ulogd2 on both host and guest, and if you look at my iptables command on the host and guest, they are almost identical (including the nflog group) except for chain names (forward/input/output). The logged packets are from the correct one (the one inside the container has in/out=eth0, while the one on the host has in/out=br0).

That was on Ubuntu 14.10 (kernel 3.16) with lxc-1.1 from the daily PPA, so you might want to try that before filing a bug report to Ubuntu.

--
Fajar

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
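A quick way to turn the check Fajar describes (container logs show only eth0, host logs show only br0) into something you can run against ulogd2's LOGEMU output is to flag any logged packet whose IN/OUT interface is not an interface of the namespace the logger runs in. This is an added example, not code from the thread or from ulogd2/LXC; the log lines are constructed to mimic the LOGEMU format, and the interface names eth0/br0 are those from the reply above.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of ulogd2 LOGEMU-style lines (not taken from the thread).
# The first two are what a container with only eth0 should ever see.
# The third carries the host's bridge interface: seen *inside* the guest it
# would mean NFLOG messages are leaking across network namespaces.
SAMPLE_LINES = [
    "Mar 11 20:03:01 guest1 IN=eth0 OUT= MAC=00:16:3e:00:00:01:fe:00:00:00:00:01:08:00 "
    "SRC=8.8.8.8 DST=10.0.3.2 LEN=84 PROTO=ICMP TYPE=0 CODE=0",
    "Mar 11 20:03:02 guest1 IN= OUT=eth0 SRC=10.0.3.2 DST=8.8.8.8 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 11 20:03:03 guest1 IN=br0 OUT=br0 SRC=10.0.3.5 DST=10.0.3.1 LEN=60 PROTO=TCP SPT=51000 DPT=22",
]

# LOGEMU fields are space-separated KEY=VALUE tokens; VALUE may be empty (e.g. "OUT=").
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_logemu(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one LOGEMU line, keeping empty values."""
    return {key: value for key, value in KV_RE.findall(line)}


def local_interfaces() -> set:
    """Interfaces visible in the current network namespace (empty set if unavailable)."""
    try:
        return set(os.listdir("/sys/class/net"))
    except OSError:
        return set()


def foreign_entries(lines: Iterable[str], local_ifaces: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (iface, SRC, DST) for every logged packet whose IN or OUT interface
    does not belong to this namespace. A non-empty result from inside a
    container is the snooping condition Roman describes."""
    allowed = set(local_ifaces)
    foreign = []
    for line in lines:
        fields = parse_logemu(line)
        for key in ("IN", "OUT"):
            iface = fields.get(key, "")
            if iface and iface not in allowed:
                foreign.append((iface, fields.get("SRC", ""), fields.get("DST", "")))
                break  # one report per packet is enough
    return foreign


if __name__ == "__main__":
    # Run inside the container against its real ulogd2 output to check isolation.
    for entry in foreign_entries(SAMPLE_LINES, {"eth0", "lo"}):
        print("foreign interface in NFLOG output:", entry)
```

Inside the guest, feed the real ulogd2 log file instead of `SAMPLE_LINES`; on the host, pass `{"br0", "lo"}` (plus whatever else the host owns) as the allowed set.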