bridge_stp off
bridge_fd 0
-# setup masqueraded bridge port vmbr1/pm1
+# setup masqueraded bridge port vmbr1/pm1 using pm0
+# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
auto pm1
iface pm1 inet static
address 10.10.10.1
netmask 255.255.255.0
VETH_BRIDGETO vmbr1
- post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1
- post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1
- post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
- post-down iptables -t nat -F POSTROUTING
- post-down iptables -t raw -F PREROUTING
+ VETH_MASQUERADE pm0
...