Hi�

this is my bridge structure�

=========================================

brctl show

bridge name � �bridge id � � � �STP enabled � �interfaces

br0 � � � �8000.0023aea32e26 � �no � � � � � � � � � �eth0

� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �tapxp

=========================================

I tunneled a tapxp for my xp virtual machine.

host is centos 6 using eth0

eth0 & tapxp are under bridge br0 and they work well.

I wish to open 22 for host 80 for xp to outside.

others to the outside are blocked.

but I also wanna constrict nothing between host and xp

now for host it's OK to open 22 and others are blocked.�

and I just want to open the connection between host and xp now.

I tried the following command ....

==========================================================================

iptables -A OUTPUT -s argent -m physdev --physdev-in tapxp -j�ACCEPT

iptables -A OUTPUT -s argent -m policy --dir out --mode tunnel --tunnel-dst 172.18.16.0/21 -j ACCEPT

iptables -A OUTPUT -j LOG --log-tcp-sequence --log-level debug --log-prefix 'OUTPUT:'

==========================================================================

but failed by logging this

================================================================

6381 Aug �8 15:45:04 argent kernel: OUTPUT:IN= OUT=br0�SRC=172.18.22.188 DST=172.18.22.180 LEN=60 TOS=0x00 PREC=0x00�TTL=64 ID=54323 DF PROTO=TCP SPT=52595 DPT=3389 SEQ=1304299590�ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0�

================================================================

from this log, I think it should in the OUTPUT chain, not FORWARD

but why could I open it?�

1) is there a much more verbose log could be used, or could be opened.

2) how to solve this?

thanks�