[CentOS] iptables problem under tuned bridge

Hi

this is my bridge structure
=========================================
brctl show
bridge name    bridge id        STP enabled    interfaces
*br0*        8000.0023aea32e26    no                    *eth0*
                                                                     *tapxp*
=========================================

I tunneled a tapxp for my xp virtual machine.
host is centos 6 using eth0

eth0 & tapxp are under bridge *br0 *and they work well.

I wish to open 22 for host 80 for xp to outside.
others to the outside are blocked.

but I also wanna constrict nothing between *host* and *xp*

now for host it's OK to open 22 and others are blocked.
and I just want to open the connection between host and xp now.

I tried the following command ....
==========================================================================
iptables -A OUTPUT -s argent -m physdev --physdev-in tapxp -j ACCEPT
iptables -A OUTPUT -s argent -m policy --dir out --mode tunnel --tunnel-dst
172.18.16.0/21 -j ACCEPT
iptables -A OUTPUT -j LOG --log-tcp-sequence --log-level debug --log-prefix
'OUTPUT:'
==========================================================================


but failed by logging this
================================================================
6381 Aug  8 15:45:04 argent kernel: OUTPUT:IN= OUT=br0 SRC=172.18.22.188
DST=172.18.22.180 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54323 DF PROTO=TCP
SPT=52595 DPT=3389 SEQ=1304299590 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0
================================================================

from this log, I think it should in the *OUTPUT* chain, not *FORWARD*
but why could I open it?
1) is there a much more verbose log could be used, or could be opened.
2) how to solve this?

thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20110808/65be09f1/attachment.html>