netfilter 和一般网络中的数据包流

如上图所示，netfilter实际上既可以在L2层过滤，也可以在L3层过滤

所以在网桥中一般会有下面的参数，即不让iptables对bridge的数据进行处理：

cat >> /etc/sysctl.conf <<EOF
  net.bridge.bridge-nf-call-ip6tables = 0
  net.bridge.bridge-nf-call-iptables = 0
  net.bridge.bridge-nf-call-arptables = 0
  EOF

sysctl -p /etc/sysctl.conf

或者改用下面的方法解决：
iptables -t raw -I PREROUTING -i BRIDGE -s x.x.x.x -j NOTRACK.

如果net.bridge.bridge-nf-call-iptables＝1，则需要iptables对bridge的数据进行处理，也就意味着二层的网桥在转发包时也会被iptables的FORWARD规则所过滤，这样就会出现L3层的iptables rules去过滤L2的帧的问题
（packets don't cross nat table twice, In the bridging process, you don’t know the outgoing interface so the previous rule doesn’t work. He needs the interface because he’s using MASQUERADE. In the routing process, the packets go to iptables but they never cross NAT tables because the packet already crossed the table in the bridging process.）
所以关于dnat、snat的规则将失效，如 openstack中metadata服务失效