<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18702">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2 face=Arial>snif, snif, snif</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial>ok, many thanks for the clarification</FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN id=result_box lang=en class=short_text><SPAN
class=hps><FONT size=3
face="Times New Roman"></FONT></SPAN></SPAN></FONT> </DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=danhunsaker@gmail.com href="mailto:danhunsaker@gmail.com">Daniel
Hunsaker</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=brain@click.com.py
href="mailto:brain@click.com.py">Cesar Peschiera</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=pve-devel@pve.proxmox.com
href="mailto:pve-devel@pve.proxmox.com">pve-devel@pve.proxmox.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Thursday, May 01, 2014 5:14
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [pve-devel] pve-common :
linux bridge and ovs new modelimplementation v2</DIV>
<DIV><BR></DIV>
<P dir=ltr>Multicast doesn't have destination IPs to filter by, so multicast
traffic leaving a node can't be filtered that way by the node. As to
filtering it coming in, it might be possible to prevent VMs/CTs from seeing
the Proxmox multicast data by simply preventing it from being forwarded to
those interfaces. But you'll still have the multicast across your LAN
either way, because that's how multicast works.</P>
<DIV class=gmail_quote>On May 1, 2014 1:52 PM, "Cesar Peschiera" <<A
href="mailto:brain@click.com.py">brain@click.com.py</A>> wrote:<BR
type="attribution">
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>It's not possible with a firewall to say only send
multicast traffic to a specific host.<BR>(or it's not multicast anymore
;)<BR></BLOCKQUOTE><BR>But, i think that is possible, while PVE is
transmitting in mode multicast by ports UDP 5404 and 5405, the firewall can
drop the packets for all except for the IP addresses that are the PVE
Nodes.<BR><BR>A example in iptables (we know that the order of the rules is
important for get this target):<BR><BR>iptables -A OUTPUT -o
<a-IP-address-of-PVE-Node> -p udp -m multiport --ports 5404,5405 -j
ACCEPT<BR>iptables -A OUTPUT -o
<other-IP-address-of-Other-<U></U>PVE-Node> -p udp -m multiport
--ports 5404,5405 -j ACCEPT<BR>#And finally the magic rule:<BR>iptables -A
OUTPUT -p udp -m multiport --ports 5404,5405 -j DROP<BR><BR>i see it very
simple, or i am missing of something?
<BR>______________________________<U></U>_________________<BR>pve-devel
mailing list<BR><A href="mailto:pve-devel@pve.proxmox.com"
target=_blank>pve-devel@pve.proxmox.com</A><BR><A
href="http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel"
target=_blank>http://pve.proxmox.com/cgi-<U></U>bin/mailman/listinfo/pve-devel</A><BR></BLOCKQUOTE></DIV></BLOCKQUOTE></BODY></HTML>