[pve-devel] optimize non-firewalled vms rules with devgroup

Alexandre DERUMIER aderumier at odiso.com
Sat Apr 26 11:00:38 CEST 2014

I just found an interesting iptables module

-m devgroup --src-group name

group can be define with:

#ip link set dev DEVICE group GROUP

So, at begin of vmbrxxx, we just need to add:

-A vmbrxxx-IN -m devgroup --src-group name NOFWTAPS -j ACCEPT

-A vmbrxxx-OUT -m devgroup --src-group name NOFWTAPS -g PVEFW-SET-ACCEPT-MARK

(I don't have tested it yet)

What do you think about it ?

More information about the pve-devel mailing list