[pve-devel] optimize non-firewalled vms rules with devgroup
Alexandre DERUMIER
aderumier at odiso.com
Sat Apr 26 11:00:38 CEST 2014
I just found an interesting iptables module
-m devgroup --src-group name
A group can be defined with:
#ip link set dev DEVICE group GROUP
So, at the beginning of vmbrxxx, we just need to add:
-A vmbrxxx-IN -m devgroup --src-group NOFWTAPS -j ACCEPT
-A vmbrxxx-OUT -m devgroup --src-group NOFWTAPS -g PVEFW-SET-ACCEPT-MARK
(I haven't tested it yet)
What do you think about it?
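The rule above accepts everything from any device in the NOFWTAPS group before the per-VM chains run, so the safety of the optimisation depends entirely on group membership being right: a tap of a firewalled VM that ends up in the group silently bypasses its firewall. The following audit script is an added example, not code from this post or from Proxmox VE. It parses a file in the /etc/iproute2/group format (the file both `ip link set ... group` and `iptables -m devgroup` use to resolve group names), derives the group each tap should be in from the Proxmox tap naming scheme (tap<vmid>i<n>) and a set of VM ids with the firewall enabled, and compares that with a snapshot of /sys/class/net/<if>/netdev_group. The group name, the group number 10, the tap names and the sysfs snapshot are all constructed for the example.

```python
# Added example (not code from the pve-devel post or from Proxmox VE): audit
# which tap devices sit in a "no firewall" netdev group before relying on a
# devgroup ACCEPT rule. Group name/number and all sample data are constructed.
import re

GROUP_NAME = "NOFWTAPS"   # constructed name, would be listed in /etc/iproute2/group
DEFAULT_GROUP = 0         # kernel default netdev_group for every interface


def parse_iproute2_group(text):
    """Parse the /etc/iproute2/group file format ('<number> <name>' per line,
    '#' starts a comment) into a name -> number dict. Both 'ip link ... group'
    and 'iptables -m devgroup' resolve names through this file, so a name that
    is missing here makes the rule fail to load."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        num, name = line.split(None, 1)
        mapping[name.strip()] = int(num, 0)
    return mapping


TAP_RE = re.compile(r"^tap(\d+)i\d+$")   # Proxmox tap naming: tap<vmid>i<netN>


def expected_group(ifname, firewalled_vmids, group_id):
    """Group a tap should be in: group_id when its VM has the firewall disabled,
    the default group otherwise (so the per-VM chains keep seeing its traffic).
    Non-tap devices (bridges, NICs, lo) are not managed and yield None."""
    m = TAP_RE.match(ifname)
    if not m:
        return None
    vmid = int(m.group(1))
    return DEFAULT_GROUP if vmid in firewalled_vmids else group_id


def audit(observed_groups, firewalled_vmids, group_id):
    """observed_groups: {ifname: netdev_group} as read from
    /sys/class/net/<ifname>/netdev_group. Returns (ifname, kind, detail) findings:
    BYPASS is the dangerous case (firewalled VM tap inside the accept group),
    UNGROUPED merely means the optimisation is not applied to that tap."""
    findings = []
    for ifname, actual in sorted(observed_groups.items()):
        want = expected_group(ifname, firewalled_vmids, group_id)
        if want is None or want == actual:
            continue
        if actual == group_id:
            findings.append((ifname, "BYPASS",
                             f"firewalled VM tap is in group {group_id}; "
                             "devgroup ACCEPT would skip its per-VM chains"))
        else:
            findings.append((ifname, "UNGROUPED",
                             f"non-firewalled tap is in group {actual}, "
                             f"expected {group_id}"))
    return findings


def fix_commands(findings, firewalled_vmids, group_id):
    """ip link commands that move each flagged tap back to its expected group."""
    return [f"ip link set dev {ifname} group "
            f"{expected_group(ifname, firewalled_vmids, group_id)}"
            for ifname, _, _ in findings]


# Constructed sample data: a group file and a sysfs snapshot.
SAMPLE_GROUP_FILE = """\
# /etc/iproute2/group (constructed sample)
0\tdefault
10\tNOFWTAPS
"""
SAMPLE_SYSFS = {"lo": 0, "vmbr0": 0, "eth0": 0,
                "tap100i0": 10, "tap101i0": 10, "tap102i0": 0}
SAMPLE_FIREWALLED = {100}   # VM 100 has the firewall enabled, 101 and 102 do not

if __name__ == "__main__":
    gid = parse_iproute2_group(SAMPLE_GROUP_FILE)[GROUP_NAME]
    found = audit(SAMPLE_SYSFS, SAMPLE_FIREWALLED, gid)
    for ifname, kind, detail in found:
        print(f"{kind:9} {ifname}: {detail}")
    for cmd in fix_commands(found, SAMPLE_FIREWALLED, gid):
        print(cmd)
```

On a real host the snapshot would come from reading every /sys/class/net/*/netdev_group and the firewalled set from the VM firewall configuration; the script deliberately keeps BYPASS and UNGROUPED separate because only the first one weakens the firewall, the second only costs the optimisation.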