[pve-devel] pvefw security group question
Alexandre DERUMIER
aderumier at odiso.com
Tue Feb 18 18:03:00 CET 2014
>>I wonder if we can use --mark to simplify the whole thing? Maybe use
>>
>>-j MARK --set-mark 1
>>
>>to mark packets which should be ACCEPTED? Does that help?
AFAIK, MARK can only be used in mangle table, not in filter table
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 18 February 2014 17:48:10
Subject: RE: pvefw security group question
> this is bad, because if you need to firewall tap1i0-OUT -> tap2-IN, it'll do an
> ACCEPT in group chain, and bypass tap2 inbound rules.
I wonder if we can use --mark to simplify the whole thing? Maybe use
-j MARK --set-mark 1
to mark packets which should be ACCEPTED? Does that help?