[pve-devel] pvefw security group question
Alexandre DERUMIER
aderumier at odiso.com
Tue Feb 18 18:42:03 CET 2014
>>so it seems possible to use it in forward.
Maybe something like this can help:
-A vmbr1-OUT -m physdev --physdev-in tap123i0 --physdev-is-bridged -j tap123i0-OUT
-A tap123i0-OUT -j GROUP-security1-OUT
-A GROUP-security1-OUT -p icmp -j MARK --set-mark 1
-A tap123i0-OUT -m mark --mark 0x1 -j vmbr1-IN
?
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 18 February 2014 18:30:00
Subject: Re: [pve-devel] pvefw security group question
just found this
http://andys.org.uk/bits/2010/01/27/iptables-fun-with-mark/
so it seems possible to use it in forward.
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 18 February 2014 18:26:45
Subject: Re: [pve-devel] pvefw security group question
>>That would be very strange, because it only sets an integer value in the packet.
>>I think that is available in all tables?
Maybe I'm wrong, should be tested :)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 18 February 2014 18:06:21
Subject: RE: pvefw security group question
> >>to mark packets which should be ACCEPTED? Does that help?
>
> AFAIK, MARK can only be used in mangle table, not in filter table
That would be very strange, because it only sets an integer value in the packet.
I think that is available in all tables?
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel