[pve-devel] pvefw security group question
Alexandre DERUMIER
aderumier at odiso.com
Wed Feb 19 07:51:56 CET 2014
>>I thought we can simply goto a special chain (instead of ACCEPT).
>>
>>GROUP-security2 chain:
>>-A GROUP-security2 -p ssh -g PVE_SPECIAL_ACCEPT
>>...
>>PVE_SPECIAL_ACCEPT chain:
>>-A PVE_SPECIAL_ACCEPT -j MARK --set-mark 1
>>
>>Do you think that will work?
Not sure: you do a goto to PVE_SPECIAL_ACCEPT, so it finishes in PVE_SPECIAL_ACCEPT.
But how do you then get into vmbrX-IN, to check the destination's inbound rules?
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday, 19 February 2014 06:39:17
Subject: RE: [pve-devel] pvefw security group question
> I have thought about it, it's a little bit more complex, we need to check the
> mark after each mark, to be sure to exit the chain, as if we have a DROP rule
> after, it'll not work
I thought we can simply goto a special chain (instead of ACCEPT).
GROUP-security2 chain:
-A GROUP-security2 -p ssh -g PVE_SPECIAL_ACCEPT
...
PVE_SPECIAL_ACCEPT chain:
-A PVE_SPECIAL_ACCEPT -j MARK --set-mark 1
Do you think that will work?
> Also we need to reset the mark in the IN chain, because group rules use
> same mark
yes
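As an added illustration (not code from this thread or from pve-firewall), the goto-plus-mark layout sketched above written out in iptables-restore syntax, including the mark reset in the IN chain; the chain name vmbr0-IN, the `tcp --dport 22` match and the `-m mark` check are assumptions. The point it shows is that `-g` returns to the chain that did the `-j`, so processing continues in vmbr0-IN rather than in the group chain.

```iptables
# Added illustration of the goto-plus-mark pattern (iptables-restore syntax).
# Chain names and the handling of the mark are assumptions, not pve-firewall's rules.
*filter
:vmbr0-IN - [0:0]
:GROUP-security2 - [0:0]
:PVE_SPECIAL_ACCEPT - [0:0]

# The special chain only tags the packet. MARK is non-terminating, so the
# packet falls off the end of this chain.
-A PVE_SPECIAL_ACCEPT -j MARK --set-mark 1

# Group rule uses --goto (-g) instead of --jump. When PVE_SPECIAL_ACCEPT ends,
# control returns to the chain that *jumped* into GROUP-security2 (vmbr0-IN),
# so the DROP that follows in the group chain is never reached for a match.
-A GROUP-security2 -p tcp --dport 22 -g PVE_SPECIAL_ACCEPT
-A GROUP-security2 -j DROP

# Per-bridge inbound chain: clear any mark left by a previous group (all
# groups use the same mark), run the group, then act on the mark before the
# bridge's own inbound rules (accepting here is an assumption).
-A vmbr0-IN -j MARK --set-mark 0
-A vmbr0-IN -j GROUP-security2
-A vmbr0-IN -m mark --mark 1 -j ACCEPT
# ... bridge-specific inbound rules follow for unmarked packets
COMMIT
```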