[pve-devel] pvefw security group question
Alexandre DERUMIER
aderumier at odiso.com
Wed Feb 19 12:34:36 CET 2014
>>this is called from vmbrX-OUT, so it directly returns to that chain.
>>I thought there is no need to return to tap110i0-OUT ?
Just tested, it's working fine.
Maybe I don't understand how goto works? (For me, it was just a jump, without implicit return)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday 19 February 2014 12:20:24
Subject: RE: [pve-devel] pvefw security group question
> -A tap110i0-OUT -j GROUP-security1-OUT
> -A GROUP-security1-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A GROUP-security1-OUT -p icmp -g PVEFW-SET-ACCEPT-MARK
> -A GROUP-security1-OUT -p tcp -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
> -A GROUP-security1-OUT -m comment --comment "PVESIG:H5gNFciXSlxFB/xpDqyG9l5+v6M"
>
>
> -A tap110i0-OUT -m mark --mark 0x1 -g vmbr1-IN
>
>
> we do a goto to PVEFW-SET-ACCEPT-MARK, but how can this return to TAP
> chain ?
this is called from vmbrX-OUT, so it directly returns to that chain.
I thought there is no need to return to tap110i0-OUT ?
> (I don't have tested it yet)
>
> I think we should do something like this:
>
> -A tap110i0-OUT -j GROUP-security1-OUT
> -A GROUP-security1-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A GROUP-security1-OUT -p icmp -j PVEFW-SET-ACCEPT-MARK
> -A GROUP-security1-OUT -m mark --mark 0x1 -j RETURN
> -A GROUP-security1-OUT -p tcp -m tcp --dport 22 -j PVEFW-SET-ACCEPT-MARK
> -A GROUP-security1-OUT -m mark --mark 0x1 -j RETURN
> -A GROUP-security1-OUT -m comment --comment "PVESIG:H5gNFciXSlxFB/xpDqyG9l5+v6M"
>
> -A tap110i0-OUT -m mark --mark 0x1 -g vmbr1-IN
This is clumsy, but does exactly the same as my code - or what is the difference?
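How -g differs from -j in this rule set, as an added example that is not code from the thread or from Proxmox: a small Python model of chain traversal using the --goto semantics documented in iptables(8), where a RETURN (or the end of a chain) after a goto resumes in the chain that last entered via --jump. The rules are a constructed transcription of the first rule set quoted above; the bodies of PVEFW-SET-ACCEPT-MARK and vmbr1-IN are assumed stand-ins.

```python
# Added example (not from the pve-devel thread): model iptables -j vs -g.
# After a --goto, RETURN resumes in the chain that last entered via --jump,
# not in the chain that did the goto (iptables(8) --goto description).

class Packet:
    def __init__(self, proto, dport=0):
        self.proto, self.dport, self.mark = proto, dport, 0

def rule(match, action, target=None):
    return (match, action, target)

def walk(chains, chain, pkt, trace):
    """Process pkt through chain; return a verdict, or None for RETURN."""
    trace.append("enter " + chain)
    for match, action, target in chains[chain]:
        if not match(pkt):
            continue
        if action == "mark":
            pkt.mark = target
        elif action == "return":
            return None
        elif action == "jump":               # -j: callee returns to us
            verdict = walk(chains, target, pkt, trace)
            if verdict is not None:
                return verdict
            trace.append("resume " + chain)
        elif action == "goto":               # -g: callee returns to OUR caller
            return walk(chains, target, pkt, trace)
        else:
            return action                    # terminal verdict, e.g. ACCEPT
    return None                              # end of chain acts like RETURN

ANY = lambda p: True
CHAINS = {  # constructed transcription of the quoted rules
    "tap110i0-OUT": [
        rule(ANY, "jump", "GROUP-security1-OUT"),
        rule(lambda p: p.mark == 0x1, "goto", "vmbr1-IN"),
    ],
    "GROUP-security1-OUT": [
        rule(ANY, "mark", 0x0),
        rule(lambda p: p.proto == "icmp", "goto", "PVEFW-SET-ACCEPT-MARK"),
        rule(lambda p: p.proto == "tcp" and p.dport == 22, "goto", "PVEFW-SET-ACCEPT-MARK"),
    ],
    "PVEFW-SET-ACCEPT-MARK": [rule(ANY, "mark", 0x1), rule(ANY, "return")],  # assumed body
    "vmbr1-IN": [rule(ANY, "ACCEPT")],       # assumed stand-in for the bridge chain
}

def run(proto, dport=0):
    pkt, trace = Packet(proto, dport), []
    verdict = walk(CHAINS, "tap110i0-OUT", pkt, trace)
    return verdict, pkt.mark, trace

if __name__ == "__main__":
    for args in (("icmp",), ("tcp", 22), ("tcp", 80)):
        print(args, run(*args))
```

The trace for an ICMP packet never contains "resume GROUP-security1-OUT": the goto'd chain hands control straight back to tap110i0-OUT, whose mark rule then fires.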