[pve-devel] pvefw: why do we check vmbr0-IN for INPUT
Alexandre DERUMIER
aderumier at odiso.com
Thu Feb 20 17:58:14 CET 2014
mmmm,
-A PVEFW-INPUT -m physdev --physdev-in tap100i0 -j tap100i0-OUT
This is to manage tap out rules -> host.
But after that it's using the tap chain... that's why it goes to vmbr0-IN. (I think it's doing nothing, but it's an overhead.)
Maybe we can manage a special tap chain for these tap out -> host rules?
We drop everything by default, but maybe later we'll need to open something like DHCP, if we manage a DHCP server on the Proxmox host.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday, 20 February 2014 17:40:24
Subject: pvefw: why do we check vmbr0-IN for INPUT
Why do we check vmbr0-IN for INPUT?
-----
-A PVEFW-INPUT -m physdev --physdev-in tap100i0 -j tap100i0-OUT
…
-A tap100i0-OUT -m mark --mark 0x1 -g vmbr0-IN
…
-A vmbr0-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
-A vmbr0-IN -j ACCEPT
…
That looks strange to me.