[pve-devel] pvefw: why do we check vmbr0-IN for INPUT

Alexandre DERUMIER aderumier at odiso.com
Fri Feb 21 09:48:52 CET 2014 

>>Thought a bit more about that, and I wonder if we really need to you jump to vmbr0-IN?
>>I can see that this is an optimization? But we could also use a simple RETURN instead?

Yes, it's an optimization, to not test other tap chains in VMBR-OUT.

If we want to use return in tap chain, I think we can optimize parent chain like this
(Like openstack implementation)


iptables -A proxmoxfw-FORWARD -o vmbr1 -m physdev --physdev-is-bridged -j vmbr1
iptables -A proxmoxfw-FORWARD -i vmbr1 -m physdev --physdev-is-bridged -j vmbr1
iptables -A proxmoxfw-FORWARD -i vmbr1 -j DROP  #disable interbridge routing
iptables -A proxmoxfw-FORWARD -o vmbr1 -j DROP # disable interbridge routing

iptables -A vmbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A vmbr1 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr1-OUT
iptables -A vmbr1 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr1-IN
iptables -A vmbr1 -j ACCEPT


iptables -N tap110i0-OUT
iptables -A vmbr1-OUT -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT
iptables -N tap123i0-OUT
iptables -A vmbr1-OUT -m physdev --physdev-in tap123i0 --physdev-is-bridged -j tap123i0-OUT

----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Vendredi 21 Février 2014 09:25:15 
Objet: RE: pvefw: why do we check vmbr0-IN for INPUT 

> >>I am quit unsure about that. It is really difficult to understand that setup. 
> >>Maybe we can use the --state to simplify things? 
> 
> Do you have an example ? 

Thought a bit more about that, and I wonder if we really need to you jump to vmbr0-IN? 
I can see that this is an optimization? But we could also use a simple RETURN instead? 

exists tap100i0-OUT (OJ24RKwkwqb9Xm9aIuRWjhQ1BL4) 
-A tap100i0-OUT -m conntrack --ctstate INVALID -j DROP 
-A tap100i0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP 
-A tap100i0-OUT -j GROUP-group1-OUT 

-A tap100i0-OUT -m mark --mark 1 -g vmbr0-IN #NOTE we can also RETURN here? 

-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4 
-A tap100i0-OUT -j DROP

More information about the pve-devel mailing list