[pve-devel] pvefw: why do we check vmbr0-IN for INPUT
Dietmar Maurer
dietmar at proxmox.com
Fri Feb 21 10:00:49 CET 2014
> Yes, it's an optimization, to not test other tap chains in VMBR-OUT.
If we use RETURN, we can reuse vmbr0-OUT for the hostfw?
> If we want to use RETURN in the tap chain, I think we can optimize the parent chain like
> this (like the OpenStack implementation):
>
> iptables -A proxmoxfw-FORWARD -o vmbr1 -m physdev --physdev-is-bridged -j vmbr1
> iptables -A proxmoxfw-FORWARD -i vmbr1 -m physdev --physdev-is-bridged -j vmbr1
> iptables -A proxmoxfw-FORWARD -i vmbr1 -j DROP # disable interbridge routing
> iptables -A proxmoxfw-FORWARD -o vmbr1 -j DROP # disable interbridge routing
>
> iptables -A vmbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A vmbr1 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr1-OUT
> iptables -A vmbr1 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr1-IN
> iptables -A vmbr1 -j ACCEPT
That way we cannot reuse it for the host firewall?
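To make the chain layout quoted above easier to reason about, here is an added toy model (not Proxmox or OpenStack code, and not part of the mailing list post) that evaluates rules the way iptables does: first match wins, ACCEPT and DROP end evaluation, RETURN or falling off the end of a user chain hands control back to the caller. The bridge and tap names (vmbr0, vmbr1, tap100i0 and so on), the per-tap chains that simply RETURN, and the DROP policy are constructed for the example; the rule order follows the quoted proposal. Running it shows which chains a bridged packet actually visits, that a packet on vmbr1 never touches vmbr0's chains, that a routed packet between bridges is dropped by the "disable interbridge routing" rules, and that a per-direction chain built from RETURNing tap chains gives no verdict of its own, which is the property the question about reusing it from the host firewall turns on.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    in_iface: str = ""         # -i
    out_iface: str = ""        # -o
    physdev_in: str = ""       # bridge port the frame came in on (tap), "" if none
    physdev_out: str = ""      # bridge port it leaves on, "" if none
    bridged: bool = False      # --physdev-is-bridged: bridged, not routed
    established: bool = False  # conntrack RELATED,ESTABLISHED


Rule = Tuple[str, Callable[[Packet], bool], str]  # (rule text, match, target)
Chains = Dict[str, List[Rule]]


def walk(chains: Chains, name: str, pkt: Packet, trace: List[str]) -> Optional[str]:
    """Evaluate chain `name` like iptables: first match wins, ACCEPT/DROP end
    evaluation, RETURN (or falling off the end) hands control back to the caller."""
    for text, match, target in chains[name]:
        trace.append(f"{name}: {text}")
        if not match(pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        verdict = walk(chains, target, pkt, trace)   # jump into a user chain
        if verdict is not None:
            return verdict
        # the user chain returned: evaluation continues with the next rule here
    return None


def bridge_chains(br: str, taps: List[str]) -> Chains:
    """Per-bridge chains as sketched in the quoted mail. The tap chains are
    constructed stand-ins that end in RETURN (real per-VM rules would precede it)."""
    chains: Chains = {
        br: [
            ("-m state --state RELATED,ESTABLISHED -j ACCEPT", lambda p: p.established, "ACCEPT"),
            (f"--physdev-is-bridged --physdev-is-in -j {br}-OUT",
             lambda p: p.bridged and p.physdev_in != "", f"{br}-OUT"),
            (f"--physdev-is-bridged --physdev-is-out -j {br}-IN",
             lambda p: p.bridged and p.physdev_out != "", f"{br}-IN"),
            ("-j ACCEPT", lambda p: True, "ACCEPT"),
        ],
        f"{br}-OUT": [],
        f"{br}-IN": [],
    }
    for tap in taps:
        chains[f"{br}-OUT"].append((f"--physdev-in {tap} -j {tap}-OUT",
                                    lambda p, t=tap: p.physdev_in == t, f"{tap}-OUT"))
        chains[f"{br}-IN"].append((f"--physdev-out {tap} -j {tap}-IN",
                                   lambda p, t=tap: p.physdev_out == t, f"{tap}-IN"))
        chains[f"{tap}-OUT"] = [("(per-VM rules) ... -j RETURN", lambda p: True, "RETURN")]
        chains[f"{tap}-IN"] = [("(per-VM rules) ... -j RETURN", lambda p: True, "RETURN")]
    return chains


def build(bridges: Dict[str, List[str]]) -> Chains:
    """proxmoxfw-FORWARD sends bridged traffic to its bridge's chain and drops
    anything routed into or out of a bridge (the 'disable interbridge routing' rules)."""
    fwd: List[Rule] = []
    for br in bridges:
        fwd += [
            (f"-o {br} --physdev-is-bridged -j {br}", lambda p, b=br: p.out_iface == b and p.bridged, br),
            (f"-i {br} --physdev-is-bridged -j {br}", lambda p, b=br: p.in_iface == b and p.bridged, br),
            (f"-i {br} -j DROP", lambda p, b=br: p.in_iface == b, "DROP"),
            (f"-o {br} -j DROP", lambda p, b=br: p.out_iface == b, "DROP"),
        ]
    chains: Chains = {"proxmoxfw-FORWARD": fwd}
    for br, taps in bridges.items():
        chains.update(bridge_chains(br, taps))
    return chains


def decide(chains: Chains, pkt: Packet) -> Tuple[str, List[str]]:
    """Run a packet through proxmoxfw-FORWARD and return (verdict, rules evaluated).
    "POLICY" means no rule decided and the built-in chain's policy would apply."""
    trace: List[str] = []
    return walk(chains, "proxmoxfw-FORWARD", pkt, trace) or "POLICY", trace


# Constructed topology: two bridges with two VM tap ports each.
CHAINS = build({"vmbr0": ["tap100i0", "tap101i0"], "vmbr1": ["tap102i0", "tap103i0"]})

if __name__ == "__main__":
    cases = {
        "new vm->vm frame on vmbr1": Packet("vmbr1", "vmbr1", "tap102i0", "tap103i0", bridged=True),
        "established frame on vmbr1": Packet("vmbr1", "vmbr1", "tap102i0", "tap103i0", True, True),
        "routed vmbr1->vmbr0 packet": Packet("vmbr1", "vmbr0"),
    }
    for label, pkt in cases.items():
        verdict, trace = decide(CHAINS, pkt)
        print(f"{label}: {verdict} after {len(trace)} rules")
        for line in trace:
            print("   ", line)
    # A chain made of RETURNing tap chains yields no verdict by itself, so a caller
    # (for instance a host INPUT chain) keeps control after jumping into it.
    print("vmbr0-OUT alone:", walk(CHAINS, "vmbr0-OUT", Packet("vmbr0", "", "tap100i0", "", True), []))
```

The trace makes the cost of the RETURN design visible: for a new bridged frame the per-bridge chain visits both vmbr1-OUT and vmbr1-IN before its final ACCEPT, while an established frame is accepted by the state rule without entering any tap chain.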