[pve-devel] [PATCH] optimize bridge chains
Alexandre DERUMIER
aderumier at odiso.com
Tue Feb 25 11:21:38 CET 2014
>>can't we jump from PVEFW-FORWARD directly to vmbr0-IN/vmbr0-OUT ?
I'm not sure, but should be tested (I have taken the cloudstack implementation)
currently:
-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
so, we check for -o vmbr0, vmbr0-OUT/IN and for -i vmbr0, vmbr0-OUT/IN.
I'll do tests today.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 25 February 2014 10:40:09
Subject: RE: [pve-devel] [PATCH] optimize bridge chains
> >>confused - does it work, or is there something we need to fix?
>
> Well, the rules seem good, I have tested them and it's working fine.
>
> But I don't know why it's hanging when testing the hash...
do we really need all those chains ?
-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
-A vmbr0-OUT -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-OUT
can't we jump from PVEFW-FORWARD directly to vmbr0-IN/vmbr0-OUT ?