[pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces
Alexandre DERUMIER
aderumier at odiso.com
Tue Feb 25 16:50:57 CET 2014
> But we should only accept packets which originate from VMs?
I see 3 cases:
ethX->tap-in:
--------------
incoming ethX is not firewalled
tap-in does the ACCEPT

tap-out->tap-in:
----------------
tap-out does the RETURN
tap-in does the ACCEPT

tap-out->ethX:
---------------
tap-out does the RETURN,
so we need an ACCEPT for ethX
I have looked at CloudStack; they are doing

-A vmbr0 -m physdev --physdev-is-bridged --physdev-out $physdev -j ACCEPT

where $physdev is the ethX/bondX plugged into the bridge,

but maybe

-A vmbr0 -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT

is enough?
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Tuesday, 25 February 2014 16:25:00
Subject: RE: [pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces
> We need to accept traffic at the end of bridge rules for outgoing packets
> from tap->ethX, as we don't do ACCEPT in tap-out rules.
But we should only accept packets which originate from VMs?
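The three cases from the message above, walked through a small model of the iptables chain traversal (a jump into a tap chain, RETURN coming back to vmbr0, ACCEPT terminating). This is an added illustration, not PVE firewall code; the chain and interface names (vmbr0, eth0, tap100i0, tap101i0) and the assumption that a frame falling off the end of vmbr0 is dropped are constructed for the example.

```python
# Constructed model of the bridge-chain walk from the mail above; not PVE firewall code.
# Assumed: names vmbr0/eth0/tap100i0/tap101i0, and frames falling off vmbr0 are dropped.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Rule:
    target: str                        # ACCEPT, DROP, RETURN or a user chain to jump to
    physdev_in: Optional[str] = None   # -m physdev --physdev-in <port>
    physdev_out: Optional[str] = None  # -m physdev --physdev-out <port>
    physdev_is_out: bool = False       # -m physdev --physdev-is-out (any bridge egress port)
    def matches(self, pin: str, pout: str) -> bool:
        return (self.physdev_in in (None, pin) and self.physdev_out in (None, pout)
                and (not self.physdev_is_out or pout != ""))

def walk(chains: Dict[str, List[Rule]], chain: str, pin: str, pout: str) -> Optional[str]:
    # Returns ACCEPT/DROP, or None when RETURN is hit or the chain ends (back to the caller).
    for rule in chains[chain]:
        if not rule.matches(pin, pout):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pin, pout)  # jump into a user chain
        if verdict is not None:
            return verdict
    return None

def build_chains(final_rule: Optional[Rule]) -> Dict[str, List[Rule]]:
    # vmbr0 dispatches per tap; tap-out chains end in RETURN, tap-in chains in ACCEPT.
    chains = {
        "vmbr0": [Rule("tap100i0-OUT", physdev_in="tap100i0"),
                  Rule("tap101i0-IN", physdev_out="tap101i0")],
        "tap100i0-OUT": [Rule("RETURN")],
        "tap101i0-IN": [Rule("ACCEPT")],
    }
    if final_rule is not None:  # the trailing rule the patch discusses appending
        chains["vmbr0"].append(final_rule)
    return chains
CASES = {"ethX->tap-in": ("eth0", "tap101i0"),  # (physdev-in, physdev-out)
         "tap-out->tap-in": ("tap100i0", "tap101i0"),
         "tap-out->ethX": ("tap100i0", "eth0")}
def verdicts(final_rule: Optional[Rule]) -> Dict[str, str]:
    chains = build_chains(final_rule)
    return {n: walk(chains, "vmbr0", i, o) or "DROP" for n, (i, o) in CASES.items()}
if __name__ == "__main__":
    print("no final rule      ", verdicts(None))
    print("--physdev-out eth0 ", verdicts(Rule("ACCEPT", physdev_out="eth0")))
    print("--physdev-is-out   ", verdicts(Rule("ACCEPT", physdev_is_out=True)))
```

Without a trailing rule, the tap-out->ethX frame returns from the tap-out chain, matches nothing else, and falls off vmbr0; either of the two candidate ACCEPT rules from the message catches it.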