[pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces
Alexandre DERUMIER
aderumier at odiso.com
Tue Feb 25 17:29:43 CET 2014
>>What about this case:
>>
>>ethX->unmanaged-tap :
>> --------------
>>incoming ethX is not firewalled
>>outgoing tap is not managed by our firewall
with
-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-FW -j ACCEPT
or
-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT (maybe this is better?)
it's working fine
(there is no filtering on the tap, and the ACCEPT is done at the end)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, 25 February 2014 16:55:51
Subject: RE: [pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces
> I see 3 cases:
>
> ethX->tap-in :
> --------------
> incoming ethX is not firewalled
> tap-in does the ACCEPT
>
> tap out->tap in :
> ----------------
> tap-out does the RETURN
> tap-in does the ACCEPT
>
> tap out->ethX :
> ---------------
> tap-out does the RETURN,
> so we need an accept for ethX
What about this case:
ethX->unmanaged-tap :
--------------
incoming ethX is not firewalled
outgoing tap is not managed by our firewall
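The four flows discussed in this thread, walked through a small model of the vmbr0-FW chain. This is an added illustration, not Proxmox code; the interface names (eth0, tap100i0, tap101i0, the unmanaged tap999i0) and the per-tap chain verdicts are constructed assumptions. It shows why the trailing ACCEPT is needed: a tap's OUT chain ends in RETURN, so only the IN chain of a managed tap can terminate the walk, and any packet leaving towards ethX or an unmanaged tap would otherwise fall out of the chain with no verdict.

```python
# Constructed model of the vmbr0-FW chain discussed in the thread (not Proxmox code).
# Interface names and per-tap verdicts below are assumptions for the example.
PHYSICAL = {"eth0"}                 # uplink: no firewall chain of its own
# <tap>-OUT chain result for traffic leaving the VM; None means no rule matched
# and the chain fell off its trailing RETURN.
TAP_OUT = {"tap100i0": None, "tap101i0": "DROP"}
# <tap>-IN chain for traffic entering the VM always ends with ACCEPT.
TAP_IN = {"tap100i0": "ACCEPT", "tap101i0": "ACCEPT"}


def vmbr0_out(phys_in):
    """vmbr0-OUT: jump to <tap>-OUT for the ingress physdev, else no verdict."""
    if phys_in in TAP_OUT:
        return TAP_OUT[phys_in] or "RETURN"
    return None                     # ethX or unmanaged tap: nothing to run


def vmbr0_in(phys_out):
    """vmbr0-IN: jump to <tap>-IN for the egress physdev, else no verdict."""
    return TAP_IN.get(phys_out)


def vmbr0_fw(phys_in, phys_out, final_accept=True):
    """Walk vmbr0-FW for one bridged packet. Returns the terminating verdict,
    or None when the chain ends without one (FORWARD then decides)."""
    # -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
    v = vmbr0_out(phys_in)
    if v not in (None, "RETURN"):
        return v                    # e.g. DROP from the tap's OUT chain
    # -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
    v = vmbr0_in(phys_out)
    if v not in (None, "RETURN"):
        return v                    # ACCEPT from a managed tap's IN chain
    # -A vmbr0-FW -j ACCEPT  (the rule this patch adds)
    return "ACCEPT" if final_accept else None


def cases(final_accept=True):
    """The flows from the thread, plus one where a tap OUT chain drops."""
    flows = [("eth0", "tap100i0"),      # ethX -> tap-in
             ("tap100i0", "tap101i0"),  # tap out -> tap in
             ("tap100i0", "eth0"),      # tap out -> ethX
             ("eth0", "tap999i0"),      # ethX -> unmanaged tap
             ("tap101i0", "eth0")]      # tap OUT chain drops
    return {f"{i}->{o}": vmbr0_fw(i, o, final_accept) for i, o in flows}
```

Without the trailing ACCEPT, `cases(False)` shows the tap-out->ethX and ethX->unmanaged-tap flows leaving the chain with no verdict, while a DROP in a tap's OUT chain still wins in both variants.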