[pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

Dietmar Maurer dietmar at proxmox.com
Wed Feb 26 07:45:19 CET 2014


> -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT (maybe this is better ?)

After my change, I guess we need to add such rule additionally:

-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0-FW -m mark --mark 1 -j ACCEPT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT # for bridge ports not managed by our FW?

?

