[pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

Alexandre DERUMIER aderumier at odiso.com
Wed Feb 26 07:46:56 CET 2014


>>I now always use PVEFW-SET-ACCEPT-MARK for OUT chains, so that way we can 
>>re-use chains for the host firewall. 

>>any objections ?

I think it's ok, I'll do tests this afternoon.


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday, 26 February 2014 07:26:51
Subject: RE: [pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

> with 
> -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT 
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN 
> -A vmbr0-FW -j ACCEPT 
> 
> or 
> -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT 
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN 
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT 
> (maybe this is better ?) 
> 
> it's working fine 

applied, but I have added another change: 

https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff;h=fdb0bf200c4d48f0826c365ace8f126c535a4600 

I now always use PVEFW-SET-ACCEPT-MARK for OUT chains, so that way we can 
re-use chains for the host firewall. 

any objections? 
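To make the difference between the two vmbr0-FW variants quoted above concrete, here is an added example that is not part of the thread and not pve-firewall code: a small model of iptables chain traversal that understands only the physdev flags the rules use (--physdev-is-in, --physdev-is-out, --physdev-is-bridged), -j into a user chain, ACCEPT, and the implicit return at the end of a chain. The vmbr0-OUT and vmbr0-IN chains are modelled as empty (an assumption, so that only the third rule differs), the port names tap100i0, tap101i0 and eth0 are constructed, and the PVEFW-SET-ACCEPT-MARK change Dietmar mentions is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Packet:
    """The few packet attributes the physdev match inspects (constructed model)."""
    physdev_in: Optional[str] = None    # bridge port the frame arrived on, or None
    physdev_out: Optional[str] = None   # bridge port the frame will leave on, or None
    bridged: bool = False               # forwarded by the bridge rather than routed
    trace: List[str] = field(default_factory=list)  # chains visited, filled by walk()


@dataclass
class Rule:
    """One -A line: optional physdev flags plus a target."""
    target: str                         # user chain name, "ACCEPT", "DROP" or "RETURN"
    is_in: Optional[bool] = None        # --physdev-is-in
    is_out: Optional[bool] = None       # --physdev-is-out
    is_bridged: Optional[bool] = None   # --physdev-is-bridged

    def matches(self, pkt: Packet) -> bool:
        wanted = [
            (self.is_in, pkt.physdev_in is not None),
            (self.is_out, pkt.physdev_out is not None),
            (self.is_bridged, pkt.bridged),
        ]
        return all(want is None or want == have for want, have in wanted)


TERMINAL = {"ACCEPT", "DROP"}


def walk(chains: Dict[str, List[Rule]], name: str, pkt: Packet) -> str:
    """Traverse chain `name`: ACCEPT/DROP end the walk, a user chain is entered
    with -j, and running off the end of a chain returns to the caller."""
    pkt.trace.append(name)
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL or rule.target == "RETURN":
            return rule.target
        verdict = walk(chains, rule.target, pkt)
        if verdict in TERMINAL:
            return verdict
        # the user chain fell through (RETURN): keep evaluating this chain
    return "RETURN"


def build(variant: int) -> Dict[str, List[Rule]]:
    """The two vmbr0-FW variants from the thread. vmbr0-OUT and vmbr0-IN are
    modelled as empty chains (assumption) so that only the third rule differs."""
    fw = [
        Rule("vmbr0-OUT", is_in=True, is_bridged=True),
        Rule("vmbr0-IN", is_out=True, is_bridged=True),
    ]
    if variant == 1:
        fw.append(Rule("ACCEPT"))                                # -A vmbr0-FW -j ACCEPT
    else:
        fw.append(Rule("ACCEPT", is_out=True, is_bridged=True))  # ... --physdev-is-out --physdev-is-bridged -j ACCEPT
    return {"vmbr0-FW": fw, "vmbr0-OUT": [], "vmbr0-IN": []}


def verdict_for(variant: int, pkt: Packet) -> str:
    """Verdict vmbr0-FW hands back to its caller for one packet."""
    return walk(build(variant), "vmbr0-FW", pkt)


if __name__ == "__main__":
    # Constructed sample packets; tap100i0/tap101i0/eth0 are assumed port names.
    samples = {
        "VM -> VM, bridged":        ("tap100i0", "tap101i0", True),
        "VM -> uplink, bridged":    ("tap100i0", "eth0", True),
        "arrived on port, routed":  ("tap100i0", None, False),
        "no bridge port at all":    (None, None, False),
    }
    for label, (pin, pout, bridged) in samples.items():
        v1 = verdict_for(1, Packet(pin, pout, bridged))
        v2 = verdict_for(2, Packet(pin, pout, bridged))
        print(f"{label:26} variant 1: {v1:7} variant 2: {v2}")
```

In this model both variants accept bridged VM-to-VM and VM-to-uplink traffic after visiting vmbr0-OUT and vmbr0-IN. They differ on anything that reaches vmbr0-FW without being a bridged frame about to leave through a port: the first variant accepts it unconditionally, the second returns it to the calling chain, where the remaining rules and the chain policy decide. Whether such traffic can reach vmbr0-FW at all depends on how the chain is called, which the thread does not show.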


