[pve-devel] pvefw: use custom Drop/Reject

Dietmar Maurer dietmar at proxmox.com
Wed Feb 26 17:38:53 CET 2014


> how is it implemented in tapchain for example?

I currently only use it for the policy, but the plan is to use it for all DROP/REJECT.

        -A tap100i0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A tap100i0-OUT -p tcp -j PVEFW-tcpflags
        -A tap100i0-OUT -m conntrack --ctstate INVALID -j DROP
        -A tap100i0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A tap100i0-OUT -j GROUP-group1-OUT
        -A tap100i0-OUT -m mark --mark 1 -j RETURN
        -A tap100i0-OUT -p tcp --dport 80 -g PVEFW-SET-ACCEPT-MARK
        # reject policy
        -A tap100i0-OUT -j PVEFW-Reject
        -A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-reject: " --log-level 4
        -A tap100i0-OUT -g PVEFW-reject
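The chain listing above has a structure worth checking mechanically whenever the generator changes: INVALID packets dropped before the RELATED,ESTABLISHED accept, a prefixed LOG rule directly in front of the final policy reject, and no unconditional goto or terminal target that leaves later rules unreachable. The following is an added example (not code from pve-firewall or from the post) that parses rules in the `-A` form shown and reports violations of those three invariants. It assumes, as a labelled convention, that chains whose names start with PVEFW-reject or PVEFW-drop are the custom reject/drop chains the post refers to; the sample chains are constructed from the listing above.

```python
import shlex
from dataclasses import dataclass

# Constructed sample: the tap100i0-OUT chain as listed in the post.
SAMPLE_CHAIN = """
-A tap100i0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A tap100i0-OUT -p tcp -j PVEFW-tcpflags
-A tap100i0-OUT -m conntrack --ctstate INVALID -j DROP
-A tap100i0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-OUT -j GROUP-group1-OUT
-A tap100i0-OUT -m mark --mark 1 -j RETURN
-A tap100i0-OUT -p tcp --dport 80 -g PVEFW-SET-ACCEPT-MARK
# reject policy
-A tap100i0-OUT -j PVEFW-Reject
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-reject: " --log-level 4
-A tap100i0-OUT -g PVEFW-reject
"""

# Constructed counter-example: the LOG rule was placed after the goto,
# so rejected packets are never logged and the LOG rule is dead.
BAD_CHAIN = """
-A tap200i0-OUT -m conntrack --ctstate INVALID -j DROP
-A tap200i0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A tap200i0-OUT -j PVEFW-Reject
-A tap200i0-OUT -g PVEFW-reject
-A tap200i0-OUT -j LOG --log-prefix "tap200i0-OUT-reject: " --log-level 4
"""

TERMINAL_BUILTINS = {"ACCEPT", "DROP", "REJECT", "RETURN"}
# Assumed naming convention for the custom reject/drop chains.
CUSTOM_REJECT_PREFIXES = ("pvefw-reject", "pvefw-drop")


@dataclass
class Rule:
    chain: str
    matches: list      # tokens between the chain name and -j/-g
    target: str
    goto: bool         # True for -g (no return to caller), False for -j
    target_opts: list  # tokens after the target, e.g. --log-prefix ...


def parse_rules(text):
    """Parse iptables-save style '-A CHAIN ... -j|-g TARGET ...' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # shlex keeps the quoted --log-prefix intact
        jump = [i for i, t in enumerate(tok) if t in ("-j", "-g")]
        if len(tok) < 4 or tok[0] != "-A" or not jump:
            raise ValueError(f"unsupported rule syntax: {line}")
        i = jump[0]
        rules.append(Rule(tok[1], tok[2:i], tok[i + 1], tok[i] == "-g", tok[i + 2:]))
    return rules


def _ctstate(rule):
    if "--ctstate" in rule.matches:
        return set(rule.matches[rule.matches.index("--ctstate") + 1].split(","))
    return set()


def is_reject_target(rule):
    name = rule.target.lower()
    return rule.target in {"DROP", "REJECT"} or name.startswith(CUSTOM_REJECT_PREFIXES)


def check_chain(rules, chain):
    """Return a list of findings for CHAIN; an empty list means all checks pass."""
    findings = []
    cr = [r for r in rules if r.chain == chain]
    if not cr:
        return [f"{chain}: no rules found"]

    # 1. INVALID must be dropped before RELATED,ESTABLISHED traffic is accepted.
    inv = [i for i, r in enumerate(cr) if _ctstate(r) == {"INVALID"} and r.target == "DROP"]
    est = [i for i, r in enumerate(cr)
           if _ctstate(r) >= {"RELATED", "ESTABLISHED"} and r.target == "ACCEPT"]
    if not inv:
        findings.append(f"{chain}: no rule drops conntrack state INVALID")
    elif est and inv[0] > est[0]:
        findings.append(f"{chain}: INVALID dropped only after RELATED,ESTABLISHED accept")

    # 2. The policy must end in an unconditional reject/drop preceded by a prefixed LOG.
    last = cr[-1]
    if last.matches or not is_reject_target(last):
        findings.append(f"{chain}: last rule is not an unconditional reject/drop")
    elif len(cr) < 2 or cr[-2].target != "LOG" or "--log-prefix" not in cr[-2].target_opts:
        findings.append(f"{chain}: policy reject is not preceded by a prefixed LOG rule")

    # 3. An unconditional goto or built-in terminal target makes later rules dead.
    for i, r in enumerate(cr[:-1]):
        if not r.matches and (r.goto or r.target in TERMINAL_BUILTINS):
            findings.append(f"{chain}: rule {i + 1} makes {len(cr) - i - 1} later rule(s) unreachable")
            break
    return findings


if __name__ == "__main__":
    for text, chain in ((SAMPLE_CHAIN, "tap100i0-OUT"), (BAD_CHAIN, "tap200i0-OUT")):
        print(chain, check_chain(parse_rules(text), chain) or "OK")
```

Run against the listing from the post the checker reports nothing; against the constructed counter-example it reports both that the chain no longer ends in a reject and that the `-g PVEFW-reject` goto leaves the LOG rule unreachable. A jump with `-j` to a user chain is deliberately not treated as terminal, since that chain may RETURN, which is exactly why the `-j PVEFW-Reject` rule above is followed by further rules.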
