[pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

[Dietmar Maurer]

> I don't remember, Why can't we simply use
> 
> -A vmbr0-FW -j ACCEPT  ?  (instead -A vmbr0-FW -m mark --mark 1 -j ACCEPT
> )
> for managed tap, if we don't have a DROP in tapchains, we should accept
> when returning in vmbr0-FW
> for unmanaged tap or ethX, we should ACCEPT in any case at the end of
> vmbr0-FW too.

That would accept packages where --physdev-is-out is not set (can that happen?)?