[pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

Alexandre DERUMIER aderumier at odiso.com
Thu Feb 27 12:05:51 CET 2014


>>That would accept packages where --physdev-is-out is not set (can that happen?)? 

I don't think it can happen in FORWARD.

But it's possible in INPUT or OUTPUT (host -> physin (tap, eth, ...), physout (tap, eth) -> host).

----- Original message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 27 February 2014 10:54:21
Subject: RE: [pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

> I don't remember. Why can't we simply use
>
> -A vmbr0-FW -j ACCEPT ? (instead of -A vmbr0-FW -m mark --mark 1 -j ACCEPT)
>
> For managed tap, if we don't have a DROP in tap chains, we should accept
> when returning in vmbr0-FW.
> For unmanaged tap or ethX, we should ACCEPT in any case at the end of
> vmbr0-FW too.

That would accept packages where --physdev-is-out is not set (can that happen?)? 
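An added audit script, not part of this thread or of the pve-firewall code, that runs over a constructed iptables-save excerpt (the chain names vmbr0-FW/vmbr0-IN/vmbr0-OUT and the mark 1 set by the tap chain are modelled on the rules quoted above; everything else is assumed) and flags ACCEPT rules in a bridge chain that carry neither a physdev direction match nor the mark match, i.e. the unconditional ACCEPT whose reach in INPUT/OUTPUT is the question here:

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not a real PVE ruleset). It contains the
# two ACCEPT variants from the thread: the unconditional one at the end of
# vmbr0-FW, and the mark-restricted one inside a tap-side chain.
SAMPLE_RULES='*filter
:vmbr0-FW - [0:0]
:vmbr0-IN - [0:0]
:vmbr0-OUT - [0:0]
-A vmbr0-FW -m physdev --physdev-is-out -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-in -j vmbr0-IN
-A vmbr0-FW -j ACCEPT
-A vmbr0-IN -m mark --mark 1 -j ACCEPT
COMMIT'

# find_unconditional_accepts CHAIN
# Print every "-A CHAIN ... -j ACCEPT" rule that has no --physdev-is-in /
# --physdev-is-out match and no "-m mark" match. Such a rule also accepts
# packets for which --physdev-is-out is unset, which the reply above says
# can occur in INPUT or OUTPUT even though it cannot in FORWARD.
find_unconditional_accepts() {
    chain="$1"
    printf '%s\n' "$SAMPLE_RULES" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain && $0 ~ /-j ACCEPT$/ \
        && $0 !~ /--physdev-is-(in|out)/ && $0 !~ /-m mark/ { print }'
}

# count_unconditional_accepts CHAIN: number of flagged rules, 0 means clean.
count_unconditional_accepts() {
    find_unconditional_accepts "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: audit the bridge chain of the sample ruleset.
echo "vmbr0-FW: $(count_unconditional_accepts vmbr0-FW) unconditional ACCEPT rule(s)"
find_unconditional_accepts vmbr0-FW
```

To audit a live host, replace SAMPLE_RULES with the output of `iptables-save`; the awk filter itself does not depend on the sample.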
