[pve-devel] RFC : iptables implementation
Dietmar Maurer
dietmar at proxmox.com
Wed Jan 22 19:45:41 CET 2014
> I am also concerned about this:
>
> --quote-shorewall-docs--
> As described above, Shorewall bridge support requires the physdev match
> feature of Netfilter/iptables. Physdev match allows rules to be triggered based
> on the bridge port that a packet arrived on and/or the bridge port that a packet
> will be sent over. The latter has proved to be problematic because it requires
> that the evaluation of rules be deferred until the destination bridge port is
> known. This deferral has the unfortunate side effect that it makes IPSEC
> Netfilter filtration incompatible with bridges. To work around this problem, in
> kernel version 2.6.20 the Netfilter developers decided to remove the deferred
> processing in two cases:
>
> When a packet being sent through a bridge entered the firewall on another
> interface and was being forwarded to the bridge.
>
> When a packet originating on the firewall itself is being sent through a bridge.
>
> Notice that physdev match was only weakened with respect to the destination
> bridge port -- it remains fully functional with respect to the source bridge port.
> --end-quote--
>
> I above is right, things will not work as expected.
Oh, I guess that is why you use --physdev-is-bridged?
So we simply accept routed traffic from the host?
More information about the pve-devel
mailing list