[pve-devel] RFC : iptables implementation

Dietmar Maurer dietmar at proxmox.com
Thu Jan 23 07:11:48 CET 2014


> They also add -input rules for outgoing packets from tap. (I think this is
> from tap to host)
> 
> 
> -A INPUT -j proxmoxfw-chain-INPUT
> -A FORWARD -m physdev --physdev-out tap100i0 --physdev-is-bridged -j proxmoxfw-chain
> -A FORWARD -m physdev --physdev-in tap100i0 --physdev-is-bridged -j proxmoxfw-chain
> 
> >> -A proxmoxfw-chain-INPUT -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT

So we can filter from VM to HOST correctly - that conforms to the docs.

But the other direction does not work (HOST to VM).

Maybe no big problem unless the user assigns IP addresses to multiple bridges.
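As an added illustration (not code from the thread or from Proxmox), the following script parses the quoted rule listing and reports, per tap device, which directions actually reach a physdev match: it follows -j jumps from each built-in chain, so the rule inside proxmoxfw-chain-INPUT counts for INPUT. The rule text is a constructed copy of the lines quoted above.

```python
import re

# Constructed copy of the rules quoted in the thread (iptables-save style).
RULES = """
-A INPUT -j proxmoxfw-chain-INPUT
-A FORWARD -m physdev --physdev-out tap100i0 --physdev-is-bridged -j proxmoxfw-chain
-A FORWARD -m physdev --physdev-in tap100i0 --physdev-is-bridged -j proxmoxfw-chain
-A proxmoxfw-chain-INPUT -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT
"""

RULE_RE = re.compile(r"^-A\s+(\S+)(.*?)-j\s+(\S+)\s*$")
OPT_RE = re.compile(r"--(physdev-in|physdev-out)\s+(\S+)")


def parse_rules(text):
    """Turn '-A CHAIN ... -j TARGET' lines into dicts with chain, target and physdev options."""
    parsed = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # not an append rule; ignore
        chain, middle, target = m.groups()
        rule = {"chain": chain, "target": target, "physdev-in": None, "physdev-out": None}
        for key, val in OPT_RE.findall(middle):
            rule[key] = val
        parsed.append(rule)
    return parsed


def reachable_chains(rules, start):
    """All chains reachable from `start` by following -j targets (start included)."""
    seen, todo = set(), [start]
    while todo:
        chain = todo.pop()
        if chain in seen:
            continue
        seen.add(chain)
        todo.extend(r["target"] for r in rules if r["chain"] == chain)
    return seen


def coverage(rules, tap):
    """Which directions for `tap` hit a physdev rule somewhere under each built-in chain.
    OUTPUT (locally generated, host-to-VM) is only reported as present/absent; the thread
    observes that this direction is not filtered by the listing."""
    checks = (("INPUT", "physdev-in", "vm_to_host"),
              ("FORWARD", "physdev-in", "vm_bridged_out"),
              ("FORWARD", "physdev-out", "bridged_in_to_vm"),
              ("OUTPUT", "physdev-out", "host_to_vm"))
    result = {}
    for builtin, key, label in checks:
        chains = reachable_chains(rules, builtin)
        result[label] = any(r["chain"] in chains and r[key] == tap for r in rules)
    return result
```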
