[pve-devel] RFC : iptables implementation
Alexandre DERUMIER
aderumier at odiso.com
Fri Jan 24 04:53:20 CET 2014
>>But they test everything twice that way?
Yes, I don't know why.
Maybe they want to be sure that tap-to-tap filtering is done only on known tap interfaces with the firewall enabled?
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Thursday 23 January 2014 11:01:42
Subject: RE: [pve-devel] RFC : iptables implementation
> By the way, I understand now why they are doing this:
>
> -A proxmoxfw-FORWARD -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tapchains
> -A proxmoxfw-FORWARD -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tapchains
> -A proxmoxfw-FORWARD -m physdev --physdev-out tap115i0 --physdev-is-bridged -j tapchains
> -A proxmoxfw-FORWARD -m physdev --physdev-in tap115i0 --physdev-is-bridged -j tapchains
>
> -A tapchains -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tap110i0-IN
> -A tapchains -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT
> -A tapchains -m physdev --physdev-out tap115i0 --physdev-is-bridged -j tap115i0-IN
> -A tapchains -m physdev --physdev-in tap115i0 --physdev-is-bridged -j tap115i0-OUT
> -A tapchains -j ACCEPT
>
> This is to test rules from the source tap and all target tap rules, and do the accept
> when both have matched.
But they test everything twice that way?
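To make the traversal discussed in this thread concrete, here is a small simulation of how netfilter walks the rule layout quoted above. It is an added example, not Proxmox or pve-firewall code: it models only the `-m physdev --physdev-in/--physdev-out` match, treats `--physdev-is-bridged` as always true, and uses `tap777i0` and `tap999i0` as constructed names for taps that have no firewall chains of their own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed, simplified model of iptables chain traversal (added example,
# not Proxmox code).  Only '-m physdev --physdev-in/--physdev-out' is
# modelled; every frame is assumed bridged, so '--physdev-is-bridged'
# is treated as always true.


@dataclass(frozen=True)
class Packet:
    physdev_in: str   # bridge port the frame came in on (source tap)
    physdev_out: str  # bridge port the frame will leave on (destination tap)


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str       # "ACCEPT", "DROP", "RETURN" or the name of a user chain
    text: str         # the rule in iptables-save syntax, recorded in the trace


def physdev(pkt_in: Optional[str] = None,
            pkt_out: Optional[str] = None) -> Callable[[Packet], bool]:
    """Predicate equivalent to --physdev-in pkt_in and/or --physdev-out pkt_out."""
    return lambda p: ((pkt_in is None or p.physdev_in == pkt_in)
                      and (pkt_out is None or p.physdev_out == pkt_out))


def any_packet(_: Packet) -> bool:
    return True


class Ruleset:
    def __init__(self, forward_policy: str = "DROP") -> None:
        self.chains: Dict[str, List[Rule]] = {}
        self.forward_policy = forward_policy   # verdict when nothing in FORWARD decides

    def add(self, chain: str, rule: Rule) -> None:
        self.chains.setdefault(chain, []).append(rule)

    def _walk(self, pkt: Packet, chain: str, trace: List[str]) -> Optional[str]:
        """Evaluate one chain; return a final verdict, or None to fall through."""
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            trace.append(rule.text)
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self._walk(pkt, rule.target, trace)   # -j <user chain>
            if verdict is not None:
                return verdict          # the user chain decided the packet
        return None                     # end of a user chain acts like RETURN

    def verdict(self, pkt: Packet) -> Tuple[str, List[str]]:
        trace: List[str] = []
        v = self._walk(pkt, "proxmoxfw-FORWARD", trace)
        return (v if v is not None else self.forward_policy), trace


def build_ruleset(taps: List[str], guarded: bool = True) -> Ruleset:
    """Generate the quoted layout for the given taps.  guarded=True keeps the
    per-tap physdev jumps in proxmoxfw-FORWARD; guarded=False replaces them
    with one unconditional jump, to show what the guard buys."""
    rs = Ruleset()
    for tap in taps:
        if guarded:
            rs.add("proxmoxfw-FORWARD", Rule(physdev(pkt_out=tap), "tapchains",
                f"-A proxmoxfw-FORWARD -m physdev --physdev-out {tap} --physdev-is-bridged -j tapchains"))
            rs.add("proxmoxfw-FORWARD", Rule(physdev(pkt_in=tap), "tapchains",
                f"-A proxmoxfw-FORWARD -m physdev --physdev-in {tap} --physdev-is-bridged -j tapchains"))
        rs.add("tapchains", Rule(physdev(pkt_out=tap), f"{tap}-IN",
            f"-A tapchains -m physdev --physdev-out {tap} --physdev-is-bridged -j {tap}-IN"))
        rs.add("tapchains", Rule(physdev(pkt_in=tap), f"{tap}-OUT",
            f"-A tapchains -m physdev --physdev-in {tap} --physdev-is-bridged -j {tap}-OUT"))
        rs.chains.setdefault(f"{tap}-IN", [])    # per-VM chains, left empty here
        rs.chains.setdefault(f"{tap}-OUT", [])
    if not guarded:
        rs.add("proxmoxfw-FORWARD", Rule(any_packet, "tapchains", "-A proxmoxfw-FORWARD -j tapchains"))
    rs.add("tapchains", Rule(any_packet, "ACCEPT", "-A tapchains -j ACCEPT"))
    return rs


def forward_rules_hit(trace: List[str]) -> int:
    """How many proxmoxfw-FORWARD rules actually fired for one packet."""
    return sum(1 for t in trace if t.startswith("-A proxmoxfw-FORWARD"))


if __name__ == "__main__":
    taps = ["tap110i0", "tap115i0"]               # the two taps from the thread
    rs = build_ruleset(taps)
    for pkt in (Packet("tap115i0", "tap110i0"),   # firewalled guest to firewalled guest
                Packet("tap777i0", "tap999i0")):  # constructed names, no chains
        verdict, trace = rs.verdict(pkt)
        print(f"{pkt.physdev_in} -> {pkt.physdev_out}: {verdict}")
        for line in trace:
            print("   ", line)
    print("unguarded:", build_ruleset(taps, guarded=False).verdict(Packet("tap777i0", "tap999i0"))[0])
```

Running it shows two things the rule listing alone does not. For a frame from tap115i0 to tap110i0 only the first matching proxmoxfw-FORWARD jump ever fires: tapchains ends in ACCEPT, so the second physdev rule in proxmoxfw-FORWARD is never reached, which is the "tested twice" redundancy. Inside tapchains the destination's -IN chain and the source's -OUT chain are both consulted before that accept, and a DROP in either one terminates the packet. For a frame between taps that have no chains, the guarded layout falls through to the FORWARD policy, whereas an unconditional jump would accept it via the final `-j ACCEPT` in tapchains; that is the effect of the physdev guard in proxmoxfw-FORWARD.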