[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Fri Jan 24 04:53:20 CET 2014


>>But they test everything twice that way? 

Yes, I don't known why.
maybe they want to be sure that tap to tap filtering is done only on known tap interfaces with firewall enable ?


----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Jeudi 23 Janvier 2014 11:01:42 
Objet: RE: [pve-devel] RFC : iptables implementation 

> By the way, I understand now why they are doing this: 
> 
> -A proxmoxfw-FORWARD -m physdev --physdev-out tap110i0 --physdev-is- 
> bridged -j tapchains 
> -A proxmoxfw-FORWARD -m physdev --physdev-in tap110i0 --physdev-is- 
> bridged -j tapchains 
> -A proxmoxfw-FORWARD -m physdev --physdev-out tap115i0 --physdev-is- 
> bridged -j tapchains 
> -A proxmoxfw-FORWARD -m physdev --physdev-in tap115i0 --physdev-is- 
> bridged -j tapchains 
> 
> 
> -A tapchains -m physdev --physdev-out tap110i0 --physdev-is-bridged -j 
> tap110i0-IN 
> -A tapchains -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0- 
> OUT 
> -A tapchains -m physdev --physdev-out tap115i0 --physdev-is-bridged -j 
> tap115i0-IN 
> -A tapchains -m physdev --physdev-in tap115i0 --physdev-is-bridged -j tap115i0- 
> OUT 
> -A tapchains -J ACCEPT 
> 
> 
> 
> This is to test rules from sources tap and all targets tap rules, and do the accept 
> when both have matched 

But they test everything twice that way? 



More information about the pve-devel mailing list