[pve-devel] [PATCH] add ips feature
Dietmar Maurer
dietmar at proxmox.com
Mon Mar 17 08:23:27 CET 2014
> -----Original Message-----
> From: Alexandre DERUMIER [mailto:aderumier at odiso.com]
> Sent: Monday, 17 March 2014 08:14
> To: Dietmar Maurer
> Cc: pve-devel at pve.proxmox.com
> Subject: Re: [pve-devel] [PATCH] add ips feature
>
> Well, we jump to NFQUEUE in tap chains.
>
> If we ACCEPT at the beginning of forward, we bypass the ips.
> And if we jump to NFQUEUE at the beginning of forward, we go to the ips for all vms
> (I want to enable it per vm).
Ah, OK.
> I just noticed a bug: if sourcevm out (ips:0) -> sourcevm in (ips:1),
>
> it'll do an accept in tap-out and bypass the ips.
>
> I'll rework my patch.
>
> (something like
> PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j IPSCHAIN
>
> IPSCHAIN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j NFQUEUE
> IPSCHAIN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j NFQUEUE
> IPSCHAIN -j ACCEPT
> )
>
> should be faster too
OK
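An added example, not code from this thread or from pve-firewall, that emits the IPSCHAIN layout sketched above as a rule generator driven by per-VM ips flags. It assumes that both physdev-in and physdev-out of an ips-enabled tap are matched, so that a flow from an ips:0 VM into an ips:1 VM is still queued instead of being accepted on the sender's side; the `tapNNNi0:flag` input format and the function name are my own.

```shell
#!/bin/sh
# Emit (do not apply) the iptables rules for a central IPSCHAIN.
# Input: "tapname:ipsflag" pairs, e.g. gen_ips_rules tap100i0:1 tap101i0:0
# Output: one "iptables ..." command per line, in the order to apply them.
gen_ips_rules() {
    echo "iptables -N IPSCHAIN"
    # Only RELATED/ESTABLISHED traffic is diverted to the IPS chain; NEW
    # connections are still filtered by the per-tap chains first.
    echo "iptables -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j IPSCHAIN"
    for entry in "$@"; do
        tap=${entry%%:*}
        flag=${entry#*:}
        [ "$flag" = "1" ] || continue
        # Assumption: match both directions of an ips-enabled tap, so traffic
        # coming from an ips:0 VM into this VM is queued as well as traffic
        # leaving it. --physdev-is-bridged is needed because the packets are
        # bridged, not routed, when they traverse FORWARD.
        for dir in in out; do
            echo "iptables -A IPSCHAIN -m physdev --physdev-$dir $tap --physdev-is-bridged -j NFQUEUE"
        done
    done
    # Everything else (VMs with ips:0) passes without inspection. Note that
    # NFQUEUE drops packets if no userspace IPS is bound to the queue.
    echo "iptables -A IPSCHAIN -j ACCEPT"
}
```

Pipe the output into `sh` on a test host to apply it, or diff it against `iptables-save` to check what the firewall would generate.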