[pve-devel] [PATCH] add ips feature v2

[Dietmar Maurer]

> >>We use '-j ACCEPT' at many places. Each of those calls will bypass the ips?
> >>So shouldn't we replace all occurrences of '-J ACCEPT'?
> 
> I only replace when connection is established for now, but I think we can
> replace the -J ACCEPT in tap-in chains without problem.

We can? Or we 'have to' replace that in order to make ips work?

I would like to have a complete patch before I commit this.