[pve-devel] firewall : question about dhcp option rule
Alexandre DERUMIER
aderumier at odiso.com
Wed Mar 19 12:26:53 CET 2014
I think it should be:
OUT : -p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK;
IN : -p udp -m udp --sport 67 --dport 68 -j ACCEPT;
(is dhcp option, dhcp client ?)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday, March 19, 2014 12:23:36
Subject: RE: [pve-devel] firewall : question about dhcp option rule
> I just noticed that in
>
> ruleset_create_vm_chain{
> ...
> if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
> ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 67:68 -j ACCEPT");
> }
> ..
>
> }
>
>
> we create the rule in both directions, and with an ACCEPT.
>
> is it normal ?
>
> (we should never do an accept in tap-out chain)
I guess you found a bug!
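
The difference between the rule quoted above and the proposed OUT/IN pair, as an added example that is not part of the thread or of the pve-firewall code: a small Python model of the `--sport`/`--dport` tests only, run over constructed sample packets. It assumes OUT means traffic leaving the VM and IN means traffic towards it; the jump targets (ACCEPT versus PVEFW-SET-ACCEPT-MARK) are not modelled.

```python
# Added example: minimal model of the "-m udp --sport/--dport" match, used to
# compare the rule quoted in the thread with the proposed direction-specific pair.
import re

def parse_ports(rule, opt):
    """Return (lo, hi) for --sport/--dport in a rule string, or None if absent."""
    m = re.search(r"--%s (\d+)(?::(\d+))?" % opt, rule)
    if not m:
        return None  # option absent: any port matches
    lo = int(m.group(1))
    return (lo, int(m.group(2)) if m.group(2) else lo)

def matches(rule, sport, dport):
    """True if a UDP packet with these ports passes the rule's port tests."""
    for opt, port in (("sport", sport), ("dport", dport)):
        rng = parse_ports(rule, opt)
        if rng and not (rng[0] <= port <= rng[1]):
            return False
    return True

# Rule strings copied from the thread.
CURRENT_RULE = "-p udp -m udp --dport 67:68 -j ACCEPT"
PROPOSED = {
    "OUT": "-p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK",
    "IN": "-p udp -m udp --sport 67 --dport 68 -j ACCEPT",
}

# Constructed sample packets: (description, direction, sport, dport).
# Assumption: OUT = leaving the VM, IN = towards the VM.
PACKETS = [
    ("client request 68->67", "OUT", 68, 67),
    ("server reply 67->68", "IN", 67, 68),
    ("67->68 leaving the VM", "OUT", 67, 68),
    ("40000->67 leaving the VM", "OUT", 40000, 67),
    ("40000->68 towards the VM", "IN", 40000, 68),
]

def compare():
    """Return {description: (matched_by_current, matched_by_proposed)}."""
    return {
        desc: (matches(CURRENT_RULE, sp, dp), matches(PROPOSED[d], sp, dp))
        for desc, d, sp, dp in PACKETS
    }

if __name__ == "__main__":
    for desc, (cur, new) in compare().items():
        print(f"{desc:28} current={cur!s:5} proposed={new}")
```

The `--dport 67:68` rule matches all five packets, while the proposed pair matches only the client request and the server reply.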