[pve-devel] [PATCH] add ips feature v5
Dietmar Maurer
dietmar at proxmox.com
Wed Mar 19 17:07:00 CET 2014
> for tap-out rules,
> PVEFW-Accept is always used when the connection is already established
> -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept
Why do we still need 'PVEFW-Accept' instead of -j NFQUEUE?
> in tap-in chain,
> I replace -j ACCEPT by -j NFQUEUE when ips is enabled
> and
> -m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE
That is what I want.
> group-in rules always replace ACCEPT by PVEFW-Accept
Maybe we can use the set mark hack here?