[pve-devel] [PATCH] add ips feature v5
Alexandre DERUMIER
aderumier at odiso.com
Wed Mar 19 17:19:53 CET 2014
>>Why do we still need ' PVEFW-Accept' instead of -j NFQUEUE?
in this case:
tap1-out : ACCEPT (ips off) -----> tap2-in : ACCEPT (ips on)
We don't want NFQUEUE always in tap1-out, because ips is off, but we want NFQUEUE if the destination has ips on.
>> group-in rules always replace ACCEPT by PVEFW-Accept
>
>maybe we can use the set mark hack here?
I don't know how to implement this, as a GROUP can do ACCEPT or NFQUEUE, if the group is used by a tap without/with ips.
Maybe do some checks at the beginning of PVE-FORWARD, to see if tap-in has ips enabled, and add a specific mark?
Help is welcome ;)
----- Original Mail -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Wednesday 19 March 2014 17:07:00
Subject: RE: [pve-devel] [PATCH] add ips feature v5
> for tap-out rules,
> PVEFW-Accept is always used when the connection is already established
> -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept
Why do we still need ' PVEFW-Accept' instead of -j NFQUEUE?
> in tap-in chain,
> I replace -j ACCEPT by -j NFQUEUE when ips is enabled
> and
> -m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE
that is what I want.
> group-in rules always replace ACCEPT by PVEFW-Accept
maybe we can use the set mark hack here?
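As an added illustration (not code from the patch or from pve-firewall), the "set mark" variant both mails circle around, written as a small rule generator: a packet is marked at the top of PVEFW-FORWARD only when its destination tap has ips on, so the shared PVEFW-Accept chain can decide between ACCEPT and NFQUEUE without knowing which tap or group jumped to it. The mark value 0x1, the physdev match and the helper names are assumptions.

```shell
#!/bin/sh
# Constructed example of the mark-based approach; chain names follow the
# thread, the mark value and the physdev match are assumptions.
IPS_MARK=0x1

# Shared PVEFW-Accept chain: marked packets go to NFQUEUE, the rest are
# accepted as before. Group rules and the RELATED,ESTABLISHED rule in a
# tap-out chain can keep jumping here unchanged; in the thread's scenario
# (tap1-out ips off -> tap2-in ips on) the mark set for tap2 is what sends
# the packet to NFQUEUE.
gen_pvefw_accept() {
    cat <<EOF
iptables -N PVEFW-Accept
iptables -A PVEFW-Accept -m mark --mark $IPS_MARK/$IPS_MARK -j NFQUEUE
iptables -A PVEFW-Accept -j ACCEPT
EOF
}

# Per-tap marking rule inserted at the top of PVEFW-FORWARD.
# $1 = tap name, $2 = "1" when ips is enabled for that tap (assumed flag).
# The packet mark is per packet, so nothing needs to be cleared afterwards.
gen_forward_mark() {
    tap="$1"; ips="$2"
    if [ "$ips" = "1" ]; then
        echo "iptables -I PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out $tap -j MARK --set-xmark $IPS_MARK/$IPS_MARK"
    fi
}

# Emit the whole rule set for a list of "tap:ipsflag" specs (constructed input).
gen_all() {
    gen_pvefw_accept
    for spec in "$@"; do
        tap="${spec%%:*}"; ips="${spec##*:}"
        gen_forward_mark "$tap" "$ips"
    done
}

# Example run with the thread's scenario: tap1 has ips off, tap2 has ips on.
gen_all tap1i0:0 tap2i0:1
```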