[pve-devel] [PATCH] add ips feature v5

Dietmar Maurer dietmar at proxmox.com
Thu Mar 20 06:55:27 CET 2014


> Not for conntrack
> 
> -N tapXXXi0-OUT
> -A tapXXXi0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
> -A tapXXXi0-OUT -p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK
> -A tapXXXi0-OUT -p tcp -j PVEFW-tcpflags
> -A tapXXXi0-OUT -m conntrack --ctstate INVALID -j DROP
> -A tapXXXi0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   >> HERE
> 

Maybe we can/should replace that with -g PVEFW-SET-ACCEPT-MARK?


