[pve-devel] [PATCH] add ips feature v5
Alexandre DERUMIER
aderumier at odiso.com
Thu Mar 20 08:00:45 CET 2014
Maybe we could add
-A vmbrX-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
at the beginning of vmbrX-OUT?
(and add an optimisation: if no IPS is enabled for the vmbr, do an ACCEPT)
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 20 March 2014 07:43:48
Subject: Re: [pve-devel] [PATCH] add ips feature v5
>> Maybe we can/should replace that with -g PVEFW-SET-ACCEPT-MARK?
Yes, it should work.
But isn't it slower (more taps (in|out) to check) than simply using
-m conntrack --ctstate RELATED,ESTABLISHED -j PVE-Accept at the beginning of FORWARD?
(I think I should do some benchmarks, maybe the difference is not so big with modern processors)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 20 March 2014 06:55:27
Subject: RE: [pve-devel] [PATCH] add ips feature v5
> Not for conntrack
>
> -N tapXXXi0-OUT
> -A tapXXXi0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
> -A tapXXXi0-OUT -p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK
> -A tapXXXi0-OUT -p tcp -j PVEFW-tcpflags
> -A tapXXXi0-OUT -m conntrack --ctstate INVALID -j DROP
> -A tapXXXi0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT >> HERE
>
Maybe we can/should replace that with -g PVEFW-SET-ACCEPT-MARK?
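An added example, not code from the patch or from pve-firewall: it emits the bridge OUT chain in the order proposed at the top of this thread (conntrack short-circuit first, RETURN with IPS and ACCEPT without) and checks an `iptables -S <chain>` listing for that rule; the physdev dispatch to per-tap chains, the chain names and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# gen_vmbr_out_chain BRIDGE IPS_ENABLED(0|1) [TAP...]
# Prints an iptables-restore fragment for BRIDGE-OUT. The first -A rule
# short-circuits RELATED,ESTABLISHED traffic so it never walks the per-tap
# chains: RETURN when IPS is on (the packet still reaches the IPS queue
# later), ACCEPT when IPS is off (the optimisation discussed above).
gen_vmbr_out_chain() {
    bridge=$1; ips=$2; shift 2
    if [ "$ips" = "1" ]; then target=RETURN; else target=ACCEPT; fi
    echo ":${bridge}-OUT - [0:0]"
    echo "-A ${bridge}-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ${target}"
    # Assumed dispatch rule: physdev match on the outgoing tap (not from the page).
    for tap in "$@"; do
        echo "-A ${bridge}-OUT -m physdev --physdev-out ${tap} --physdev-is-bridged -j ${tap}-OUT"
    done
}

# check_conntrack_first LISTING
# LISTING is the text of `iptables -S <chain>`. Succeeds (exit 0) only when the
# first -A rule of the chain is the RELATED,ESTABLISHED short-circuit; a chain
# with no -A rules, or with the conntrack rule further down, fails.
check_conntrack_first() {
    printf '%s\n' "$1" | awk '
        BEGIN { rc = 1 }
        /^-A / { if ($0 ~ /--ctstate RELATED,ESTABLISHED/) rc = 0; exit }
        END { exit rc }'
}

# Constructed listing mirroring the quoted tapXXXi0-OUT chain, where the
# conntrack rule comes last and every earlier rule is evaluated first.
SAMPLE_TAP_LISTING='-N tapXXXi0-OUT
-A tapXXXi0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A tapXXXi0-OUT -p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK
-A tapXXXi0-OUT -p tcp -j PVEFW-tcpflags
-A tapXXXi0-OUT -m conntrack --ctstate INVALID -j DROP
-A tapXXXi0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Usage on a live host would be: check_conntrack_first "$(iptables -S vmbr0-OUT)"
if check_conntrack_first "$SAMPLE_TAP_LISTING"; then
    echo "tapXXXi0-OUT: conntrack short-circuit is first"
else
    echo "tapXXXi0-OUT: conntrack rule is not first, rules above it run for every established packet"
fi
```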