[pve-devel] [PATCH] add ips feature v5

Alexandre DERUMIER aderumier at odiso.com
Thu Mar 20 09:44:55 CET 2014


>>Sorry, I don't get that. What problem does that solve? I thought you want to enable ips per VM? 

I wanted to avoid going into each tap-out device and then -g PVEFW-SET-ACCEPT-MARK, and go directly to vmbr-OUT.

>> -A tapXXXi0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> HERE
>>
>>Maybe we can/should replace that with -g PVEFW-SET-ACCEPT-MARK?

Here is an example:
tap100 : no ips
tap200 : ips

-A PVEFW-FORWARD -o vmbr1 -m physdev --physdev-is-out -j vmbr1-FW
-A PVEFW-FORWARD -i vmbr1 -m physdev --physdev-is-in -j vmbr1-FW
   -A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT
       -A vmbr1-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN (or ACCEPT if no ips in any taps of the bridge)
       -A vmbr1-OUT -m physdev --physdev-in tap100i0 -j tap100i0-OUT
       -A vmbr1-OUT -m physdev --physdev-in tap200i0 -j tap200i0-OUT
-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN
    -A vmbr1-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
    -A vmbr1-IN -m physdev --physdev-out tap200i0 --physdev-is-bridged -j tap200i0-IN
            -A tap200i0-IN -m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE --queue-num 0 --queue-bypass

-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
-A vmbr1-FW -m physdev --physdev-is-out -j ACCEPT
-A vmbr1-FW -m comment --comment "PVESIG:fmNVk/D2Npe3kjrx6hn27VKjdMg"




----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 20 March 2014 08:09:40
Subject: RE: [pve-devel] [PATCH] add ips feature v5

> maybe could we add 
> 
> -A vmbrX-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN 
> 
> at the beginning of vmbrX-OUT ? 

>>Sorry, I don't get that. What problem does that solve? I thought you want to enable ips per VM? 
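The chain layout sketched in the mail above, written out as a small rule generator. This is an added illustration, not part of this patch or of pve-firewall; it assumes PVEFW-FORWARD already exists in the running ruleset and leaves the per-tap OUT chains empty. It makes the one decision the thread is about: the established-flow shortcut at the top of vmbrX-OUT may ACCEPT only when no tap on that bridge runs IPS, and must RETURN otherwise so that IPS-enabled tap chains still get to queue those packets.

```shell
#!/bin/sh
# Added example, not pve-firewall code: print the bridge/tap chain layout from
# the mail in iptables-restore format. Chain names, the mark 0x1 and the
# NFQUEUE parameters are those shown in the mail; PVEFW-FORWARD is assumed to
# exist already, and the per-tap OUT chains are created empty (their per-VM
# rules are out of scope here).
# usage: gen_bridge_rules <bridge> <tap>:<ips 0|1> ...   e.g. tap100i0:0 tap200i0:1
gen_bridge_rules() {
    br=$1; shift
    ct='-m conntrack --ctstate RELATED,ESTABLISHED'
    # The established-flow shortcut at the top of vmbrX-OUT may only ACCEPT
    # when no tap on this bridge runs IPS; otherwise it must RETURN so the
    # tap chains still see those packets and can queue them to the IPS.
    est_target=ACCEPT
    for spec in "$@"; do
        case $spec in *:1) est_target=RETURN ;; esac
    done
    echo '*filter'
    echo ":${br}-FW - [0:0]"; echo ":${br}-IN - [0:0]"; echo ":${br}-OUT - [0:0]"
    for spec in "$@"; do
        tap=${spec%:*}
        echo ":${tap}-IN - [0:0]"; echo ":${tap}-OUT - [0:0]"
    done
    echo "-A PVEFW-FORWARD -o $br -m physdev --physdev-is-out -j ${br}-FW"
    echo "-A PVEFW-FORWARD -i $br -m physdev --physdev-is-in -j ${br}-FW"
    # VM -> bridge direction
    echo "-A ${br}-FW -m physdev --physdev-is-in -j ${br}-OUT"
    echo "-A ${br}-OUT $ct -j $est_target"
    for spec in "$@"; do
        tap=${spec%:*}
        echo "-A ${br}-OUT -m physdev --physdev-in $tap -j ${tap}-OUT"
    done
    # bridge -> VM direction
    echo "-A ${br}-FW -m physdev --physdev-is-out -j ${br}-IN"
    for spec in "$@"; do
        tap=${spec%:*}; ips=${spec#*:}
        echo "-A ${br}-IN -m physdev --physdev-out $tap --physdev-is-bridged -j ${tap}-IN"
        if [ "$ips" = 1 ]; then
            # IPS-enabled tap: established flows are handed to userspace too
            echo "-A ${tap}-IN $ct -j NFQUEUE --queue-num 0 --queue-bypass"
        fi
    done
    echo "-A ${br}-FW -m mark --mark 0x1 -j ACCEPT"
    echo "-A ${br}-FW -m physdev --physdev-is-out -j ACCEPT"
    echo 'COMMIT'
}
```

Check the output with iptables-restore --test before loading it with --noflush, since PVEFW-FORWARD has to be present already.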