[pve-devel] [PATCH] add ips feature v6
    Alexandre DERUMIER 
    aderumier at odiso.com
       
    Fri Mar 21 13:21:08 CET 2014
    
    
  
>>This will overwrite the mark set by the -OUT chain, so this breaks the basic flow? 
I don't think it's a problem; the mark is only used after the -out chain, at the end of vmbr1-FW:
-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT
-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN
-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
So, in the case where no tap-in chain has matched (so it doesn't go into group-in either, and the mark is not overwritten).
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Friday, 21 March 2014 08:09:43
Subject: RE: [pve-devel] [PATCH] add ips feature v6
> group-in rules now also use mark
This will overwrite the mark set by the -OUT chain, so this breaks the basic flow? 
    
    