[pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges

Dietmar Maurer dietmar at proxmox.com
Fri May 9 13:29:12 CEST 2014


> >>This does not work, because it accepts traffic from venet0!
> 
> Ok, I'll check that.

But it seems to work perfectly without that. Maybe we should add other chains for venet-related
traffic:

PVEFW-VENET-IN 
	-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
	-A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags
	-A PVEFW-VENET-IN -i venet0 -s 192.168.3.104 -j venet0-104-OUT

PVEFW-VENET-OUT 
 ...

what do you think?
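As an added illustration of the chain layout proposed above (this is example code, not part of the patch series or of pve-firewall itself), the following script emits the venet chains in iptables-restore format from a constructed list of container IDs and addresses. The PVEFW-VENET-IN rules follow the message; the PVEFW-VENET-OUT chain (matching on `-o venet0 -d <ip>` and jumping to a per-container `-IN` chain), the trailing DROP for unclaimed venet0 traffic, and the container list are assumptions made for the example. The point it makes concrete is that traffic is dispatched per container on interface AND source address, and that anything arriving on venet0 which no container chain claims is not simply accepted.

```shell
#!/bin/sh
# Added example, not from the pve-devel patch: generate the venet filter
# chains sketched in the message as iptables-restore input.

# Constructed sample: "CTID IP" pairs for venet-attached containers.
VENET_CTS="104 192.168.3.104
105 192.168.3.105"

# PVEFW-VENET-IN: sanity checks first (smurfs, bogus TCP flags), then
# dispatch each container's traffic to its own chain keyed on interface
# and source address. The final DROP is an assumption: venet0 traffic that
# matches no container must not fall through to an ACCEPT.
gen_venet_in() {
    printf '%s\n' ':PVEFW-VENET-IN - [0:0]'
    printf '%s\n' '-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs'
    printf '%s\n' '-A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags'
    echo "$VENET_CTS" | while read -r ctid ip; do
        [ -n "$ctid" ] || continue
        printf '%s\n' "-A PVEFW-VENET-IN -i venet0 -s $ip -j venet0-$ctid-OUT"
    done
    printf '%s\n' '-A PVEFW-VENET-IN -i venet0 -j DROP'
}

# PVEFW-VENET-OUT: mirror image for traffic leaving the host towards a
# container (assumed shape; the message elides this chain).
gen_venet_out() {
    printf '%s\n' ':PVEFW-VENET-OUT - [0:0]'
    printf '%s\n' '-A PVEFW-VENET-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs'
    printf '%s\n' '-A PVEFW-VENET-OUT -p tcp -j PVEFW-tcpflags'
    echo "$VENET_CTS" | while read -r ctid ip; do
        [ -n "$ctid" ] || continue
        printf '%s\n' "-A PVEFW-VENET-OUT -o venet0 -d $ip -j venet0-$ctid-IN"
    done
    printf '%s\n' '-A PVEFW-VENET-OUT -o venet0 -j DROP'
}

# Empty per-container chains so the ruleset parses on its own; the real
# firewall would fill these from the container's rule set.
gen_ct_chains() {
    echo "$VENET_CTS" | while read -r ctid ip; do
        [ -n "$ctid" ] || continue
        printf '%s\n' ":venet0-$ctid-IN - [0:0]" ":venet0-$ctid-OUT - [0:0]"
    done
}

# Complete filter table fragment suitable for `iptables-restore --test`.
gen_ruleset() {
    printf '%s\n' '*filter'
    gen_ct_chains
    gen_venet_in
    gen_venet_out
    printf '%s\n' 'COMMIT'
}

# Count how many dispatch rules a generated chain contains (used as a
# quick self-check: one per container, no more).
count_dispatch() {
    gen_venet_in | grep -c -e '-i venet0 -s '
}

gen_ruleset
```

To check the syntax without touching the live ruleset, pipe the output through `iptables-restore --test`; the generated chains reference PVEFW-smurfs and PVEFW-tcpflags, so run it against a host where pve-firewall has already created those.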

