[pve-devel] venet firewall broken?

Alexandre DERUMIER aderumier at odiso.com
Mon May 12 08:12:36 CEST 2014


>>I think so. Maybe it is best to revert the last 10 commits ... 

So, fwbr bridges are pretty useless in this case ?

(I really like the new model with only 1 direction to check; vnet0->vnet0 seems to be the only tricky exception, because the traffic is routed).


I wonder if we couldn't use some create of special mark for

-A PVEFW-FORWARD -o venet0 -i venet0 -m set --match-set PVEFW-venet0 src,dst

(venet0 firewalled->vnet0 firewalled)

then if this mark exists, return instead of accept



----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Monday 12 May 2014 07:58:23 
Subject: RE: venet firewall broken? 

> Ok, so I think if we use RETURN (only for venet0-OUT, doesn't make sense for 
> tap/veth), 
> 
> it should work also with this model 
> 
> But I don't know for group rules (do we need to add mark again everywhere 
> ???) 

I think so. Maybe it is best to revert the last 10 commits ... 
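
The mark-then-RETURN idea sketched in the thread, as an added illustration that is not Proxmox VE code and does not drive iptables. It is a small model of netfilter chain traversal (terminating ACCEPT/DROP, non-terminating MARK, RETURN handing control back to the calling chain) so the difference between the two variants of the venet0->venet0 ipset rule can be seen on a constructed packet. The chain names PVEFW-FORWARD and the PVEFW-venet0 set come from the thread; the venet0-OUT/venet0-IN chain contents, the addresses, the mark value 0x1 and the blocking rule are all constructed for the example, not a description of the real rule set:

```python
"""Toy netfilter chain walker, added here to illustrate the mark-then-RETURN idea.
Not Proxmox VE code; all chain contents and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the PVEFW-venet0 ipset (firewalled venet0 guests).
PVEFW_VENET0 = {"10.0.0.11", "10.0.0.12"}
# Constructed: a hypothetical per-guest rule in the IN chain blocks traffic to .12.
BLOCKED_DST = {"10.0.0.12"}
MARK_VENET_LOCAL = 0x1  # hypothetical mark for routed venet0->venet0 traffic


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    mark: int = 0


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP, RETURN, MARK or a chain to jump to
    in_iface: Optional[str] = None    # -i
    out_iface: Optional[str] = None   # -o
    ipset_src: Optional[set] = None   # -m set --match-set X src
    ipset_dst: Optional[set] = None   # -m set --match-set X dst
    mark: Optional[int] = None        # -m mark --mark N
    set_mark: int = 0                 # value written by the MARK target

    def matches(self, p: Packet) -> bool:
        return ((self.in_iface is None or p.in_iface == self.in_iface)
                and (self.out_iface is None or p.out_iface == self.out_iface)
                and (self.ipset_src is None or p.src in self.ipset_src)
                and (self.ipset_dst is None or p.dst in self.ipset_dst)
                and (self.mark is None or p.mark == self.mark))


def evaluate(chains: dict, name: str, pkt: Packet) -> Optional[str]:
    """Walk chain `name` top to bottom. Returns ACCEPT/DROP for a terminating
    verdict, or None when the chain is exhausted or hits RETURN, in which case
    the calling chain continues with its next rule (netfilter semantics)."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target == "MARK":
            pkt.mark = rule.set_mark   # non-terminating: keep walking
            continue
        if rule.target == "RETURN":
            return None
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = evaluate(chains, rule.target, pkt)  # jump to user chain
        if verdict is not None:
            return verdict
    return None


def build_chains(venet_to_venet_target: str) -> dict:
    """venet_to_venet_target is the target of the
    '-i venet0 -o venet0 -m set --match-set PVEFW-venet0 src,dst' rule:
    "ACCEPT" models the short-circuit, "MARK" models the proposal."""
    return {
        "PVEFW-FORWARD": [
            Rule(venet_to_venet_target, in_iface="venet0", out_iface="venet0",
                 ipset_src=PVEFW_VENET0, ipset_dst=PVEFW_VENET0,
                 set_mark=MARK_VENET_LOCAL),
            Rule("venet0-OUT", out_iface="venet0"),
            Rule("venet0-IN", in_iface="venet0"),
            Rule("DROP"),
        ],
        # Constructed direction chains: OUT returns for marked packets instead of
        # accepting, so a routed venet0->venet0 packet is also checked by IN.
        "venet0-OUT": [Rule("RETURN", mark=MARK_VENET_LOCAL), Rule("ACCEPT")],
        "venet0-IN": [Rule("DROP", ipset_dst=BLOCKED_DST), Rule("ACCEPT")],
    }


def forward_verdict(chains: dict, pkt: Packet) -> str:
    verdict = evaluate(chains, "PVEFW-FORWARD", pkt)
    return verdict if verdict is not None else "POLICY"


if __name__ == "__main__":
    guest_to_guest = ("venet0", "venet0", "10.0.0.11", "10.0.0.12")
    for variant in ("ACCEPT", "MARK"):
        print(variant, forward_verdict(build_chains(variant), Packet(*guest_to_guest)))
```

With the ipset rule set to ACCEPT, the routed guest-to-guest packet is accepted in PVEFW-FORWARD before either direction chain runs; with MARK, venet0-OUT returns on the marked packet and venet0-IN still gets to apply its rules.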


