[pve-devel] venet firewall broken?
Alexandre DERUMIER
aderumier at odiso.com
Mon May 12 08:28:35 CEST 2014
I'll work all the day on it,
I'm pretty sure it can be solved without revert all the work.
I'll keep you in touch.
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday, 12 May 2014 08:12:36
Subject: Re: [pve-devel] venet firewall broken?
>>I think so. Maybe it is best to revert the last 10 commits ...
So, fwbr bridges are pretty useless in this case?
(I really like the new model with only 1 direction to check; venet0->venet0 seems to be the only tricky exception, because the traffic is routed.)
I wonder if we couldn't use some kind of special mark for
-A PVEFW-FORWARD -o venet0 -i venet0 -m set --match-set PVEFW-venet0 src,dst
(venet0 firewalled -> venet0 firewalled)
then, if this mark exists, RETURN instead of ACCEPT.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday, 12 May 2014 07:58:23
Subject: RE: venet firewall broken?
> Ok, so I think if we use RETURN (only for venet0-OUT, it doesn't make sense for
> tap/veth),
>
> it should work also with this model.
>
> But I don't know for group rules (do we need to add the mark again everywhere
> ???)
I think so. Maybe it is best to revert the last 10 commits ...
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
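The mark-then-RETURN idea floated in the thread, written out as an added iptables sketch. This is not pve-firewall's own rule set: the chain names PVEFW-FORWARD and venet0-OUT and the ipset PVEFW-venet0 are taken from the messages above, while the mark bit (0x1/0x1) and the rule ordering are assumptions made here. The script only generates the rules; applying them via iptables-restore is left to the caller so it can be read and tested without root.

```shell
#!/bin/sh
# Sketch of the "mark venet0->venet0 traffic, then RETURN instead of ACCEPT"
# approach. Added example, not pve-firewall code. Names below that come from
# the thread: PVEFW-FORWARD, venet0-OUT, PVEFW-venet0. The mark bit and the
# exact rule layout are assumptions.

# Mark bit used to tag "both ends are firewalled venet0 containers".
# Assumption: this bit is otherwise unused by the surrounding rule set.
VENET_MARK="0x1/0x1"

# Emit the rules as iptables-restore input for the filter table.
venet_mark_rules() {
    cat <<EOF
*filter
:PVEFW-FORWARD - [0:0]
:venet0-OUT - [0:0]
# Routed venet traffic between two firewalled containers enters FORWARD with
# venet0 as both input and output device. Tag it instead of deciding here,
# so that the OUT side can defer to the IN side rules of the destination.
-A PVEFW-FORWARD -i venet0 -o venet0 -m set --match-set PVEFW-venet0 src,dst -j MARK --set-xmark ${VENET_MARK}
# Hand off venet0 traffic to its OUT chain (position relative to other
# PVEFW-FORWARD rules is an assumption).
-A PVEFW-FORWARD -o venet0 -j venet0-OUT
# In the OUT chain: a packet that carries the mark must not be ACCEPTed
# outright, otherwise the destination container's IN rules are never seen.
# RETURN lets evaluation continue in the caller.
-A venet0-OUT -m mark --mark ${VENET_MARK} -j RETURN
# Everything else that the OUT policy allows keeps its normal ACCEPT.
-A venet0-OUT -j ACCEPT
COMMIT
EOF
}

# Count how many emitted rules reference the mark; useful as a sanity check
# that both halves (set in FORWARD, test in OUT) are present.
venet_mark_rule_count() {
    venet_mark_rules | grep -c -- "${VENET_MARK}"
}

# Usage (as root, and only after reviewing the output):
#   venet_mark_rules | iptables-restore --noflush
venet_mark_rules
```

The ipset match `src,dst` against PVEFW-venet0 restricts the mark to flows where both source and destination belong to firewalled venet0 containers, which is the case the thread identifies as the only routed (non-bridged) exception. Group rules that ACCEPT in their own chains would still need the same `-m mark --mark ... -j RETURN` guard, which is the open question Dietmar raises above.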