[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces
Alexandre DERUMIER
aderumier at odiso.com
Tue May 13 10:27:27 CEST 2014
>>OK, you are right!
Note that we can improve the rule by adding -i fwbr+
-- -A PVEFW-FORWARD -m physdev --physdev-in link+
++ -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in link+
because we also have packets from link->vmbr and vmbr->link coming to iptables
(that's also why I have sent a patch to bypass firewall rules for non-firewalled interfaces)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 13 May 2014 10:16:00
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces
> >> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-is-bridged --physdev-out tap+ -j PVEFW-FWBR-IN
> >> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-is-bridged --physdev-in tap+ -j PVEFW-FWBR-OUT
> >>
> >>?
>
> Yes, but for veth interfaces? (extra rules, and veth can be random I think?)
OK, you are right!