[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

Alexandre DERUMIER aderumier at odiso.com
Tue May 13 18:40:52 CEST 2014


venet0->tap
-----------

venet0->vmbr0v94-->fwbr123i0-->tap123i0

May 13 18:38:57 kvmtest1 kernel: FORWARD: IN=venet0 OUT=vmbr0v94 SRC=10.3.94.203 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1664 SEQ=1 
May 13 18:38:57 kvmtest1 kernel: FORWARD: IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=link123p0 PHYSOUT=tap123i0 SRC=10.3.94.203 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1664 SEQ=1 

tap->venet0
-----------
May 13 18:38:57 kvmtest1 kernel: FORWARD: IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=tap123i0 PHYSOUT=link123p0 SRC=10.3.94.201 DST=10.3.94.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=22409 PROTO=ICMP TYPE=0 CODE=0 ID=1664 SEQ=1 
May 13 18:38:57 kvmtest1 kernel: FORWARD: IN=vmbr0v94 OUT=venet0 PHYSIN=link123i0 SRC=10.3.94.201 DST=10.3.94.203 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=22409 PROTO=ICMP TYPE=0 CODE=0 ID=1664 SEQ=1 


so, yes, bad idea ;)

----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, May 13, 2014 18:29:39
Subject: Re: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

>>Why not: 
>> 
>>-A PVEFW-FORWARD -i vmbr+ -j RETURN 
>> 
>>or is this a bad idea? 

I need to verify if we don't have a -i vmbr+ -o venet0 matching rule


----- Original message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, May 13, 2014 18:23:20
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

> Yes, but an important one, because each packet going out from fwbr does
> 
> first iptables lookup 
> ---------------------- 
> tap->fwbr->fwln 
> 
> second iptables lookup 
> ----------------------- 
> fwpr->vmbr->... 
> 
> 
> so, for this second lookup, we'll parse all the main chains. 

Why not: 

-A PVEFW-FORWARD -i vmbr+ -j RETURN 

or is this a bad idea? 
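Added example, not part of the original thread: it applies the iptables `-i` wildcard (a trailing `+` matches any interface name with that prefix) to the IN= fields of the four log lines above, to show which packet the proposed `-i vmbr+ -j RETURN` rule would match. The function names are made up for this example, and the log lines are trimmed copies of the ones in the message.

```python
import re

# Kernel LOG lines from the message above (timestamp/host prefix and the
# length/TTL/ID fields trimmed; interface and address fields unchanged).
LOG_LINES = [
    "FORWARD: IN=venet0 OUT=vmbr0v94 SRC=10.3.94.203 DST=10.3.94.201 PROTO=ICMP TYPE=8",
    "FORWARD: IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=link123p0 PHYSOUT=tap123i0 "
    "SRC=10.3.94.203 DST=10.3.94.201 PROTO=ICMP TYPE=8",
    "FORWARD: IN=fwbr123i0 OUT=fwbr123i0 PHYSIN=tap123i0 PHYSOUT=link123p0 "
    "SRC=10.3.94.201 DST=10.3.94.203 PROTO=ICMP TYPE=0",
    "FORWARD: IN=vmbr0v94 OUT=venet0 PHYSIN=link123i0 "
    "SRC=10.3.94.201 DST=10.3.94.203 PROTO=ICMP TYPE=0",
]

FIELD = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict."""
    return dict(FIELD.findall(line))


def iface_match(pattern, name):
    """iptables -i/-o semantics: a trailing '+' matches any name with that prefix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def matched_by_rule(lines, in_pattern="vmbr+"):
    """(IN, OUT) pairs of logged packets that '-i <in_pattern>' would match."""
    hits = []
    for line in lines:
        fields = parse(line)
        # -i compares against IN= (the bridge device), not PHYSIN= (the bridge port).
        if iface_match(in_pattern, fields.get("IN", "")):
            hits.append((fields["IN"], fields.get("OUT", "")))
    return hits


if __name__ == "__main__":
    for in_if, out_if in matched_by_rule(LOG_LINES):
        print(f"-i vmbr+ -j RETURN would match: IN={in_if} OUT={out_if}")
```

Only the last logged packet matches: the second lookup of the tap->venet0 reply, with IN=vmbr0v94 and OUT=venet0, which is the `-i vmbr+ -o venet0` case raised in the thread.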