[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

Dietmar Maurer dietmar at proxmox.com
Wed May 14 16:56:02 CEST 2014


> so 4 rules for unfirewalled veth|tap traffic.
> for unfirewalled venet0 traffic, we enter PVEFW-VENET-OUT|IN, so I would
> like to find a way to bypass it

OK

> also,
> 
> I don't know if we want to keep
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> for non firewalled vms ?

no opinion (AFAIK you wanted that).

> (do we want to conntrack non firewalled vms ? can improve performance,
> but in case of firewall attack (synflood for example), if conntrack is full, this
> will impact non firewalled vms)

I guess it is better not to touch traffic for non firewalled vms. Do you
want to provide that patch?
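To make the "do not touch non firewalled traffic" idea concrete, here is an added example (not Proxmox code, not part of the thread) in POSIX sh. It emits an iptables-restore style ruleset in which interfaces of guests without a firewall are excluded from connection tracking in the raw table and accepted in PVEFW-FORWARD before the RELATED,ESTABLISHED rule, so a full conntrack table under a synflood only affects firewalled guests. It also includes a check that the ordering is right. The interface names, the raw-table rules and the PVEFW-GUEST-OUT chain are assumptions; only PVEFW-FORWARD and the conntrack rule come from the thread.

```shell
#!/bin/sh
# Added example, not Proxmox code. Generates an iptables-restore style
# ruleset and checks that unfirewalled guests are accepted before any
# conntrack match. Interface names, the raw-table notrack rules and the
# PVEFW-GUEST-OUT chain are assumptions made for this example.

# gen_ruleset "firewalled ifaces" "unfirewalled ifaces" (space separated)
gen_ruleset() {
    fw=$1
    nofw=$2

    echo '*raw'
    for i in $nofw; do
        # Guest-originated traffic of unfirewalled guests never enters
        # conntrack, so it cannot be affected by a full conntrack table.
        # (Assumed rule; return traffic would need a matching rule.)
        echo "-A PREROUTING -i $i -j CT --notrack"
    done
    echo 'COMMIT'

    echo '*filter'
    echo ':PVEFW-FORWARD - [0:0]'
    echo ':PVEFW-GUEST-OUT - [0:0]'
    echo '-A FORWARD -j PVEFW-FORWARD'
    for i in $nofw; do
        # Accept unfirewalled guest traffic before any conntrack match.
        echo "-A PVEFW-FORWARD -i $i -j ACCEPT"
        echo "-A PVEFW-FORWARD -o $i -j ACCEPT"
    done
    # Only firewalled guests pay for the conntrack lookup (rule from the thread).
    echo '-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for i in $fw; do
        # Hypothetical per-guest chain for new connections of firewalled guests.
        echo "-A PVEFW-FORWARD -i $i -m conntrack --ctstate NEW -j PVEFW-GUEST-OUT"
    done
    echo 'COMMIT'
}

# check_order RULESET: returns 0 if every unfirewalled ACCEPT rule in
# PVEFW-FORWARD precedes the RELATED,ESTABLISHED conntrack rule, 1 otherwise.
check_order() {
    ruleset=$1
    ct=$(printf '%s\n' "$ruleset" | grep -n -- '--ctstate RELATED,ESTABLISHED' \
        | head -n 1 | cut -d: -f1)
    last=$(printf '%s\n' "$ruleset" | grep -n -- 'PVEFW-FORWARD -[io] .* -j ACCEPT$' \
        | tail -n 1 | cut -d: -f1)
    [ -n "$ct" ] && [ -n "$last" ] && [ "$last" -lt "$ct" ]
}

# Stand-alone usage: print a ruleset for constructed interface names.
gen_ruleset "${1:-tap100i0}" "${2:-tap101i0 tap102i0}"
```

The raw-table `CT --notrack` rule is what actually keeps unfirewalled traffic out of the conntrack table; the ordering in PVEFW-FORWARD only avoids the lookup. `check_order` is a cheap way to catch a regression where a later patch moves the conntrack rule above the early ACCEPTs.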
