[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces
Dietmar Maurer
dietmar at proxmox.com
Wed May 14 16:56:02 CEST 2014
> so 4 rules for unfirewalled veth|tap traffic.
> for unfirewalled venet0 traffic, we enter PVEFW-VENET-OUT|IN, so I would
> like to find a way to bypass it
OK
> also,
>
> I don't know if we want to keep
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> for non firewalled vms ?
no opinion (AFAIK you wanted that).
> (do we want to conntrack non firewalled vms ? can improve performance,
> but in case of firewall attack (synflood for example), if conntrack is full, this
> will impact non firewalled vms)
I guess it is better not to touch traffic for non firewalled vms. Do you
want to provide that patch?
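As an added illustration of the concern in the exchange above (this is a small model written for this page, not code from the thread or from pve-firewall), the block below simulates a conntrack table of fixed size: a SYN flood aimed at a firewalled VM fills it, after which a new connection from a non-firewalled VM is dropped if its packets still pass the conntrack match, and forwarded if that VM's interface is excluded from tracking. The interface names, addresses and table size are constructed; `vm_iface` simply labels which VM a packet belongs to, abstracting how iptables identifies it.

```python
"""Model of conntrack table exhaustion and its effect on non-firewalled VMs.
Constructed example: names, addresses and limits are made up for illustration."""
from collections import namedtuple

# vm_iface: the VM-side interface the packet is attributed to (constructed label)
Packet = namedtuple("Packet", "vm_iface src dst")


class ConntrackModel:
    def __init__(self, max_entries, untracked_ifaces=()):
        self.max_entries = max_entries          # models nf_conntrack_max
        self.table = set()                      # tracked flows (src, dst)
        self.untracked = set(untracked_ifaces)  # VMs whose traffic is never tracked
        self.dropped = []

    def forward(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt.vm_iface in self.untracked:
            return True                         # bypasses the conntrack rule entirely
        flow = (pkt.src, pkt.dst)
        if flow in self.table:
            return True                         # RELATED,ESTABLISHED -> ACCEPT
        if len(self.table) >= self.max_entries:
            self.dropped.append(pkt)            # table full: new flow is dropped
            return False
        self.table.add(flow)                    # NEW flow gets an entry
        return True


def run_scenario(untracked_ifaces=()):
    """Flood the table via firewalled VM 100, then open a flow from VM 101.
    Returns (vm101_forwarded, table_size, packets_dropped)."""
    ct = ConntrackModel(max_entries=1000, untracked_ifaces=untracked_ifaces)
    # SYN flood: 1500 distinct spoofed flows against the firewalled VM 100.
    for i in range(1500):
        ct.forward(Packet("tap100i0", f"198.51.100.{i % 254}:{40000 + i}", "10.0.0.100:80"))
    # Non-firewalled VM 101 opens a fresh connection after the flood.
    ok = ct.forward(Packet("tap101i0", "10.0.0.101:51234", "10.0.0.5:443"))
    return ok, len(ct.table), len(ct.dropped)


if __name__ == "__main__":
    print("VM 101 tracked:  ", run_scenario())
    print("VM 101 untracked:", run_scenario(untracked_ifaces=("tap101i0",)))
```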