[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces
Dietmar Maurer
dietmar at proxmox.com
Thu May 15 06:01:54 CEST 2014
> > -A PVEFW-FORWARD -i venet0 -j PVEFW-VENET-OUT
> > -A PVEFW-VENET-OUT -m set --match-set PVEFW-venet0-ipset src -j RETURN
> > -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
> > -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
> > -A PVEFW-FORWARD -o venet0 -j PVEFW-VENET-IN
> > -A PVEFW-VENET-IN -m set --match-set PVEFW-venet0-ipset dst -j RETURN
> >
> > Like this, we do the lookup in the PVEFW-venet0 ipset only for venet0 traffic,
> > to know if it's firewalled or not.
>
> Is that different than this?
>
> -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0-ipset src -j PVEFW-VENET-OUT
>
> If so, why?
I am confused because I thought netfilter will not evaluate '--match-set' if '-i venet'
does not match. So we will not gain any performance?