[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

Dietmar Maurer dietmar at proxmox.com
Thu May 15 06:40:20 CEST 2014


> > a small difference:
> >
> > 1)
> > -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0-ipset src -j PVEFW-VENET-OUT
> >
> > all unfirewalled packets (fwpr+->vmbr+) for example, will lookup
> > inside the ipset PVEFW-venet0-ipset
> 
> 
> Why? There is no need to do the lookup if '-i venet0' fails.

Or do you think kernel/netfilter will do this lookup unconditionally/always?



