[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces
Alexandre DERUMIER
aderumier at odiso.com
Thu May 15 07:04:25 CEST 2014
>> Why? There is no need to do the lookup if '-i venet0' fails.
>>
>> Or do you think kernel/netfilter will do this lookup unconditionally/always?
I'm not sure, but I think it's doing both tests (-i vnet0 && -m set --match-set PVEFW-venet0-ipset src).
But I'm not an iptables expert; maybe they have already optimized this ;)
----- Original Mail -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday, 15 May 2014 06:40:20
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces
> > a small difference:
> >
> > 1)
> > -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0-ipset src
> > -j PVEFW-VENET-OUT
> >
> > all unfirewalled packets (fwpr+->vmbr+) for example, will lookup
> > inside the ipset PVEFW-venet0-ipset
>
>
> Why? There is no need to do the lookup if '-i venet0' fails.
Or do you think kernel/netfilter will do this lookup unconditionally/always?
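The question in the thread is whether a packet that fails `-i venet0` still pays for the `-m set` lookup. The following is an added example, not code from the thread or from Proxmox: a small Python model of how the kernel's ipt_do_table() walks a rule, written from my reading of ip_tables.c. The built-in interface match is evaluated in ip_packet_match() before any extension match, and extension matches run in order and stop at the first one that fails, so a packet arriving on an fwpr+ port skips the ipset entirely, as Dietmar expects. The parser only covers the rule syntax quoted in the thread; the ipset contents and the packets are constructed for the demonstration.

```python
"""Model of netfilter rule evaluation order for the rule quoted in the thread.

Added example; it mimics ipt_do_table(): built-in matches (-i) first, then
extension matches (-m set) left to right, short-circuiting on first failure.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str        # source address


@dataclass
class Rule:
    in_iface: Optional[str] = None   # -i value; trailing '+' is a prefix wildcard
    ipset: Optional[str] = None      # --match-set name
    target: Optional[str] = None     # -j target


def parse_rule(text: str) -> Rule:
    """Parse the subset of iptables syntax used in the thread (-A, -i, -m set, -j)."""
    toks = shlex.split(text)
    rule = Rule()
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":                         # chain name is irrelevant to the model
            i += 2
            continue
        if t == "-i":
            rule.in_iface = toks[i + 1]
            i += 2
            continue
        if t == "-m" and toks[i + 1] == "set":
            if toks[i + 2] != "--match-set":
                raise ValueError("expected --match-set after -m set")
            rule.ipset = toks[i + 3]          # toks[i + 4] is the flag list, e.g. 'src'
            i += 5
            continue
        if t == "-j":
            rule.target = toks[i + 1]
            i += 2
            continue
        raise ValueError(f"unsupported token {t!r}")
    return rule


def iface_matches(pattern: str, name: str) -> bool:
    """iptables interface matching: 'fwpr+' matches any name starting with 'fwpr'."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


class Ruleset:
    def __init__(self, rules: List[str], ipsets: Dict[str, Set[str]]):
        self.rules = [parse_rule(r) for r in rules]
        self.ipsets = ipsets
        self.ipset_lookups = 0   # how many times the set was actually consulted

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            # Built-in matches (ip_packet_match in ip_tables.c): on failure the
            # kernel moves to the next rule without running extension matches.
            if rule.in_iface and not iface_matches(rule.in_iface, pkt.in_iface):
                continue
            # Extension matches run in order and stop at the first failure.
            if rule.ipset:
                self.ipset_lookups += 1
                if pkt.src not in self.ipsets[rule.ipset]:
                    continue
            return rule.target or "POLICY"
        return "POLICY"   # chain policy / fall-through


def demo() -> Dict[str, object]:
    """Walk three constructed packets through the rule quoted in the thread."""
    rs = Ruleset(
        ["-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0-ipset src"
         " -j PVEFW-VENET-OUT"],
        {"PVEFW-venet0-ipset": {"10.0.0.5"}},   # constructed set contents
    )
    results: Dict[str, object] = {}
    results["venet0_in_set"] = rs.evaluate(Packet("venet0", "10.0.0.5"))
    results["venet0_not_in_set"] = rs.evaluate(Packet("venet0", "10.0.0.9"))
    results["fwpr_bridge_port"] = rs.evaluate(Packet("fwpr100p0", "10.0.0.5"))
    results["ipset_lookups"] = rs.ipset_lookups   # only the two venet0 packets
    return results


if __name__ == "__main__":
    print(demo())
```

Running it shows the ipset consulted exactly twice: once for each venet0 packet, and never for the packet from the fwpr+ port, because the interface match already failed for that rule.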