[pve-devel] broken system / pve-firewall

Dietmar Maurer dietmar at proxmox.com
Mon Mar 20 06:19:01 CET 2017


> On 19.03.2017 at 21:42, Dietmar Maurer wrote:
> >> To me the main question is why does pve-cluster provide a default of 0
> >> which disables iptables for bridges and makes pve-firewall useless for
> >> linux bridges.
> > 
> > AFAIR this is for performance reasons ...
> 
> sure but pve-firewall isn't working in that case?

If you set that flag, all traffic on the bridge is sent to the NF queue.
You don't want that if you don't filter traffic, because it just slows
down traffic without any gain.

But if the firewall is active, we set that flag. The question is
who/what removes the flag?



