[PVE-User] ipfilter functionality

Mark Schouten mark at tuxis.nl
Fri Apr 13 11:18:07 CEST 2018

On Fri, 2018-04-13 at 11:11 +0200, Wolfgang Bumiller wrote:
> For simple connections this works, but then you also break multicast
> traffic unless you add all multicast IPs to the ipfilter as well. The
> real solution would be to move the conntrack rules from PVEFW-FORWARD
> into tap/veth${vmid}i* to below the ipfilter.

True. But moving the conntrack rules to every individual chain extends
the ruleset, a lot. Multicast addresses are pretty much limited to
two(?) subnets, which could be added to an already existing ipset,
which the kernel already visits.

I'm no kernel guru, I have the feeling that increasing the ruleset is
more resourcehungry.

Either way, it would be great if this would be fixed!

Kerio Operator in de Cloud? https://www.kerioindecloud.nl/
Mark Schouten  | Tuxis Internet Engineering
KvK: 61527076  | http://www.tuxis.nl/
T: 0318 200208 | info at tuxis.nl

More information about the pve-user mailing list