[PVE-User] ipfilter functionality
Mark Schouten
mark at tuxis.nl
Fri Apr 13 11:18:07 CEST 2018
On Fri, 2018-04-13 at 11:11 +0200, Wolfgang Bumiller wrote:
> For simple connections this works, but then you also break multicast
> traffic unless you add all multicast IPs to the ipfilter as well. The
> real solution would be to move the conntrack rules from PVEFW-FORWARD
> into tap/veth${vmid}i* to below the ipfilter.
True. But moving the conntrack rules to every individual chain extends
the ruleset, a lot. Multicast addresses are pretty much limited to
two(?) subnets, which could be added to an already existing ipset,
which the kernel already visits.
I'm no kernel guru, but I have the feeling that increasing the ruleset is
more resource hungry.
Either way, it would be great if this would be fixed!
--
Kerio Operator in de Cloud? https://www.kerioindecloud.nl/
Mark Schouten | Tuxis Internet Engineering
KvK: 61527076 | http://www.tuxis.nl/
T: 0318 200208 | info at tuxis.nl
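To make the ordering question concrete, here is an added example (not from this thread and not pve-firewall code) that models iptables chain traversal for the two layouts being discussed: the conntrack ACCEPT in PVEFW-FORWARD ahead of the per-interface ipfilter, versus the same rule moved into the tap chain below the ipfilter. Assumed for the model: VM id 100 with chain tap100i0-IN, an inbound ipfilter that drops destinations not in the ipset, a default DROP policy at the end of the tap chain, and Mark's "two subnets" taken to be 224.0.0.0/4 and ff00::/8.

```python
# Added example: toy model of netfilter chain traversal, not the real pve-firewall ruleset.
# A terminal target (ACCEPT/DROP) ends evaluation; a jump into a user chain that
# falls through returns None and evaluation continues in the calling chain.
import ipaddress

# Assumption: the "two subnets" are the IPv4 and IPv6 multicast ranges.
MULTICAST = ["224.0.0.0/4", "ff00::/8"]

def in_set(addr, ipset):
    """ipset-style membership test over a list of CIDR strings."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ipset)

def walk(chain, pkt, chains, ipset):
    for match, target in chains[chain]:
        if not match(pkt, ipset):
            continue
        if target in chains:                      # -j <user chain>
            verdict = walk(target, pkt, chains, ipset)
            if verdict is not None:
                return verdict
        else:                                     # terminal target
            return target
    return None                                   # fell off the end of the chain

# Hypothetical match helpers standing in for the iptables matches involved.
conntrack = lambda p, s: p["state"] in ("ESTABLISHED", "RELATED")   # -m conntrack --ctstate
to_vm     = lambda p, s: p["iface"] == "tap100i0"                   # -o tap100i0
ipfilter  = lambda p, s: not in_set(p["dst"], s)                    # assumption: inbound ipfilter checks dst
anything  = lambda p, s: True

# Layout as described in the thread: conntrack ACCEPT lives in PVEFW-FORWARD,
# so an already-tracked flow never reaches the per-interface ipfilter.
CURRENT = {
    "PVEFW-FORWARD": [(conntrack, "ACCEPT"), (to_vm, "tap100i0-IN")],
    "tap100i0-IN":   [(ipfilter, "DROP"), (anything, "DROP")],      # last rule: default policy_in DROP
}
# Proposed layout: the conntrack rule moved into tap100i0-IN, below the ipfilter.
PROPOSED = {
    "PVEFW-FORWARD": [(to_vm, "tap100i0-IN")],
    "tap100i0-IN":   [(ipfilter, "DROP"), (conntrack, "ACCEPT"), (anything, "DROP")],
}

def verdict(layout, pkt, ipset):
    """Final verdict for a packet entering PVEFW-FORWARD, or None if it falls through."""
    return walk("PVEFW-FORWARD", pkt, layout, ipset)

if __name__ == "__main__":
    # Constructed packet: tracked flow to an address the VM's ipfilter does not list.
    stray = {"iface": "tap100i0", "dst": "10.0.0.99", "state": "ESTABLISHED"}
    print("current:", verdict(CURRENT, stray, ["10.0.0.5"]), "proposed:", verdict(PROPOSED, stray, ["10.0.0.5"]))
```

Running it shows the tracked flow to a non-listed address accepted under the current layout and dropped under the proposed one, and a multicast destination only passing the proposed layout once the multicast ranges are added to the set.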