> this is bad, because if you need to firewall tap1i0-OUT -> tap2-IN, it'll do an
> ACCEPT in group chain, and bypass tap2 inbound rules.

I wonder if we can use --mark to simplify the whole thing? Maybe use

-j MARK --set-mark 1

to mark packets which should be ACCEPTED? Does that help?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
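The two chain layouts under discussion, written out as iptables-restore rule sets so the difference is concrete. This is an added example, not code from the thread or from the Proxmox firewall; the chain names (GROUP-web, tap1i0-OUT, tap2i0-IN), the interface names and the port 80 rules are assumptions chosen for illustration. In the first layout the group chain ACCEPTs, so a packet from tap1i0 is accepted in FORWARD before tap2i0-IN is ever consulted. In the second the group chain only sets mark 1 (MARK is non-terminating, so traversal continues), every per-interface chain still runs, and the only ACCEPT is the final mark check in FORWARD, so tap2i0-IN can still DROP a packet the group chain wanted to allow.

```shell
#!/bin/sh
# Added example for the pve-devel discussion above (not project code).
# Chain names, interface names and the port-80 rules are assumptions.

# Layout 1: ACCEPT inside the group chain.
# Path for tcp/80 from tap1i0 to tap2i0:
#   FORWARD -> tap1i0-OUT -> GROUP-web -> ACCEPT   (tap2i0-IN never runs)
accept_in_group_rules() {
  cat <<'EOF'
*filter
:FORWARD DROP [0:0]
:GROUP-web - [0:0]
:tap1i0-OUT - [0:0]
:tap2i0-IN - [0:0]
-A FORWARD -i tap1i0 -j tap1i0-OUT
-A FORWARD -o tap2i0 -j tap2i0-IN
-A tap1i0-OUT -j GROUP-web
-A GROUP-web -p tcp --dport 80 -j ACCEPT
-A tap2i0-IN -p tcp --dport 80 -j DROP
COMMIT
EOF
}

# Layout 2: the group chain only marks; ACCEPT happens once, at the end of
# FORWARD, after both per-interface chains have had their say.
# Path for the same packet:
#   FORWARD -> tap1i0-OUT -> GROUP-web (mark 1, continue)
#           -> tap2i0-IN -> DROP                      (inbound rules honoured)
mark_based_rules() {
  cat <<'EOF'
*filter
:FORWARD DROP [0:0]
:GROUP-web - [0:0]
:tap1i0-OUT - [0:0]
:tap2i0-IN - [0:0]
-A FORWARD -i tap1i0 -j tap1i0-OUT
-A FORWARD -o tap2i0 -j tap2i0-IN
-A FORWARD -m mark --mark 1 -j ACCEPT
-A tap1i0-OUT -j GROUP-web
-A GROUP-web -p tcp --dport 80 -j MARK --set-mark 1
-A tap2i0-IN -p tcp --dport 80 -j DROP
COMMIT
EOF
}

# Audit helper: count ACCEPT rules that live anywhere other than the FORWARD
# chain itself. Any such rule can short-circuit chains that run later.
accepts_outside_forward() {
  grep -v '^-A FORWARD' | grep -c -- '-j ACCEPT' || true
}

# Stand-alone use: print the audit result for both layouts.
if [ "${1:-}" = "audit" ]; then
  echo "accept-in-group layout: $(accept_in_group_rules | accepts_outside_forward) early ACCEPT(s)"
  echo "mark-based layout:      $(mark_based_rules | accepts_outside_forward) early ACCEPT(s)"
fi
```

Load either set with `iptables-restore --test` first to syntax-check it. The audit function is the check worth keeping around: a ruleset built on marks should report zero ACCEPTs outside FORWARD, and a non-zero count points at exactly the kind of rule the quoted message warns about. On bridged Proxmox ports the `-i`/`-o` matches would be `-m physdev --physdev-in`/`--physdev-out` instead; that does not change the chain logic.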