>> I thought we can simply goto a special chain (instead of ACCEPT).
>>
>> GROUP-security2 chain:
>> -A GROUP-security2 -p ssh -g PVE_SPECIAL_ACCEPT
>> ...
>>
>> PVE_SPECIAL_ACCEPT chain:
>> -A PVE_SPECIAL_ACCEPT -j MARK --set-mark 1
>>
>> Do you think that will work?

Not sure: you do a goto to PVE_SPECIAL_ACCEPT, so it's finished in PVE_SPECIAL_ACCEPT. But how do you go into vmbrX-IN to check the destination inbound rules?

----- Original message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Wednesday 19 February 2014 06:39:17
Subject: RE: [pve-devel] pvefw security group question

> I have thought about it, it's a little bit more complex: we need to check the
> mark after each mark, to be sure to exit the chain, as if we have a DROP rule
> after, it'll not work.

I thought we can simply goto a special chain (instead of ACCEPT).

GROUP-security2 chain:
-A GROUP-security2 -p ssh -g PVE_SPECIAL_ACCEPT
...

PVE_SPECIAL_ACCEPT chain:
-A PVE_SPECIAL_ACCEPT -j MARK --set-mark 1

Do you think that will work?

> Also we need to reset the mark in the IN chain, because group rules use
> the same mark

yes

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
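The chain layout discussed in the thread (a group chain that uses `-g` to enter a chain that only sets a mark, with the mark reset in the IN chain) can be modelled without a live netfilter. The block below is an added example written for this page; it is not Proxmox firewall code and not code from either poster. It simulates the `-j` / `-g` / `RETURN` semantics documented in iptables-extensions(8) (a target entered with `-g` returns to the chain that called the goto-ing chain via `-j`, not to the goto-ing chain itself), uses the chain names from the thread, writes the thread's `-p ssh` as tcp/22, and assumes a later catch-all `-p tcp -j DROP` rule in the group plus a `-m mark --mark 1 -j ACCEPT` rule in vmbrX-IN; those filler rules and the vmbrX-IN layout are assumptions made for the example.

```python
"""Model of iptables chain traversal: -j vs -g, MARK target, mark match.

Added illustration for the pve-devel thread; not Proxmox firewall code.
Only the chain names come from the thread; the matches, the filler DROP
rule and the vmbrX-IN layout are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    dport: int
    mark: int = 0  # nfmark: written by MARK --set-mark, persists across chains


@dataclass
class Rule:
    match: Callable[[Packet], bool]  # stands in for "-p tcp --dport 22", "-m mark --mark 1", ...
    target: str                      # ACCEPT, DROP, RETURN, MARK, or a user-defined chain
    goto: bool = False               # True models -g, False models -j
    set_mark: int = 0                # value for MARK --set-mark


TERMINAL = ("ACCEPT", "DROP")


def walk(rules: Dict[str, List[Rule]], chain: str, pkt: Packet, trace: List[str]) -> Optional[str]:
    """Evaluate one chain; return ACCEPT/DROP, or None for RETURN / fall-through."""
    for rule in rules[chain]:
        if not rule.match(pkt):
            continue
        t = rule.target
        if t == "MARK":
            pkt.mark = rule.set_mark
            trace.append(f"{chain}: MARK --set-mark {pkt.mark}")
        elif t == "RETURN":
            trace.append(f"{chain}: RETURN")
            return None
        elif t in TERMINAL:
            trace.append(f"{chain}: {t}")
            return t
        else:
            trace.append(f"{chain}: {'-g' if rule.goto else '-j'} {t}")
            verdict = walk(rules, t, pkt, trace)
            # -j: None from the sub-chain resumes here at the next rule.
            # -g: this chain is finished either way (iptables-extensions(8)):
            #     hand the verdict, or the implicit RETURN, back to the chain
            #     that entered us via -j, skipping our remaining rules.
            if verdict is not None or rule.goto:
                return verdict
    return None


def any_pkt(_p: Packet) -> bool:
    return True


def tcp(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "tcp" and p.dport == port


def mark_is(value: int) -> Callable[[Packet], bool]:
    return lambda p: p.mark == value


def build_rules(use_goto: bool, reset_mark: bool) -> Dict[str, List[Rule]]:
    """Assumed layout: vmbrX-IN resets the mark, runs the group, then acts on the mark."""
    vmbr_in = [Rule(any_pkt, "MARK", set_mark=0)] if reset_mark else []
    vmbr_in += [
        Rule(any_pkt, "GROUP-security2"),
        Rule(mark_is(1), "ACCEPT"),  # "-m mark --mark 1 -j ACCEPT", right after the group returns
    ]
    return {
        "vmbrX-IN": vmbr_in,
        "GROUP-security2": [
            Rule(tcp(22), "PVE_SPECIAL_ACCEPT", goto=use_goto),  # thread's "-p ssh", as tcp/22
            Rule(lambda p: p.proto == "tcp", "DROP"),  # assumed later DROP rule in the group
        ],
        "PVE_SPECIAL_ACCEPT": [Rule(any_pkt, "MARK", set_mark=1)],
    }


def evaluate(proto: str, dport: int, use_goto: bool = True, reset_mark: bool = True,
             stale_mark: int = 0, policy: str = "DROP") -> Tuple[str, List[str]]:
    """Run one packet through vmbrX-IN; stale_mark models a mark left by an earlier rule."""
    pkt = Packet(proto, dport, mark=stale_mark)
    trace: List[str] = []
    verdict = walk(build_rules(use_goto, reset_mark), "vmbrX-IN", pkt, trace)
    if verdict is None:
        trace.append(f"vmbrX-IN: chain policy {policy}")
        verdict = policy
    return verdict, trace


if __name__ == "__main__":
    cases = [
        ("ssh, group rule uses -g", dict(proto="tcp", dport=22)),
        ("ssh, group rule uses -j", dict(proto="tcp", dport=22, use_goto=False)),
        ("udp/53 with stale mark 1, no reset", dict(proto="udp", dport=53, stale_mark=1, reset_mark=False)),
    ]
    for label, kwargs in cases:
        verdict, trace = evaluate(**kwargs)
        print(f"{label}: {verdict}")
        for step in trace:
            print("   ", step)
```

Running it shows the three behaviours the thread is circling around. With `-g`, control leaves PVE_SPECIAL_ACCEPT straight back into vmbrX-IN at the rule after `-j GROUP-security2`, the remaining DROP in the group is never consulted, and a `-m mark --mark 1` rule placed there sees the mark. With `-j` in the group rule instead, processing resumes inside GROUP-security2 after the mark is set and the later DROP fires, which is the failure Alexandre describes. Without the reset rule at the top of vmbrX-IN, a packet that arrives carrying a stale mark 1 from an earlier rule is accepted although no group rule matched it, which is why the reset Dietmar agrees to is needed when groups share the mark value.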
