> > > -A tap110i0-OUT -j GROUP-security1-OUT
> > > -A GROUP-security1-OUT -j MARK --set-xmark 0x0/0xffffffff
> > > -A GROUP-security1-OUT -p icmp -g PVEFW-SET-ACCEPT-MARK
> > > -A GROUP-security1-OUT -p tcp -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
> > > -A GROUP-security1-OUT -m comment --comment "PVESIG:H5gNFciXSlxFB/xpDqyG9l5+v6M"
> > >
> > > -A tap110i0-OUT -m mark --mark 0x1 -g vmbr1-IN
> > >
> > > we do a goto to PVEFW-SET-ACCEPT-MARK, but how can this return to TAP
> > > chain ?
> > this is called from vmbrX-OUT, so it directly returns to that chain.
>
> I thought there was no need to return to tap110i0-OUT ?
> (I haven't tested it yet)
>
> I think we should do something like this:
>
> -A tap110i0-OUT -j GROUP-security1-OUT
> -A GROUP-security1-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A GROUP-security1-OUT -p icmp -j PVEFW-SET-ACCEPT-MARK
> -A GROUP-security1-OUT -m mark --mark 0x1 -j RETURN
> -A GROUP-security1-OUT -p tcp -m tcp --dport 22 -j PVEFW-SET-ACCEPT-MARK
> -A GROUP-security1-OUT -m mark --mark 0x1 -j RETURN
> -A GROUP-security1-OUT -m comment --comment "PVESIG:H5gNFciXSlxFB/xpDqyG9l5+v6M"
>
> -A tap110i0-OUT -m mark --mark 0x1 -g vmbr1-IN

This is clumsy, but does exactly the same as my code - or what is the difference?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
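The thread turns on where control resumes after a `-g` (goto) target chain returns. The following is an added example, not code from the thread or from pve-firewall: a small Python evaluator of the iptables `-j` / `-g` / `RETURN` / `MARK` semantics, run over the original GROUP-security1-OUT chain and the proposed rewrite with constructed icmp, tcp/22 and tcp/80 packets. Everything not shown in the thread is an assumption made for the example: PVEFW-SET-ACCEPT-MARK is modelled as a single `MARK --set-mark 0x1` rule that falls off its end, vmbr1-IN is modelled as `-j ACCEPT` so there is a final verdict, `--set-xmark 0x0/0xffffffff` is modelled as setting the mark to 0, and the third variant (tap chain using `-g` for the group chain) is added only to show the failure mode the question worries about.

```python
"""Toy evaluator for iptables chain traversal: -j, -g (goto), RETURN, MARK.

Added example, not code from the pve-devel thread or from pve-firewall.
Assumed (standard iptables) semantics: a '-j CHAIN' rule pushes a return
point, so RETURN or falling off the end of CHAIN resumes at the next rule
of the caller; a '-g CHAIN' rule pushes nothing, so a RETURN out of CHAIN
resumes in whichever chain last *jumped* (-j) into the chain that did the
goto. PVEFW-SET-ACCEPT-MARK and vmbr1-IN bodies are assumptions (see
COMMON below); they are not shown in the thread.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Packet:
    proto: str            # "icmp" or "tcp"
    dport: int = 0
    mark: int = 0         # nfmark carried by the packet


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                 # chain name, or RETURN / ACCEPT / DROP / MARK
    goto: bool = False          # True for -g, False for -j
    mark: Optional[int] = None  # value for MARK --set-mark / --set-xmark


def ANY(p): return True
def ICMP(p): return p.proto == "icmp"
def SSH(p): return p.proto == "tcp" and p.dport == 22
def MARKED(p): return p.mark == 0x1          # -m mark --mark 0x1


def walk(chains, name, pkt, trace):
    """Run chain `name`; return ACCEPT/DROP, or None for RETURN / fall-through."""
    trace.append(name)
    for rule in chains[name]:
        if not rule.match(pkt):
            continue
        if rule.target == "MARK":
            pkt.mark = rule.mark
            continue                       # MARK is non-terminating
        if rule.target == "RETURN":
            return None
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = walk(chains, rule.target, pkt, trace)
        if rule.goto or verdict is not None:
            return verdict                 # -g is a tail call: never resume here
        # -j and the callee returned: resume with the next rule of this chain
    return None


def evaluate(chains, entry, pkt):
    """Return (verdict, final mark, list of chains entered in order)."""
    trace = []
    verdict = walk(chains, entry, pkt, trace)
    return verdict, pkt.mark, trace


# Assumed bodies shared by all variants (not shown in the thread).
COMMON = {
    "PVEFW-SET-ACCEPT-MARK": [Rule(ANY, "MARK", mark=0x1)],
    "vmbr1-IN": [Rule(ANY, "ACCEPT")],
}

TAP_RULES = [
    Rule(ANY, "GROUP-security1-OUT"),            # -j GROUP-security1-OUT
    Rule(MARKED, "vmbr1-IN", goto=True),         # -m mark --mark 0x1 -g vmbr1-IN
]

# Rule set as generated in the thread: the group chain uses -g to the mark chain.
ORIGINAL = {**COMMON, "tap110i0-OUT": TAP_RULES, "GROUP-security1-OUT": [
    Rule(ANY, "MARK", mark=0x0),                 # --set-xmark 0x0/0xffffffff
    Rule(ICMP, "PVEFW-SET-ACCEPT-MARK", goto=True),
    Rule(SSH, "PVEFW-SET-ACCEPT-MARK", goto=True),
]}

# The proposed rewrite: -j plus an explicit 'mark 0x1 -> RETURN' after each.
PROPOSED = {**COMMON, "tap110i0-OUT": TAP_RULES, "GROUP-security1-OUT": [
    Rule(ANY, "MARK", mark=0x0),
    Rule(ICMP, "PVEFW-SET-ACCEPT-MARK"),
    Rule(MARKED, "RETURN"),
    Rule(SSH, "PVEFW-SET-ACCEPT-MARK"),
    Rule(MARKED, "RETURN"),
]}

# Hypothetical variant: if the tap chain itself used -g for the group chain,
# the return out of the mark chain would skip the tap chain's mark test.
TAP_GOTO = {**ORIGINAL, "tap110i0-OUT": [
    Rule(ANY, "GROUP-security1-OUT", goto=True),
    Rule(MARKED, "vmbr1-IN", goto=True),
]}

SAMPLES = {                                       # constructed test packets
    "icmp": lambda: Packet("icmp"),
    "ssh": lambda: Packet("tcp", dport=22),
    "http": lambda: Packet("tcp", dport=80),
}


def compare(a, b):
    """True if rule sets a and b give the same verdict and mark for every sample."""
    return all(evaluate(a, "tap110i0-OUT", mk())[:2] == evaluate(b, "tap110i0-OUT", mk())[:2]
               for mk in SAMPLES.values())


if __name__ == "__main__":
    for label, chains in (("original", ORIGINAL), ("proposed", PROPOSED), ("tap uses -g", TAP_GOTO)):
        for name, mk in SAMPLES.items():
            print(f"{label:12} {name:5} -> {evaluate(chains, 'tap110i0-OUT', mk())}")
```

Under these assumptions `compare(ORIGINAL, PROPOSED)` is true: in both, the goto from GROUP-security1-OUT resumes in tap110i0-OUT, because that is the chain that jumped (`-j`) into the group chain, and the `--mark 0x1 -g vmbr1-IN` rule there still fires. The only variant that behaves differently is the hypothetical one where the tap chain also uses `-g`; then the return lands in the tap chain's own caller and the mark test is skipped.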
