mmmm,

-A PVEFW-INPUT -m physdev --physdev-in tap100i0 -j tap100i0-OUT

This is to manage tap out rules -> host.

But after that it's using the tap chain... that's why it goes to vmbr0-IN.
(I think it's doing nothing, but it's an overhead.)

Maybe we can manage a special tap chain for these tap out->host rules?

We drop all by default, but maybe later we'll need to open something like DHCP, if we manage a DHCP server on the Proxmox host.

----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER ([email protected])" <[email protected]>
Cc: [email protected]
Sent: Thursday, 20 February 2014 17:40:24
Subject: pvefw: why do we check vmbr0-IN for INPUT

Why do we check vmbr0-IN for INPUT?

-----
-A PVEFW-INPUT -m physdev --physdev-in tap100i0 -j tap100i0-OUT
…
-A tap100i0-OUT -m mark --mark 0x1 -g vmbr0-IN
…
-A vmbr0-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
-A vmbr0-IN -j ACCEPT
…

That looks strange to me.

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
