>> Thought a bit more about that, and I wonder if we really need to jump to
>> vmbr0-IN? I can see that this is an optimization? But we could also use a
>> simple RETURN instead?

Yes, it's an optimization, to avoid testing the other tap chains in VMBR-OUT.

If we want to use RETURN in the tap chain, I think we can optimize the parent
chain like this (like the OpenStack implementation):

# create the bridge chains referenced below
iptables -N vmbr1
iptables -N vmbr1-OUT
iptables -N vmbr1-IN

iptables -A proxmoxfw-FORWARD -o vmbr1 -m physdev --physdev-is-bridged -j vmbr1
iptables -A proxmoxfw-FORWARD -i vmbr1 -m physdev --physdev-is-bridged -j vmbr1
iptables -A proxmoxfw-FORWARD -i vmbr1 -j DROP # disable interbridge routing
iptables -A proxmoxfw-FORWARD -o vmbr1 -j DROP # disable interbridge routing

iptables -A vmbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A vmbr1 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr1-OUT
iptables -A vmbr1 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr1-IN
iptables -A vmbr1 -j ACCEPT

iptables -N tap110i0-OUT
iptables -A vmbr1-OUT -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT
iptables -N tap123i0-OUT
iptables -A vmbr1-OUT -m physdev --physdev-in tap123i0 --physdev-is-bridged -j tap123i0-OUT

----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Friday, 21 February 2014 09:25:15
Subject: RE: pvefw: why do we check vmbr0-IN for INPUT

> >> I am quite unsure about that. It is really difficult to understand that
> >> setup.
> >> Maybe we can use the --state to simplify things?
>
> > Do you have an example?

Thought a bit more about that, and I wonder if we really need to jump to
vmbr0-IN? I can see that this is an optimization? But we could also use a
simple RETURN instead?

exists tap100i0-OUT (OJ24RKwkwqb9Xm9aIuRWjhQ1BL4)
-A tap100i0-OUT -m conntrack --ctstate INVALID -j DROP
-A tap100i0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP
-A tap100i0-OUT -j GROUP-group1-OUT
-A tap100i0-OUT -m mark --mark 1 -g vmbr0-IN #NOTE we can also RETURN here?
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4
-A tap100i0-OUT -j DROP

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
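To make the "-g vmbr0-IN versus RETURN" question in the thread concrete, the following is a small interpreter for the three iptables control-flow cases involved (-j jump, -g goto, RETURN), added here as an example; it is not pve-firewall or OpenStack code and was not posted by either participant. The chain layout is a simplified model of what the thread shows: a parent vmbr0 chain shaped like the one proposed in the reply, vmbr0-OUT and vmbr0-IN dispatching on the physdev port to per-tap chains, and tap100i0-OUT with the MAC check, the handoff rule under discussion and the trailing drop. The conntrack, GROUP and LOG rules are left out, "the group rules accepted the frame and set mark 1" is taken as a packet attribute, the port names tap110i0/tap123i0/eth0, the MAC address from the quoted chain and the sample frames are constructed inputs, and build()/simulate() are names chosen for this example.

```python
"""Toy model of iptables -j (jump), -g (goto) and RETURN chain traversal.

Added example: the chain layout below is a simplified model of the layouts
discussed in the thread, not a dump of pve-firewall or OpenStack rules.
"""

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


class Rule:
    def __init__(self, target, match=lambda pkt: True, goto=False):
        self.target = target  # user chain name, or ACCEPT / DROP / RETURN
        self.match = match    # predicate on the packet dict (models the -m matches)
        self.goto = goto      # True models "-g target", False models "-j target"


class Tables:
    def __init__(self):
        self.chains = {}

    def chain(self, name, *rules):
        self.chains[name] = list(rules)

    def walk(self, name, pkt, trace):
        """Evaluate chain `name`; return ACCEPT/DROP, or None for an (implicit) RETURN."""
        for i, r in enumerate(self.chains[name], 1):
            trace.append(f"{name}:{i}")
            if not r.match(pkt):
                continue
            if r.target in (ACCEPT, DROP):
                return r.target
            if r.target == RETURN:
                return None
            verdict = self.walk(r.target, pkt, trace)
            if verdict is not None:
                return verdict
            if r.goto:
                # -g: a RETURN from the callee continues in the chain that -j'ed
                # into *this* chain, so the remaining rules here are skipped.
                return None
            # -j: the callee returned, carry on with the next rule of this chain.
        return None  # fell off the end: implicit RETURN


def physdev_in(dev):
    return lambda p: p["in"] == dev


def physdev_out(dev):
    return lambda p: p["out"] == dev


TAPS = ["tap100i0", "tap110i0", "tap123i0"]  # assumed VM ports on vmbr0
VM_MAC = "0E:0B:38:B8:B3:21"                 # --mac-source from the quoted tap100i0-OUT chain

# Constructed sample frames (not captures); mark 1 means "group rules accepted it".
VM_TO_VM = {"in": "tap100i0", "out": "tap123i0", "mac": VM_MAC, "mark": 1}
VM_TO_UPLINK = {"in": "tap100i0", "out": "eth0", "mac": VM_MAC, "mark": 1}
SPOOFED = {"in": "tap100i0", "out": "tap123i0", "mac": "02:00:00:00:00:01", "mark": 1}


def build(variant):
    """variant selects the handoff rule in tap100i0-OUT: 'jump', 'goto' or 'return'."""
    t = Tables()
    # Parent chain shaped like the one proposed in the reply: OUT chain for frames
    # entering from a tap, IN chain for frames leaving towards a tap, then ACCEPT.
    # (--physdev-is-in/-out are approximated by "the port is one of the taps".)
    t.chain("vmbr0",
            Rule("vmbr0-OUT", lambda p: p["in"] in TAPS),
            Rule("vmbr0-IN", lambda p: p["out"] in TAPS),
            Rule(ACCEPT))
    t.chain("vmbr0-OUT", *[Rule(f"{d}-OUT", physdev_in(d)) for d in TAPS])
    t.chain("vmbr0-IN", *[Rule(f"{d}-IN", physdev_out(d)) for d in TAPS])
    for d in TAPS:
        t.chain(f"{d}-IN", Rule(ACCEPT))  # per-VM IN rules collapsed to ACCEPT
        t.chain(f"{d}-OUT")               # empty; tap100i0-OUT is filled in below

    def accepted(p):
        return p["mark"] == 1

    handoff = {"jump": Rule("vmbr0-IN", accepted),
               "goto": Rule("vmbr0-IN", accepted, goto=True),
               "return": Rule(RETURN, accepted)}[variant]
    t.chain("tap100i0-OUT",
            Rule(DROP, lambda p: p["mac"] != VM_MAC),  # -m mac ! --mac-source ... -j DROP
            handoff,                                   # the rule the thread is about
            Rule(DROP))                                # trailing LOG + DROP
    return t


def simulate(variant, pkt):
    """Run `pkt` through the model; returns (verdict, list of rules evaluated)."""
    trace = []
    verdict = build(variant).walk("vmbr0", pkt, trace)
    return verdict, trace


if __name__ == "__main__":
    for label, pkt in (("VM->VM", VM_TO_VM), ("VM->uplink", VM_TO_UPLINK), ("spoofed", SPOOFED)):
        for variant in ("jump", "goto", "return"):
            verdict, trace = simulate(variant, pkt)
            print(f"{label:10s} {variant:6s} {str(verdict):6s} {len(trace):2d} rules  {' '.join(trace)}")
```

Running it shows the three behaviours side by side. With -g, when vmbr0-IN falls off its end the trailing LOG/DROP of tap100i0-OUT is never reached and processing resumes in vmbr0-OUT, which is what the iptables --goto semantics prescribe; with -j the same frame falls back into tap100i0-OUT and is dropped there; with RETURN, vmbr0-IN is not visited from the tap chain at all, so the parent chain has to dispatch to it itself, at the price of the remaining --physdev-in tests in vmbr0-OUT being evaluated for every frame.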
