> Yes, it's an optimization, to not test other tap chains in VMBR-OUT. If we use RETURN, we can reuse vmbr0-OUT for the hostfw?

> If we want to use return in tap chain, I think we can optimize parent chain like this
> (Like openstack implementation)
>
> iptables -A proxmoxfw-FORWARD -o vmbr1 -m physdev --physdev-is-bridged -j vmbr1
> iptables -A proxmoxfw-FORWARD -i vmbr1 -m physdev --physdev-is-bridged -j vmbr1
> iptables -A proxmoxfw-FORWARD -i vmbr1 -j DROP # disable interbridge routing
> iptables -A proxmoxfw-FORWARD -o vmbr1 -j DROP # disable interbridge routing
>
> iptables -A vmbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A vmbr1 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr1-OUT
> iptables -A vmbr1 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr1-IN
> iptables -A vmbr1 -j ACCEPT

The way we cannot reuse it for the host firewall?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
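The thread turns on what happens after a per-tap chain finishes: with a final `-j ACCEPT` the verdict is final and nothing later in the parent bridge chain is consulted, whereas with `-j RETURN` traversal resumes in the parent, so rules appended there after the tap jumps are reached, at the cost of also testing the other tap jumps. The following is an added example, not code from the thread or from Proxmox: a small Python model of iptables chain traversal (ACCEPT, DROP, RETURN, jump to user chain) built around the quoted proxmoxfw-FORWARD / vmbr1 / vmbr1-OUT layout. The tap chain names (tap100i0-OUT, tap101i0-OUT), the packet attributes, and the bridge-wide "drop outbound port 25" rule placed after the tap jumps are all assumptions chosen to make the difference visible; the rule evaluation counter shows the cost side of the optimization mentioned above.

```python
# Minimal model of iptables chain traversal, added to illustrate the
# "-j ACCEPT" versus "-j RETURN" question from the thread. Chain and tap
# names follow the quoted layout; tap100i0/tap101i0 and the port-25 rule
# are constructed for this example and are not Proxmox rules.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    match: Dict[str, str]   # packet attribute -> required value; "*" = present
    target: str             # "ACCEPT", "DROP", "RETURN" or a user-chain name


@dataclass
class Trace:
    evaluated: int = 0                      # number of rules looked at
    chains: List[str] = field(default_factory=list)  # chains entered, in order


def matches(rule: Rule, pkt: Dict[str, str]) -> bool:
    for key, want in rule.match.items():
        have = pkt.get(key, "")
        if want == "*":          # like --physdev-is-in: attribute merely present
            if not have:
                return False
        elif have != want:
            return False
    return True


def walk(chains: Dict[str, List[Rule]], name: str,
         pkt: Dict[str, str], trace: Trace) -> Optional[str]:
    """Walk one chain; return a final verdict, or None when the chain falls
    through (RETURN hit or end reached) so the calling chain continues."""
    trace.chains.append(name)
    for rule in chains[name]:
        trace.evaluated += 1
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, trace)
        if verdict is not None:
            return verdict
    return None


def evaluate(chains: Dict[str, List[Rule]], pkt: Dict[str, str],
             policy: str = "DROP") -> Tuple[str, Trace]:
    trace = Trace()
    verdict = walk(chains, "FORWARD", pkt, trace)
    return (verdict if verdict is not None else policy), trace


def build_ruleset(tap_chain_end: str) -> Dict[str, List[Rule]]:
    """Bridge layout modelled on the quoted proposal. tap_chain_end is the
    target of the last rule in each per-tap chain ("ACCEPT" or "RETURN").
    A bridge-wide rule (assumed) sits after the tap jumps in vmbr1-OUT so we
    can see whether it is ever reached."""
    return {
        "FORWARD": [
            Rule({"out": "vmbr1", "bridged": "yes"}, "vmbr1"),
            Rule({"in": "vmbr1", "bridged": "yes"}, "vmbr1"),
            Rule({"in": "vmbr1"}, "DROP"),          # no interbridge routing
            Rule({"out": "vmbr1"}, "DROP"),
        ],
        "vmbr1": [
            Rule({"state": "ESTABLISHED"}, "ACCEPT"),
            Rule({"physdev_in": "*"}, "vmbr1-OUT"),  # frame came from a tap
            Rule({"physdev_out": "*"}, "vmbr1-IN"),  # frame goes to a tap
            Rule({}, "ACCEPT"),
        ],
        "vmbr1-OUT": [
            Rule({"physdev_in": "tap100i0"}, "tap100i0-OUT"),
            Rule({"physdev_in": "tap101i0"}, "tap101i0-OUT"),
            Rule({"dport": "25"}, "DROP"),           # assumed bridge-wide rule
        ],
        "vmbr1-IN": [],
        "tap100i0-OUT": [Rule({"dport": "22"}, "ACCEPT"), Rule({}, tap_chain_end)],
        "tap101i0-OUT": [Rule({}, tap_chain_end)],
    }


# Constructed packets: new connections leaving VM 100 through its tap.
PKT_SMTP = {"in": "vmbr1", "bridged": "yes", "physdev_in": "tap100i0",
            "state": "NEW", "dport": "25"}
PKT_WEB = dict(PKT_SMTP, dport="80")


def compare(pkt: Dict[str, str]) -> Dict[str, Tuple[str, int]]:
    """Verdict and rule-evaluation count for both tap-chain endings."""
    out = {}
    for end in ("ACCEPT", "RETURN"):
        verdict, trace = evaluate(build_ruleset(end), pkt)
        out[end] = (verdict, trace.evaluated)
    return out


if __name__ == "__main__":
    for label, pkt in (("smtp", PKT_SMTP), ("web", PKT_WEB)):
        print(label, compare(pkt))
```

With the tap chain ending in ACCEPT, the outbound port-25 packet is accepted after 7 rule evaluations and the bridge-wide rule is never seen; with RETURN the same packet is dropped by that rule after 9 evaluations, and an ordinary port-80 packet costs 11 evaluations instead of 7 because the remaining tap jump and the tail of vmbr1 are tested on the way back. That is exactly the trade-off the two messages describe: RETURN makes the parent chain reusable for shared rules, ACCEPT skips the other tap chains.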
