>>can't we jump from PVEFW-FORWARD directly to vmbr0-IN/vmbr0-OUT ?

I'm not sure, but should be tested (I have taken the cloudstack implementation)

currently:

-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN

so, we check for -o vmbr0, vmbr0-OUT/IN and for -i vmbr0, vmbr0-OUT/IN.

I'll do tests today.

----- Original message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Tuesday 25 February 2014 10:40:09
Subject: RE: [pve-devel] [PATCH] optimize bridge chains

> >>confused - does it work, or is there something we need to fix?
>
> Well, the rules seem good, I have tested them and it's working fine.
>
> But I don't know why it's hanging when testing the hash...

do we really need all those chains ?

-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
-A vmbr0-OUT -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-OUT

can't we jump from PVEFW-FORWARD directly to vmbr0-IN/vmbr0-OUT ?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
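
The chain traversal discussed in this thread can be traced with a small model of iptables rule evaluation. This is an added example, not code from the thread or from the Proxmox firewall. The packet fields, the `eth0` port name, and the empty (verdict-less) `tap100i0-IN`/`tap100i0-OUT` chains are assumptions.

```python
import shlex

# Rules copied from the thread; the tap100i0-IN/-OUT bodies are not shown there (assumed empty).
RULES = """
-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
-A vmbr0-OUT -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-OUT
"""
VALUE = {"-i": "in", "-o": "out", "--physdev-in": "pin", "--physdev-out": "pout"}
FLAG = {"--physdev-is-bridged": "bridged", "--physdev-is-in": "pin", "--physdev-is-out": "pout"}

def parse(text):
    chains = {}
    for line in text.strip().splitlines():
        words, conds, head = iter(shlex.split(line)), [], {}
        for opt in words:
            if opt in ("-A", "-j", "-m"):
                head[opt] = next(words)           # chain, target, module name
            elif opt in VALUE:
                conds.append((VALUE[opt], next(words)))
            else:
                conds.append((FLAG[opt], None))   # None: field only has to be set
        chains.setdefault(head["-A"], []).append((conds, head["-j"]))
    return chains

def matches(conds, pkt):
    return all(pkt.get(k) == v if v is not None else bool(pkt.get(k)) for k, v in conds)

def walk(chains, chain, pkt, trace):
    for conds, target in chains.get(chain, []):
        if matches(conds, pkt):
            trace.append(target)
            verdict = target if target in ("ACCEPT", "DROP") else walk(chains, target, pkt, trace)
            if verdict:
                return verdict                    # terminating target ends traversal
    return None                                   # end of chain: implicit RETURN

def trace_packet(pkt):
    trace = []
    return walk(parse(RULES), "PVEFW-FORWARD", pkt, trace), trace

# Constructed packet: bridged frame from tap100i0 to an assumed uplink port eth0.
VM_OUT = {"in": "vmbr0", "out": "vmbr0", "pin": "tap100i0", "pout": "eth0", "bridged": True}
```

For `VM_OUT`, the trace enters `vmbr0`, `vmbr0-OUT`, `tap100i0-OUT` and `vmbr0-IN` twice, once for the `-o vmbr0` rule and once for the `-i vmbr0` rule, before reaching `DROP`. That happens because the modelled tap chains return no verdict.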
