>> Just noticed that you still jump to vmbr0-IN instead of using 'RETURN'

Yes, I just noticed it too ;) I'll send a patch.

It's also missing the bridge->ethX accept rule at the end of vmbr0 (IN=vmbr0 OUT=vmbr0 PHYSIN=tap110i0 PHYSOUT=eth0).

Currently:

-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0 -j ACCEPT   >>> This accepts traffic from the physical interface ethX plugged into the bridge

But if we do:

-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP

I think we need to find the ethX interface plugged into vmbr0 and add a rule before the DROP. I don't know what the best way is.

----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Tuesday, 25 February 2014 12:03:35
Subject: RE: [pve-devel] [PATCH] optimize bridge chains

Just noticed that you still jump to vmbr0-IN instead of using 'RETURN'

exists tap100i0-OUT (OJ24RKwkwqb9Xm9aIuRWjhQ1BL4)
-A tap100i0-OUT -m conntrack --ctstate INVALID -j DROP
-A tap100i0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP
-A tap100i0-OUT -j GROUP-group1-OUT
# I thought we now can use RETURN here?
-A tap100i0-OUT -m mark --mark 1 -g vmbr0-IN
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4
-A tap100i0-OUT -j DROP

> -----Original Message-----
> From: Alexandre DERUMIER [mailto:[email protected]]
> Sent: Tuesday, 25 February 2014 11:22
> To: Dietmar Maurer
> Cc: [email protected]
> Subject: Re: [pve-devel] [PATCH] optimize bridge chains
>
> >> can't we jump from PVEFW-FORWARD directly to vmbr0-IN/vmbr0-OUT ?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
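One way to answer the open question in the thread (which port of vmbr0 is the physical uplink, and where its accept rule has to sit), as an added example that is neither pve-firewall code nor from either poster: on Linux the kernel lists a bridge's enslaved ports under /sys/class/net/<bridge>/brif/, one entry per port, so the uplink can be found by enumerating that directory and excluding VM ports. The script below assumes VM ports are named tap*/veth* and treats any other port as an uplink; the chain names (PVEFW-FORWARD, vmbr0-IN, vmbr0-OUT) are those used in the thread. It prints rules rather than applying them, and takes the sysfs root as a parameter so the logic can be exercised against a constructed tree on a host that has no such bridge.

```shell
#!/bin/sh
# Added example, not pve-firewall code: enumerate the ports enslaved to a bridge
# from sysfs (/sys/class/net/<bridge>/brif/<port>, one entry per port) and print
# a PVEFW-FORWARD rule set for that bridge in which VM ports (tap*/veth*) are
# dispatched straight to <bridge>-OUT / <bridge>-IN, the physical uplink port(s)
# get an explicit ACCEPT before the final DROP, and everything else is dropped.
# Assumptions: VM ports are named tap*/veth* (any other port is an uplink);
# rules are printed, not applied; the sysfs root is a parameter for testing.

# is_vm_port NAME: 0 if NAME looks like a VM port, 1 otherwise (assumed naming).
is_vm_port() {
    case "$1" in
        tap*|veth*) return 0 ;;
        *)          return 1 ;;
    esac
}

# bridge_ports BRIDGE [SYSFS_ROOT]: print the ports enslaved to BRIDGE, one per
# line, in glob (sorted) order. Fails if BRIDGE has no brif directory.
bridge_ports() {
    _dir="${2:-/sys}/class/net/$1/brif"
    [ -d "$_dir" ] || return 1
    for _p in "$_dir"/*; do
        if [ -e "$_p" ]; then
            basename "$_p"
        fi
    done
}

# uplink_ports BRIDGE [SYSFS_ROOT]: the bridge ports that are not VM ports.
uplink_ports() {
    for _port in $(bridge_ports "$1" "$2"); do
        if ! is_vm_port "$_port"; then
            echo "$_port"
        fi
    done
}

# gen_bridge_forward_rules BRIDGE [SYSFS_ROOT]: print the PVEFW-FORWARD rules.
# Order matters: the per-bridge chains run first (so a frame to or from a VM
# still passes that VM's tap chain), the uplink ACCEPT sits after them and
# before the final DROP, which is the gap discussed in the thread.
gen_bridge_forward_rules() {
    _br=$1
    _sysfs=${2:-/sys}
    echo "-A PVEFW-FORWARD -o $_br -m physdev --physdev-is-in --physdev-is-bridged -j ${_br}-OUT"
    echo "-A PVEFW-FORWARD -i $_br -m physdev --physdev-is-out --physdev-is-bridged -j ${_br}-IN"
    for _up in $(uplink_ports "$_br" "$_sysfs"); do
        # frames that entered the bridge from the uplink, or leave through it
        echo "-A PVEFW-FORWARD -i $_br -m physdev --physdev-is-bridged --physdev-in $_up -j ACCEPT"
        echo "-A PVEFW-FORWARD -o $_br -m physdev --physdev-is-bridged --physdev-out $_up -j ACCEPT"
    done
    echo "-A PVEFW-FORWARD -o $_br -j DROP"
    echo "-A PVEFW-FORWARD -i $_br -j DROP"
}

# Stand-alone use: print the rules for the bridge named in $1 (default vmbr0)
# when that bridge exists on this host; otherwise do nothing.
if [ -d "/sys/class/net/${1:-vmbr0}/brif" ]; then
    gen_bridge_forward_rules "${1:-vmbr0}"
fi
```

Run as `sh gen-bridge-rules.sh vmbr0` on a host with the bridge to see the generated rules. Placing the uplink ACCEPT after the two chain jumps keeps the per-VM tap chains authoritative for any frame that touches a VM port: a frame from eth0 to a tap still traverses vmbr0-IN and the tap's IN chain before the uplink rule can accept it, and a frame from a tap to eth0 still traverses vmbr0-OUT first.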
