>> But we should only accept packages which originate from VMs?

I see 3 cases:

ethX->tap-in :
--------------
incoming ethX is not firewalled
tap-in does the ACCEPT

tap-out->tap-in :
----------------
tap-out does the RETURN
tap-in does the ACCEPT

tap-out->ethX :
---------------
tap-out does the RETURN, so we need an accept for ethX

I have looked at cloudstack, they are doing

-A vmbr0 -m physdev --physdev-is-bridged --physdev-out $physdev -j ACCEPT

where $physdev is ethX,bondX plugged in the bridge

but maybe

-A vmbr0 -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT

is enough ?

----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre Derumier" <[email protected]>, [email protected]
Sent: Tuesday 25 February 2014 16:25:00
Subject: RE: [pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

> We need to accept traffic at the end of bridge rules for outgoing packets
> from tap->ethX, as we don't do ACCEPT in tap-out rules.

But we should only accept packages which originate from VMs?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
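Added example, not code from the pve-devel thread or from Proxmox: a small Python model of how iptables walks the bridge chain for the three cases listed above, plus a constructed fourth case (a bridged tap with no firewall chain) where the two candidate ACCEPT rules give different results. Interface names, chain contents and the DROP fallback policy are assumptions for illustration.

```python
# Constructed model of physdev rule evaluation in a Proxmox-style bridge chain.
# Interface names, chain contents and the DROP policy are assumptions, not the
# real pve-firewall ruleset. A flow is (physdev_in, physdev_out).
PHYSICAL = {"eth0"}                          # physical port(s) plugged into vmbr0
FIREWALLED_TAPS = ["tap100i0", "tap101i0"]   # VMs that have a firewall chain
# "tap102i0" is assumed to be a bridged tap with no firewall chain at all

def tap_in_chain(flow):
    return "ACCEPT"      # per-VM ingress chain ends in a terminal verdict

def tap_out_chain(flow):
    return "RETURN"      # per-VM egress chain only RETURNs, as the mail says

def build_vmbr0(final_rule):
    """Bridge chain: per-tap jumps, then one of the two candidate ACCEPT rules."""
    rules = []
    for tap in FIREWALLED_TAPS:
        rules.append(("out", tap, tap_in_chain))    # --physdev-out tapX -j tapX-IN
        rules.append(("in", tap, tap_out_chain))    # --physdev-in tapX -j tapX-OUT
    if final_rule == "physdev-out":                 # cloudstack style, physical ports only
        rules += [("out", dev, "ACCEPT") for dev in sorted(PHYSICAL)]
    elif final_rule == "physdev-is-out":            # any bridged egress port
        rules.append(("is-out", None, "ACCEPT"))
    return rules

def verdict(flow, final_rule, policy="DROP"):
    """Walk the chain: a jump that RETURNs keeps going, ACCEPT/DROP ends it."""
    pin, pout = flow
    for kind, dev, target in build_vmbr0(final_rule):
        matched = (kind == "in" and dev == pin) or (kind == "out" and dev == pout) \
            or (kind == "is-out" and pout is not None)
        if matched:
            v = target(flow) if callable(target) else target
            if v != "RETURN":
                return v
    return policy                                    # fell off the chain

FLOWS = {
    "ethX->tap-in":      ("eth0", "tap100i0"),
    "tap-out->tap-in":   ("tap100i0", "tap101i0"),
    "tap-out->ethX":     ("tap100i0", "eth0"),
    "tap-out->bare-tap": ("tap100i0", "tap102i0"),  # constructed extra case
}

def evaluate(final_rule):
    return {name: verdict(flow, final_rule) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for rule in (None, "physdev-out", "physdev-is-out"):
        print(rule, evaluate(rule))
```

Without a final ACCEPT the tap-out->ethX flow falls through to the policy; both candidate rules fix that, but only the `--physdev-is-out` form also accepts traffic leaving toward a tap that has no firewall chain.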
