>>What about this case:
>>
>>ethX->unmanaged-tap :
>>--------------
>>incoming ethX is not firewalled
>>outgoing tap is not managed by our firewall

with

-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-FW -j ACCEPT

or

-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT

(maybe this is better?)

It's working fine (there is no filtering on the tap, and the ACCEPT is done at the end).

----- Original message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Tuesday, 25 February 2014 16:55:51
Subject: RE: [pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

> I see 3 cases:
>
> ethX->tap-in :
> --------------
> incoming ethX is not firewalled
> tap-in does the ACCEPT
>
> tap out->tap in :
> ----------------
> tap-out does the RETURN
> tap-in does the ACCEPT
>
> tap out->ethX :
> ---------------
> tap-out does the RETURN,
> so we need an accept for ethX

What about this case:

ethX->unmanaged-tap :
--------------
incoming ethX is not firewalled
outgoing tap is not managed by our firewall

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
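The four traffic cases discussed in this exchange, walked through the vmbr0-FW dispatch rules as an added illustration. This is a constructed Python model written for this page, not pve-firewall code: the per-tap chain behaviour (a managed tap's "in" chain ends in ACCEPT, its "out" chain ends in RETURN, an unmanaged tap or ethX has no rule and so falls back to vmbr0-FW) is taken from the thread as an assumption, and the tap names, the `bridged` flag and the `Frame`/`vmbr0_fw` helpers are the model's own. It evaluates both of the proposed rule sets and reports the verdict and the chains visited, so the reader can see where the trailing ACCEPT is what carries the ethX->unmanaged-tap frame.

```python
"""Constructed model of the vmbr0-FW dispatch rules from the thread.

Added illustration, not pve-firewall code.  It walks the three
'-A vmbr0-FW ...' rules of each rule set for one frame and returns the
verdict plus the chains visited.

Assumptions (taken from the thread, not verified against the project):
  * vmbr0-OUT holds one rule per managed tap matching --physdev-in <tap>,
    vmbr0-IN one rule per managed tap matching --physdev-out <tap>;
  * a per-tap 'in' chain ends in ACCEPT, a per-tap 'out' chain in RETURN;
  * ethX and an unmanaged tap have no rule in either chain, so control
    falls off the chain and RETURNs to vmbr0-FW.
"""
from dataclasses import dataclass

# Constructed inventory: taps that have a per-VM firewall configured.
MANAGED_TAPS = frozenset({"tap100i0", "tap101i0"})


@dataclass(frozen=True)
class Frame:
    physdev_in: str          # bridge port the frame entered on
    physdev_out: str         # bridge port the frame will leave on
    bridged: bool = True     # --physdev-is-bridged: forwarded, not routed


def vmbr0_out(frame, trace):
    """vmbr0-OUT: dispatch on --physdev-in to the VM's 'out' chain."""
    trace.append("vmbr0-OUT")
    if frame.physdev_in in MANAGED_TAPS:
        trace.append(f"{frame.physdev_in}-OUT")
        return "RETURN"      # tap-out does the RETURN
    return "RETURN"          # no rule matched: end of chain


def vmbr0_in(frame, trace):
    """vmbr0-IN: dispatch on --physdev-out to the VM's 'in' chain."""
    trace.append("vmbr0-IN")
    if frame.physdev_out in MANAGED_TAPS:
        trace.append(f"{frame.physdev_out}-IN")
        return "ACCEPT"      # tap-in does the ACCEPT
    return "RETURN"          # unmanaged tap or ethX: no rule, end of chain


# One rule per tuple: (match predicate, target).  The physdev matches are
# written as in the mail: --physdev-is-in/--physdev-is-out plus
# --physdev-is-bridged, which only holds while the frame is being bridged.
RULESET_A = [
    (lambda f: f.bridged and bool(f.physdev_in), "vmbr0-OUT"),
    (lambda f: f.bridged and bool(f.physdev_out), "vmbr0-IN"),
    (lambda f: True, "ACCEPT"),                            # -A vmbr0-FW -j ACCEPT
]
RULESET_B = RULESET_A[:2] + [
    (lambda f: f.bridged and bool(f.physdev_out), "ACCEPT"),  # the alternative
]

CHAINS = {"vmbr0-OUT": vmbr0_out, "vmbr0-IN": vmbr0_in}


def vmbr0_fw(frame, ruleset):
    """Walk vmbr0-FW. Returns (verdict, trace); verdict None = fell off the end."""
    trace = ["vmbr0-FW"]
    for matches, target in ruleset:
        if not matches(frame):
            continue
        if target in CHAINS:
            verdict = CHAINS[target](frame, trace)
            if verdict != "RETURN":
                return verdict, trace
            continue             # RETURN: resume with the next vmbr0-FW rule
        return target, trace
    return None, trace


# The cases from the thread, as constructed frames.
CASES = {
    "ethX->tap-in":        Frame("eth0", "tap100i0"),
    "tap-out->tap-in":     Frame("tap100i0", "tap101i0"),
    "tap-out->ethX":       Frame("tap100i0", "eth0"),
    "ethX->unmanaged-tap": Frame("eth0", "tap200i0"),
}

if __name__ == "__main__":
    for name, frame in CASES.items():
        for label, rs in (("A", RULESET_A), ("B", RULESET_B)):
            verdict, trace = vmbr0_fw(frame, rs)
            print(f"{name:22s} set {label}: {str(verdict):7s} via {' -> '.join(trace)}")
```

For every bridged frame the two rule sets give the same verdict, which matches the "it's working fine" observation: the per-tap "in" chain accepts managed destinations, and for ethX or an unmanaged tap both dispatch chains RETURN so the last rule is what accepts. The only place the model separates the two alternatives is a frame with `bridged=False` (a routed packet, should one ever reach vmbr0-FW): neither `--physdev-is-bridged` rule matches, so set A still ACCEPTs it while set B reaches the end of vmbr0-FW with no verdict and leaves the decision to the calling chain. That is a property of the rules as written, not a statement about how the project wires vmbr0-FW into FORWARD.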
