>>I now always use PVEFW-SET-ACCEPT-MARK for OUT chains, so that way we can
>>re-use chains for the host firewall.
>>any objections?

I think it's ok, I'll do tests this afternoon.

----- Original message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Wednesday, 26 February 2014 07:26:51
Subject: RE: [pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

> with
> -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
> -A vmbr0-FW -j ACCEPT
>
> or
> -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT
> (maybe this is better ?)
>
> it's working fine

applied, but I have added another change:

https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff;h=fdb0bf200c4d48f0826c365ace8f126c535a4600

I now always use PVEFW-SET-ACCEPT-MARK for OUT chains, so that way we can
re-use chains for the host firewall.

any objections?
