>> -A vmbr0-FW -m mark --mark 1 -j ACCEPT
>> This is what we have currently. But this blocks traffic to 'unmanaged' tap
>> devices (VMs with no firewall)

Yes, indeed, because we don't mark unmanaged tap, so it can't go to the accept.

>> So we would have:
>>
>> -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
>> -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
>> -A vmbr0-FW -m mark --mark 1 -j ACCEPT
>> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT
>>
>> But what exactly is the difference to the original solution?
>>
>> -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
>> -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
>> -A vmbr0-FW -j ACCEPT
>>
>> Can you see/explain the difference?

>> -A vmbr0-FW -m mark --mark 1 -j ACCEPT

ACCEPT for managed tap rules.

>> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT

ACCEPT for other interfaces (unmanaged tap or ethX), but this is only for outgoing packets for ethX (bridge->eth) or incoming packets for unmanaged tap (bridge->tap).

I don't remember: why can't we simply use

-A vmbr0-FW -j ACCEPT

instead of

-A vmbr0-FW -m mark --mark 1 -j ACCEPT

For managed tap, if we don't have a DROP in the tap chains, we should accept when returning in vmbr0-FW.
For unmanaged tap or ethX, we should ACCEPT in any case at the end of vmbr0-FW too.

----- Original Mail -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Thursday 27 February 2014 08:53:50
Subject: RE: [pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

I am still confused about those bridge chains:

> > -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
> > -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
> > -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT (maybe this is better ?)
> >
> > After my change, I guess we need to add such rule additionally:
> >
> > -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
> > -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
> > -A vmbr0-FW -m mark --mark 1 -j ACCEPT

This is what we have currently. But this blocks traffic to 'unmanaged' tap
devices (VMs with no firewall)

> > -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT

Seems to solve that. So we would have:

-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0-FW -m mark --mark 1 -j ACCEPT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT

But what exactly is the difference to the original solution?

-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0-FW -j ACCEPT

Can you see/explain the difference?
_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
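A small chain-walk model of the three vmbr0-FW variants discussed in this thread, added here as an illustration and not Proxmox code. It assumes one managed VM on port tap100i0 whose tap chains MARK allowed packets with 1 and DROP the rest, an unmanaged VM on tap200i0, eth0 as the uplink port, and a FORWARD policy of DROP for packets that fall off the end of vmbr0-FW; all of these are assumptions made for the example.

```python
# Model of the vmbr0-FW chain variants from the thread (illustration, not Proxmox code).
# Assumed: tap chains mark allowed packets with 1 and drop the rest; FORWARD policy is DROP.
from dataclasses import dataclass

ACCEPT, DROP, RETURN, MARK1 = "ACCEPT", "DROP", "RETURN", "MARK1"

@dataclass
class Pkt:
    physdev_in: str    # bridge port the frame entered on ("" = none)
    physdev_out: str   # bridge port the frame will leave on ("" = none)
    dport: int = 0
    mark: int = 0

def is_in(p):  return p.physdev_in != ""    # --physdev-is-bridged --physdev-is-in
def is_out(p): return p.physdev_out != ""   # --physdev-is-bridged --physdev-is-out
def marked(p): return p.mark == 1           # -m mark --mark 1
def any_(p):   return True                  # no match, i.e. "-j TARGET"

def run_chain(chains, name, p):
    # MARK sets the mark and continues; ACCEPT/DROP/RETURN end the chain;
    # a jump into a user chain resumes here when that chain RETURNs.
    for match, target in chains[name]:
        if not match(p):
            continue
        if target == MARK1:
            p.mark = 1
        elif target in (ACCEPT, DROP, RETURN):
            return target
        else:
            v = run_chain(chains, target, p)
            if v != RETURN:
                return v
    return RETURN  # fell off the end: back to the caller

# Assumed tap chain layout: allow tcp/22 by marking it, drop everything else.
TAP = [(lambda p: p.dport == 22, MARK1), (marked, RETURN), (any_, DROP)]

def build(tail):
    # vmbr0-FW = the two dispatch rules from the thread, then the candidate tail.
    return {"vmbr0-FW": [(is_in, "vmbr0-OUT"), (is_out, "vmbr0-IN")] + tail,
            "vmbr0-OUT": [(lambda p: p.physdev_in == "tap100i0", "tap100i0-OUT")],
            "vmbr0-IN": [(lambda p: p.physdev_out == "tap100i0", "tap100i0-IN")],
            "tap100i0-OUT": TAP, "tap100i0-IN": TAP}

MARK_ONLY     = [(marked, ACCEPT)]                    # "what we have currently"
MARK_PLUS_OUT = [(marked, ACCEPT), (is_out, ACCEPT)]  # current rules + is-out ACCEPT
PLAIN_ACCEPT  = [(any_, ACCEPT)]                      # "the original solution"

def verdict(tail, physdev_in, physdev_out, dport, policy=DROP):
    # FORWARD jumps to vmbr0-FW; an unmatched packet gets the (assumed) FORWARD policy.
    v = run_chain(build(tail), "vmbr0-FW", Pkt(physdev_in, physdev_out, dport))
    return policy if v == RETURN else v
```

Running verdict() for an unmanaged VM frame (tap200i0 to eth0) returns DROP with MARK_ONLY but ACCEPT with the other two tails, while a managed VM frame to a port its tap chain drops returns DROP under all three, because the DROP happens inside the tap chain before vmbr0-FW's tail is reached.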
