>> That would accept packages where --physdev-is-out is not set (can that happen?)?
I don't think it can happen in FORWARD, but it's possible in INPUT or OUTPUT (host -> physin(tap,eth..), physout(tap,eth) -> host)

----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Thursday, 27 February 2014 10:54:21
Subject: RE: [pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

> I don't remember, why can't we simply use
>
> -A vmbr0-FW -j ACCEPT ? (instead of -A vmbr0-FW -m mark --mark 1 -j ACCEPT)
>
> for managed tap, if we don't have a DROP in tapchains, we should accept
> when returning in vmbr0-FW
> for unmanaged tap or ethX, we should ACCEPT in any case at the end of
> vmbr0-FW too.

That would accept packages where --physdev-is-out is not set (can that happen?)?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
