Another idea:

It's possible with ipset to dynamically add a src IP from an iptables match to an
ipset ipmap:


"iptables -m mac --mac-source $macaddr -j SET --add-set tapxxxipmap src"



So maybe it is possible to create one ipset ipmap per tap device and, in the tap-out
chain, add the src(s) to the tap's ipset.

This way, we can have the list of all IPs of all tap interfaces.


So it's easy to parse the conntrack list and find the IPs in the ipsets.


I never tested this, but I think it should work.



----- Original Message -----

From: "Alexandre DERUMIER" <[email protected]>
To: "Dietmar Maurer" <[email protected]>
Cc: [email protected]
Sent: Sunday 2 March 2014 18:09:51
Subject: Re: [pve-devel] pvefw: using ctmark to associate connections to VMs

>>But I just noticed that we need 2 different marks, because we can have traffic
>>from VM1 to VM2. So we need 2 marks/zones?

Yes, in one conntrack line you have in/out. Not sure how to implement
that, as there is only one mark or one zone field.


----- Original Message -----

From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Sunday 2 March 2014 09:07:19
Subject: RE: [pve-devel] pvefw: using ctmark to associate connections to VMs

Thanks for that link. 

But I just noticed that we need 2 different marks, because we can have traffic
from VM1 to VM2. So we need 2 marks/zones?

> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5d0aa2ccd4699a01cfdf14886191c249d7b45a01
> 
> netfilter: nf_conntrack: add support for "conntrack zones" 
> Normally, each connection needs a unique identity. Conntrack zones allow 
> to specify a numerical zone using the CT target, connections in different 
> zones can use the same identity. 
_______________________________________________ 
pve-devel mailing list 
[email protected] 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
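A sketch of the per-tap ipset idea from the top of the thread, added here as an example and not code from the pve-devel thread or from pvefw: a (root-only, not run offline) setup function that creates one set per tap and learns the guest's source IPs by MAC, and an offline parser that attributes each conntrack entry to the tap(s) owning its original-direction src and dst. Set and chain names, tap names, MACs, addresses and the conntrack lines are constructed for illustration; looking up both endpoints in the sets is what lets a VM-to-VM flow be tagged with both taps without a second conntrack mark.

```shell
#!/bin/sh
# Added example (not from the pve-devel thread). Set/chain names, tap names,
# MACs and addresses are constructed for illustration.

# Live setup, needs root and is not exercised offline: one ipset per tap and a
# rule in the tap's out chain that learns the guest's source IPs by MAC.
setup_tap_ipset() {
    tap="$1"; mac="$2"
    ipset -exist create "${tap}ipmap" hash:ip
    iptables -A "${tap}-OUT" -m mac --mac-source "$mac" \
        -j SET --add-set "${tap}ipmap" src
}

# Constructed "set-name member member ..." table, one line per tap set.
SET_SAMPLE="tap100i0ipmap 10.0.0.5 10.0.0.6
tap101i0ipmap 10.0.0.9"

# Constructed 'conntrack -L' style lines: VM-to-VM, VM-to-outside, inbound.
CT_SAMPLE="tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=44120 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=44120 [ASSURED] mark=0 use=1
udp 17 29 src=10.0.0.6 dst=192.0.2.53 sport=51000 dport=53 src=192.0.2.53 dst=10.0.0.6 sport=53 dport=51000 mark=0 use=1
tcp 6 110 TIME_WAIT src=198.51.100.7 dst=10.0.0.5 sport=50001 dport=80 src=10.0.0.5 dst=198.51.100.7 sport=80 dport=50001 [ASSURED] mark=0 use=1"

# Attribute each flow: take the original-direction src= and dst= (the first
# occurrence of each on the line) and look both up in the per-tap sets, so a
# VM-to-VM flow is tagged with both taps without needing two conntrack marks.
# Prints one line per flow: proto src -> dst owner_of_src owner_of_dst
attribute_flows() {
    printf '%s\n' "$1" | awk -v table="$2" '
    BEGIN {
        n = split(table, rows, "\n")
        for (r = 1; r <= n; r++) {
            m = split(rows[r], f, " ")
            for (i = 2; i <= m; i++) owner[f[i]] = f[1]
        }
    }
    NF == 0 { next }
    {
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
        }
        srco = (src in owner) ? owner[src] : "external"
        dsto = (dst in owner) ? owner[dst] : "external"
        print $1, src, "->", dst, srco, dsto
    }'
}

# Stand-alone run over the constructed samples.
attribute_flows "$CT_SAMPLE" "$SET_SAMPLE"
```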
