> for tap-out rules,
> PVEFW-Accept is always used when connection is already established
> -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept

Why do we still need 'PVEFW-Accept' instead of -j NFQUEUE?

> in tap-in chain,
> I replace -j ACCEPT by -j NFQUEUE when ips is enabled
> and
> -m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE

that is what I want.

> group-in rules always replace ACCEPT by PVEFW-Accept

maybe we can use the set mark hack here?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
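One way the "set mark" idea raised in this thread could look, as an added illustration that is not pve-firewall's own code: the chain names, the mark value and the rule order are assumptions, and the script prints the rules instead of loading them, so it runs without iptables or root.

```shell
#!/bin/sh
# Added illustration (not pve-firewall code). Group chains keep jumping to
# PVEFW-Accept, which only sets a mark; the per-interface tap-in chain then
# turns that mark into ACCEPT, or into NFQUEUE when IPS is enabled, so the
# group rules never need to know whether an IPS is in the path.
ACCEPT_MARK="0x80000000/0x80000000"   # assumed mark bit and mask

# accept_target <ips_enabled>: terminal target for traffic the policy accepts
accept_target() {
    if [ "$1" = "1" ]; then
        echo "NFQUEUE"   # hand the packet to the userspace IPS
    else
        echo "ACCEPT"
    fi
}

# tap_in_rules <iface> <ips_enabled>: rules for a hypothetical tap<iface>-IN
# chain; RELATED,ESTABLISHED traffic uses the same target as marked traffic,
# which is the behaviour the thread asks for.
tap_in_rules() {
    iface=$1
    target=$(accept_target "$2")
    cat <<EOF
-A tap${iface}-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ${target}
-A tap${iface}-IN -m conntrack --ctstate INVALID -j DROP
-A tap${iface}-IN -j GROUP-IN
-A tap${iface}-IN -m mark --mark ${ACCEPT_MARK} -j ${target}
-A tap${iface}-IN -j PVEFW-Drop
EOF
}

# pvefw_accept_rules: PVEFW-Accept as a mark-setting chain (assumed layout)
pvefw_accept_rules() {
    cat <<EOF
-A PVEFW-Accept -j MARK --set-mark ${ACCEPT_MARK}
EOF
}
```

Running `tap_in_rules 100i0 1` prints the IPS variant of the chain; with a second argument of `0` the same rules end in ACCEPT.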
