>> Why do we still need ' PVEFW-Accept' instead of -j NFQUEUE?

in this case:

tap1-out : ACCEPT (ips off) -----> tap2-in : ACCEPT (ips on)

We don't want always NFQUEUE in tap1-out, because ips is off, but we want NFQUEUE if the destination has ips on.

>>> group-in rules always replace ACCEPT by PVEFW-Accept
>> maybe we can use the set mark hack here?

I don't know how to implement this, as a GROUP can do ACCEPT or NFQUEUE, if the group is used by a tap without/with ips.

Maybe doing some checks at the beginning of PVE-FORWARD, to see if tap-in has ips enabled, and add a specific mark ?

Help is welcome ;)

----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre Derumier" <[email protected]>, [email protected]
Sent: Wednesday, 19 March 2014 17:07:00
Subject: RE: [pve-devel] [PATCH] add ips feature v5

> for tap-out rules,
> PVEFW-Accept is always used when connection is already established
> -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept

Why do we still need ' PVEFW-Accept' instead of -j NFQUEUE?

> in tap-in chain,
> I replace -j ACCEPT by -j NFQUEUE when ips is enabled
> and
> -m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE

that is what I want.

> group-in rules always replace ACCEPT by PVEFW-Accept

maybe we can use the set mark hack here?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
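The "set mark" idea discussed in the thread, as an added example that is not part of the patch or of pve-firewall: a POSIX shell function that prints an iptables-restore fragment in which PVE-FORWARD marks packets whose destination tap has ips enabled, and PVEFW-Accept sends marked packets to NFQUEUE and everything else to ACCEPT, so a group rule can keep jumping to PVEFW-Accept whether the tap has ips on or off. Chain names follow the thread; the physdev match for bridge ports, the free mark bit 0x40000000 and the tap:on|off argument format are assumptions.

```shell
#!/bin/sh
# Added example, not pve-firewall code. Assumed: bridged traffic is matched
# with physdev, chains are named <tap>-in / <tap>-out, mark bit 0x40000000 is
# unused. Output is iptables-restore text only; nothing is loaded.
IPS_MARK=0x40000000

# gen_rules tap:on|off ...  -> prints an iptables-restore fragment on stdout
gen_rules() {
    echo '*filter'
    echo ':PVE-FORWARD - [0:0]'
    echo ':PVEFW-Accept - [0:0]'
    for spec in "$@"; do
        tap=${spec%%:*}
        echo ":${tap}-in - [0:0]"
        echo ":${tap}-out - [0:0]"
    done
    # 1. at the start of PVE-FORWARD: mark packets whose destination tap has ips on
    for spec in "$@"; do
        tap=${spec%%:*}; ips=${spec##*:}
        [ "$ips" = on ] && echo "-A PVE-FORWARD -m physdev --physdev-is-bridged --physdev-out $tap -j MARK --set-mark $IPS_MARK/$IPS_MARK"
    done
    # 2. dispatch: source tap -> <tap>-out, destination tap -> <tap>-in
    for spec in "$@"; do
        tap=${spec%%:*}
        echo "-A PVE-FORWARD -m physdev --physdev-is-bridged --physdev-in $tap -j ${tap}-out"
        echo "-A PVE-FORWARD -m physdev --physdev-is-bridged --physdev-out $tap -j ${tap}-in"
    done
    # 3. per-tap chains keep the PVEFW-Accept jump from the thread, ips on or off
    for spec in "$@"; do
        tap=${spec%%:*}
        echo "-A ${tap}-out -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept"
        echo "-A ${tap}-in -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept"
    done
    # 4. PVEFW-Accept decides once: marked (destination has ips) -> NFQUEUE, else ACCEPT
    echo "-A PVEFW-Accept -m mark --mark $IPS_MARK/$IPS_MARK -j NFQUEUE"
    echo '-A PVEFW-Accept -j ACCEPT'
    echo 'COMMIT'
}

# has_rule <exact rule line> tap:on|off ...  -> exit 0 if gen_rules emits that line
has_rule() {
    rule=$1; shift
    gen_rules "$@" | grep -qxF -- "$rule"
}

# tap1 without ips sending to tap2 with ips: tap1-out reaches PVEFW-Accept with the
# mark set, so the packet goes to NFQUEUE, which is the behaviour asked for above.
gen_rules tap1:off tap2:on
```

Pipe the output into `iptables-restore --test` to check the syntax without loading it.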
