> Not for conntrack
>
> -N tapXXXi0-OUT
> -A tapXXXi0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
> -A tapXXXi0-OUT -p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK
> -A tapXXXi0-OUT -p tcp -j PVEFW-tcpflags
> -A tapXXXi0-OUT -m conntrack --ctstate INVALID -j DROP
> -A tapXXXi0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT >> HERE
>
Maybe we can/should replace that with -g PVEFW-SET-ACCEPT-MARK?
