> But isn't it slower (more taps(in|out) to check), than simply use > > -m conntrack --ctstate RELATED,ESTABLISHED -j PVE-Accept at the begin of > FORWARD ?
Maybe, but still faster than -j PVEFW-Accept? And we only need to do that when ips is enabled. _______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
