>>Sorry, I don't get that. What problem does that solve? I thought you want to
>>enable ips per VM?
It was to avoid going into each tap-out device and then -g PVEFW-SET-ACCEPT-MARK, and instead go directly to vmbr-OUT.
>> -A tapXXXi0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> HERE
>>
>
>>Maybe we can/should replace that with -g PVEFW-SET-ACCEPT-MARK?
Here is an example:
tap100 : no ips
tap200 : ips
-A PVEFW-FORWARD -o vmbr1 -m physdev --physdev-is-out -j vmbr1-FW
-A PVEFW-FORWARD -i vmbr1 -m physdev --physdev-is-in -j vmbr1-FW
-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT
-A vmbr1-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN   (or ACCEPT if no ips in any taps of the bridge)
-A vmbr1-OUT -m physdev --physdev-in tap100i0 -j tap100i0-OUT
-A vmbr1-OUT -m physdev --physdev-in tap200i0 -j tap200i0-OUT
-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN
-A vmbr1-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
-A vmbr1-IN -m physdev --physdev-out tap200i0 --physdev-is-bridged -j tap200i0-IN
-A tap200i0-IN -m conntrack --ctstate RELATED,ESTABLISHED -j
NFQUEUE --queue-num 0 --queue-bypass
-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
-A vmbr1-FW -m physdev --physdev-is-out -j ACCEPT
-A vmbr1-FW -m comment --comment "PVESIG:fmNVk/D2Npe3kjrx6hn27VKjdMg"
----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Thursday, 20 March 2014 08:09:40
Subject: RE: [pve-devel] [PATCH] add ips feature v5
> maybe could we add
>
> -A vmbrX-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
>
> at the beginning of vmbrX-OUT ?
>>Sorry, I don't get that. What problem does that solve? I thought you want to
>>enable ips per VM?
_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel