>>This will overwrite the mark set by the -OUT chain, so this breaks the basic flow?

I don't think it's a problem; the mark is only used, after the -out chain, at the end of vmbr1-FW:

-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT
-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN
-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT

so, in the case where no tap-in chain has matched. (So it doesn't go into group-in either, and the mark is not overwritten.)

----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre Derumier" <[email protected]>, [email protected]
Sent: Friday 21 March 2014 08:09:43
Subject: RE: [pve-devel] [PATCH] add ips feature v6

> group-in rules now use also mark

This will overwrite the mark set by the -OUT chain, so this breaks the basic flow?
