[pve-devel] optimize non-firewalled vms rules with devgroup

Alexandre DERUMIER aderumier at odiso.com
Sat Apr 26 13:24:29 CEST 2014


>>This is just an optimization? If so, feel free to add after testing.

Just tested, it doesn't work with physdev devices... (so any device plugged into a bridge)

IN=vmbr1 OUT=vmbr1 PHYSIN=bond0.94 PHYSOUT=tap110i0


This only works with IN= / OUT=:


#ip link set dev vmbr1 group 1
#iptables -A FORWARD -m devgroup --src-group 1 -j LOG


(So, I'll keep it in mind if we want to use a one-bridge-per-tap model)


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Saturday 26 April 2014 11:29:05
Subject: RE: [pve-devel] optimize non-firewalled vms rules with devgroup

> 
> So, at begin of vmbrxxx, we just need to add: 
> 
> 
> -A vmbrxxx-IN -m devgroup --src-group name NOFWTAPS -j ACCEPT 

> -A vmbrxxx-OUT -m devgroup --src-group name NOFWTAPS -g PVEFW-SET- 
> ACCEPT-MARK 
> 
> 
> 
> (I don't have tested it yet) 
> 
> 
> What do you think about it ? 

This is just an optimization? If so, feel free to add after testing. 
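Added example, not from the thread or from the Proxmox code: a small Python simulation of how the devgroup match evaluates the interfaces of a logged packet, showing why the bridged frame logged above can only be matched through the bridge's group (IN=/OUT=) and never through the tap's (PHYSIN=/PHYSOUT=). The device-to-group map and the group numbers are constructed.

```python
"""
Simulate `-m devgroup --src-group/--dst-group` against an iptables LOG line.
The kernel match reads the group of the packet's input/output device (IN=/OUT=).
For a frame forwarded through a Linux bridge that device is the bridge itself,
so the bridge ports reported as PHYSIN=/PHYSOUT= are never consulted.
"""
import re

# Constructed device -> group map, as set with `ip link set dev <dev> group <n>`.
# Interfaces never assigned a group stay in the kernel default group 0.
DEV_GROUPS = {"vmbr1": 1, "tap110i0": 7, "bond0.94": 0}

LOG_RE = re.compile(r"\b(IN|OUT|PHYSIN|PHYSOUT)=(\S*)")


def parse_log(line):
    """Extract the interface fields from an iptables LOG line into a dict."""
    return dict(LOG_RE.findall(line))


def devgroup_matches(fields, src_group=None, dst_group=None, groups=DEV_GROUPS):
    """Return True if a devgroup rule with these options would match the packet.

    Only IN= (for --src-group) and OUT= (for --dst-group) are looked at,
    mirroring the kernel match; PHYSIN=/PHYSOUT= are deliberately ignored.
    """
    ok = True
    if src_group is not None:
        ok = ok and groups.get(fields.get("IN"), 0) == src_group
    if dst_group is not None:
        ok = ok and groups.get(fields.get("OUT"), 0) == dst_group
    return ok


# Constructed sample: the bridged frame from the thread above.
BRIDGED = "IN=vmbr1 OUT=vmbr1 PHYSIN=bond0.94 PHYSOUT=tap110i0"

if __name__ == "__main__":
    f = parse_log(BRIDGED)
    # The bridge's group is visible to the match...
    print("src-group 1 (vmbr1):   ", devgroup_matches(f, src_group=1))
    # ...but the tap's group is not, even though the frame left via tap110i0.
    print("src-group 7 (tap110i0):", devgroup_matches(f, src_group=7))
```

The same limitation applies to a NOFWTAPS group assigned to tap devices: as long as the taps are bridge ports, a FORWARD-chain devgroup rule sees only the bridge's group.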

