[pve-devel] optimize non-firewalled vms rules with devgroup
aderumier at odiso.com
Sat Apr 26 13:24:29 CEST 2014
>>This is just an optimization? If so, feel free to add after testing.
Just tested, it's don't work with phydev devices... (so any device plug on a bridge)
IN=vmbr1 OUT=vmbr1 PHYSIN=bond0.94 PHYSOUT=tap110i0
this works only with IN= OUT=
#ip link set dev vmbr1 group 1
#iptables -A FORWARD -m devgroup --src-group 1 -j LOG
(So, I keep it in mind if we want to use 1 bridge by tap model)
----- Mail original -----
De: "Dietmar Maurer" <dietmar at proxmox.com>
À: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Envoyé: Samedi 26 Avril 2014 11:29:05
Objet: RE: [pve-devel] optimize non-firewalled vms rules with devgroup
> So, at begin of vmbrxxx, we just need to add:
> -A vmbrxxx-IN -m devgroup --src-group name NOFWTAPS -j ACCEPT
> -A vmbrxxx-OUT -m devgroup --src-group name NOFWTAPS -g PVEFW-SET-
> (I don't have tested it yet)
> What do you think about it ?
This is just an optimization? If so, feel free to add after testing.
More information about the pve-devel