[pve-devel] pvefw security group question

Alexandre DERUMIER aderumier at odiso.com
Wed Feb 19 10:21:18 CET 2014


>>No, this is a misunderstanding.
>>
>>We need separate GROUP-IN and GROUP-OUT rules. 

Ok :)

>>My question was if we should allow to apply them independently. 
>>Currently, a VM can only use GROUP-IN for example. 
>>
>>got it? 

No, sorry :(

with my patches, we could already apply GROUP-IN in TAP-IN, and GROUP-OUT in TAP-OUT

only difference between out/in group was, -j PVEFW-BRIDGE-IN or -j ACCEPT.

(Note that with mark, it's improved, because we can jump directly to -j VMBRX-IN)



About your patches, iptables-restore hanging here for me:

-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN

Any idea? (Setting mark in other chains works fine.)

----- Original message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday, 19 February 2014 09:51:15
Subject: RE: [pve-devel] pvefw security group question

> (But finally, you create GROUP-IN and GROUP-OUT rules? I thought you
> wanted common group rules)

No, this is a misunderstanding.

We need separate GROUP-IN and GROUP-OUT rules. 

My question was if we should allow to apply them independently. 
Currently, a VM can only use GROUP-IN for example. 

got it? 


