[pve-devel] pvefw: why do we check vmbr0-IN for INPUT

Dietmar Maurer dietmar at proxmox.com
Fri Feb 21 09:25:15 CET 2014


> >>I am quite unsure about that. It is really difficult to understand that setup.
> >>Maybe we can use the --state to simplify things?
> 
> Do you have an example ?

Thought a bit more about that, and I wonder if we really need to jump to vmbr0-IN?
I can see that this is an optimization? But we could also use a simple RETURN instead?

exists tap100i0-OUT (OJ24RKwkwqb9Xm9aIuRWjhQ1BL4)
	-A tap100i0-OUT -m conntrack --ctstate INVALID -j DROP
	-A tap100i0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP
	-A tap100i0-OUT  -j GROUP-group1-OUT

	-A tap100i0-OUT -m mark --mark 1 -g vmbr0-IN #NOTE we can also RETURN here?

	-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4
	-A tap100i0-OUT -j DROP
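To make the "-g vmbr0-IN versus RETURN" question concrete, here is an added simulation of netfilter chain traversal (not pve-firewall code, and not from the post). It models tap100i0-OUT as listed above; the FORWARD parent chain, the body of GROUP-group1-OUT (marking ports 22 and 80) and the body of vmbr0-IN (accepting port 22) are constructed assumptions. It shows that -g and RETURN both hand a packet that vmbr0-IN does not decide back to tap100i0-OUT's caller, skipping the trailing LOG/DROP, while -j would come back into tap100i0-OUT and drop it.

```python
# Added model of netfilter chain traversal (not pve-firewall code). The FORWARD,
# GROUP-group1-OUT and vmbr0-IN bodies are assumptions; tap100i0-OUT is from the post.
ACCEPT, DROP, RETURN, LOG = "ACCEPT", "DROP", "RETURN", "LOG"
MAC = "0E:0B:38:B8:B3:21"
always = lambda p: True

def evaluate(chains, start, pkt):
    """Rule = (predicate, action); action is a verdict or ("jump"|"goto"|"mark", arg)."""
    stack = []                       # return points; only -j pushes one
    chain, i = start, 0
    while True:
        rules = chains[chain]
        # falling off the end of a chain is an implicit RETURN
        pred, action = rules[i] if i < len(rules) else (always, RETURN)
        i += 1
        if not pred(pkt):
            continue
        if action in (ACCEPT, DROP):
            return action
        if action == RETURN:
            if not stack:            # RETURN in the built-in chain: its policy decides
                return "POLICY"
            chain, i = stack.pop()
        elif action == LOG:          # non-terminating: note it and carry on
            pkt.setdefault("log", []).append(chain)
        elif action[0] == "mark":    # MARK --set-mark
            pkt["mark"] = action[1]
        elif action[0] == "jump":    # -j: come back to the next rule afterwards
            stack.append((chain, i))
            chain, i = action[1], 0
        else:                        # -g: no return point; callee returns to OUR caller
            chain, i = action[1], 0

def build(after_group):              # after_group: the rule following GROUP-group1-OUT
    return {
        "FORWARD": [(always, ("jump", "tap100i0-OUT"))],                        # assumption
        "GROUP-group1-OUT": [(lambda p: p["dport"] in (22, 80), ("mark", 1))],  # assumption
        "vmbr0-IN": [(lambda p: p["dport"] == 22, ACCEPT)],                     # assumption
        "tap100i0-OUT": [
            (lambda p: p["ctstate"] == "INVALID", DROP),
            (lambda p: p["ctstate"] in ("RELATED", "ESTABLISHED"), ACCEPT),
            (lambda p: p["mac"] != MAC, DROP),
            (always, ("jump", "GROUP-group1-OUT")),
            (lambda p: p.get("mark") == 1, after_group),
            (always, LOG),
            (always, DROP)]}

def verdict(after_group, dport, ctstate="NEW", mac=MAC):
    return evaluate(build(after_group), "FORWARD", {"dport": dport, "ctstate": ctstate, "mac": mac})
```

Try `verdict(("goto", "vmbr0-IN"), 80)`, `verdict(("jump", "vmbr0-IN"), 80)` and `verdict("RETURN", 80)`: a marked packet that vmbr0-IN does not match ends in the built-in chain's policy with -g or RETURN, but is dropped by tap100i0-OUT's last rule with -j.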

