[pve-devel] [PATCH] optimize bridge chains

Alexandre DERUMIER aderumier at odiso.com
Tue Feb 25 12:12:30 CET 2014


>>Just noticed that you still jump to vmbr0-IN instead of using 'RETURN' 

Yes, I just noticed it too ;)
I'll send patch.



It's also missing the bridge->ethX accept rule at the end of vmbr0
(IN=vmbr0 OUT=vmbr0 PHYSIN=tap110i0 PHYSOUT=eth0)

currently:
-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-bridged -j vmbr0
-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP

-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT 
-A vmbr0 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN

-A vmbr0 -j ACCEPT   >>> This accepts traffic from the physical interface ethX plugged into the bridge



But if we do:

-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP

I think we need to find the ethX interface plugged into vmbr0, and add a rule before the DROP



I don't know, what is the best way?




----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Tuesday, 25 February 2014 12:03:35 
Subject: RE: [pve-devel] [PATCH] optimize bridge chains 

Just noticed that you still jump to vmbr0-IN instead of using 'RETURN' 

exists tap100i0-OUT (OJ24RKwkwqb9Xm9aIuRWjhQ1BL4) 
-A tap100i0-OUT -m conntrack --ctstate INVALID -j DROP 
-A tap100i0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP 
-A tap100i0-OUT -j GROUP-group1-OUT 
# I thought we can now use RETURN here? 
-A tap100i0-OUT -m mark --mark 1 -g vmbr0-IN 
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4 
-A tap100i0-OUT -j DROP 


> -----Original Message----- 
> From: Alexandre DERUMIER [mailto:aderumier at odiso.com] 
> Sent: Tuesday, 25 February 2014 11:22 
> To: Dietmar Maurer 
> Cc: pve-devel at pve.proxmox.com 
> Subject: Re: [pve-devel] [PATCH] optimize bridge chains 
> 
> >>can't we jump from PVEFW-FORWARD directly A vmbr0-IN/vmbr0-OUT ? 



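One way to do what the mail asks for (find the physical port plugged into the bridge and place an ACCEPT for it ahead of the final DROP), added here as an example and not code from the mail or from the pve-firewall project: read the bridge's member ports from /sys/class/net/<bridge>/brif/ and treat every member whose name does not start with "tap" as the uplink. That naming heuristic, the SYSFS_NET override, and the function names bridge_uplinks and bridge_forward_rules are assumptions of this example; the rule layout follows the "But if we do:" listing above, with the ACCEPT inserted for PHYSOUT=<uplink> so the tap110i0 -> eth0 case from the mail no longer falls through to DROP.

```shell
#!/bin/sh
# Added example (not Proxmox VE code): derive the physical uplink(s) of a
# bridge from sysfs and print PVEFW-FORWARD rules in iptables-save syntax,
# with an ACCEPT for PHYSOUT=<uplink> placed before the final DROP.
#
# Assumptions (not from the mail): bridge members are listed under
# $SYSFS_NET/<bridge>/brif/, and any member whose name does not start with
# "tap" is a physical uplink (eth0, bond0, eth0.100, ...). SYSFS_NET can be
# pointed at a fake tree for testing.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# bridge_uplinks BRIDGE: print one uplink port name per line.
# Returns 1 if BRIDGE is not a bridge (no brif directory).
bridge_uplinks() {
    bridge="$1"
    brif="$SYSFS_NET/$bridge/brif"
    [ -d "$brif" ] || return 1
    for port in "$brif"/*; do
        [ -e "$port" ] || continue   # empty bridge: the glob did not expand
        name="${port##*/}"
        case "$name" in
            tap*) ;;                  # VM interface, covered by tapXXX-IN/-OUT chains
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# bridge_forward_rules BRIDGE: print the PVEFW-FORWARD rules for BRIDGE:
# the two direct jumps to BRIDGE-OUT/BRIDGE-IN, one ACCEPT per uplink for
# frames leaving through that port, then the two catch-all DROPs.
bridge_forward_rules() {
    bridge="$1"
    printf -- '-A PVEFW-FORWARD -o %s -m physdev --physdev-is-in --physdev-is-bridged -j %s-OUT\n' "$bridge" "$bridge"
    printf -- '-A PVEFW-FORWARD -i %s -m physdev --physdev-is-out --physdev-is-bridged -j %s-IN\n' "$bridge" "$bridge"
    for up in $(bridge_uplinks "$bridge"); do
        # e.g. IN=vmbr0 OUT=vmbr0 PHYSIN=tap110i0 PHYSOUT=eth0: after the
        # tap chains return, this frame must not fall through to DROP.
        printf -- '-A PVEFW-FORWARD -o %s -m physdev --physdev-out %s --physdev-is-bridged -j ACCEPT\n' "$bridge" "$up"
    done
    printf -- '-A PVEFW-FORWARD -o %s -j DROP\n' "$bridge"
    printf -- '-A PVEFW-FORWARD -i %s -j DROP\n' "$bridge"
}

# Stand-alone use: `sh this_script.sh vmbr0` prints the rules for vmbr0.
if [ -n "${1:-}" ]; then
    bridge_forward_rules "$1"
fi
```

The output is meant to be pasted into the PVEFW-FORWARD section of an iptables-restore input; inbound frames (PHYSIN=eth0 PHYSOUT=tapXXX) are not given an extra ACCEPT because they still reach the tapXXX-IN chain through the --physdev-is-out jump.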