[pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces

Dietmar Maurer dietmar at proxmox.com
Thu Feb 27 08:53:50 CET 2014


I am still confused about those bridge chains:

> > -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
> > -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
> > -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT (maybe this is better ?)
> 
> After my change, I guess we need to add such rule additionally:
> 
> -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
> -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
> -A vmbr0-FW -m mark --mark 1 -j ACCEPT

This is what we have currently. But this blocks traffic to 'unmanaged' tap devices (VMs with no firewall)

> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT 

Seems to solve that.

So we would have:

-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0-FW -m mark --mark 1 -j ACCEPT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT

But what exactly is the difference to the original solution?

-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0-FW -j ACCEPT

Can you see/explain the difference?
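The following is an added example, not part of the mail above and not Proxmox code. It is a small Python model of iptables chain traversal (rules tried in order, `-j chain` jumps, falling off the end of a user chain returns to the caller) used to run both vmbr0-FW variants from the mail against a few constructed packets. The per-VM chains vmbr0-IN/vmbr0-OUT are modelled as empty (the 'unmanaged tap' case: they return without a verdict), the `--mark 1` value is assumed to have been set before the packet reaches vmbr0-FW, and the packets, port names and the "bridged vs routed" flag are all constructed here.

```python
"""Model of iptables chain traversal to compare the two vmbr0-FW rule sets.

Added example, not Proxmox code. Packets, port names, the empty vmbr0-IN /
vmbr0-OUT chains and the pre-set mark are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


@dataclass
class Packet:
    physdev_in: Optional[str]   # bridge port the frame came in on (None if not from a bridge port)
    physdev_out: Optional[str]  # bridge port it will leave on (None if it is routed away)
    bridged: bool               # True: L2-forwarded by the bridge; False: routed (physdev-is-bridged fails)
    mark: int = 0               # assumed to be set earlier, e.g. by a VM chain


def match_physdev(pkt: Packet, is_in=False, is_out=False, is_bridged=False) -> bool:
    """Approximation of `-m physdev --physdev-is-in/--physdev-is-out/--physdev-is-bridged`."""
    if is_in and pkt.physdev_in is None:
        return False
    if is_out and pkt.physdev_out is None:
        return False
    if is_bridged and not pkt.bridged:
        return False
    return True


Rule = Tuple[Callable[[Packet], bool], str]   # (match, target); target is a verdict or a chain name
Chains = Dict[str, List[Rule]]


def run_chain(chains: Chains, name: str, pkt: Packet) -> str:
    """Walk chain `name`; return ACCEPT/DROP, or RETURN when no rule gave a verdict."""
    for match, target in chains[name]:
        if not match(pkt):
            continue
        if target in (ACCEPT, DROP, RETURN):
            return target
        verdict = run_chain(chains, target, pkt)   # -j <user chain>
        if verdict != RETURN:
            return verdict                          # sub-chain decided; stop here
    return RETURN                                   # fell off the end: back to the caller


def build(final_rules: List[Rule]) -> Chains:
    """vmbr0-FW with the two dispatch rules shared by both variants, plus the variant's tail."""
    return {
        "vmbr0-OUT": [],   # unmanaged tap: no per-VM rules, returns without verdict
        "vmbr0-IN": [],
        "vmbr0-FW": [
            (lambda p: match_physdev(p, is_in=True, is_bridged=True), "vmbr0-OUT"),
            (lambda p: match_physdev(p, is_out=True, is_bridged=True), "vmbr0-IN"),
        ] + final_rules,
    }


# Variant from the mail: mark-based ACCEPT plus ACCEPT for bridged-out frames.
PROPOSED = build([
    (lambda p: p.mark == 1, ACCEPT),
    (lambda p: match_physdev(p, is_out=True, is_bridged=True), ACCEPT),
])
# "Original solution": unconditional ACCEPT at the end of the chain.
ORIGINAL = build([(lambda p: True, ACCEPT)])

# Constructed sample traffic (port names are made up).
SAMPLES: Dict[str, Packet] = {
    "bridged, unmarked, to unmanaged tap": Packet("eth0", "tap100i0", bridged=True),
    "bridged, marked":                     Packet("tap100i0", "eth0", bridged=True, mark=1),
    "routed out of the bridge":            Packet("tap100i0", None, bridged=False),
}


def compare(pkt: Packet) -> Tuple[str, str]:
    """(verdict under PROPOSED, verdict under ORIGINAL) for one packet."""
    return run_chain(PROPOSED, "vmbr0-FW", pkt), run_chain(ORIGINAL, "vmbr0-FW", pkt)


def differing() -> Dict[str, Tuple[str, str]]:
    """Sample packets on which the two rule sets give different results."""
    return {name: compare(p) for name, p in SAMPLES.items() if compare(p)[0] != compare(p)[1]}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:40s} proposed={compare(pkt)[0]:6s} original={compare(pkt)[1]}")
```

Under this model the two variants agree on every bridged frame (the second ACCEPT catches everything `--physdev-is-out --physdev-is-bridged` matches, marked or not); they only part ways for a packet that is not being bridged, which the unconditional ACCEPT accepts while the proposed tail lets fall back to the calling chain. Whether such packets ever reach vmbr0-FW depends on how the chain is jumped to, which this example does not model.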
