[pve-devel] RFC : iptables implementation

Dietmar Maurer dietmar at proxmox.com
Wed Jan 22 08:19:02 CET 2014



> -----Original Message-----
> From: pve-devel-bounces at pve.proxmox.com [mailto:pve-devel-
> bounces at pve.proxmox.com] On Behalf Of Dietmar Maurer
> Sent: Wednesday, 22 January 2014 08:13
> To: Alexandre DERUMIER
> Cc: pve-devel
> Subject: Re: [pve-devel] RFC : iptables implementation
> 
> > >>I am not sure if that model correctly handles traffic from one VM to
> > >>another (traffic from VM1 to VM2)?
> > >>Because you would need to apply the out rules for VM1 and the in rules for VM2.
> > >>Does that work - if so, how?
> >
> > Well, it's like having 2 VMs behind 2 firewalls.
> 
> OK, so I just believe you that this will work ;-) (I just wonder why shorewall needs
> those forwarding chains if it works without)

for example:
---------------
#out
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in tap110i0 -j tap110i0-out

#in
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out tap120i0 -j tap120i0-in
------------

If you trigger an 'ACCEPT' inside the 'tap110i0-out' chain, the input 
chain 'tap120i0-in' is never processed?
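To make the verdict semantics behind that question concrete, here is an added toy model of netfilter chain traversal (not Proxmox or iptables code; the chain contents, the packet and the RETURN variant are constructed for the illustration). It shows that an ACCEPT reached inside tap110i0-out ends FORWARD traversal before the second jump to tap120i0-in runs, whereas a RETURN hands control back to FORWARD so the in chain is evaluated too.

```python
# Toy model of netfilter chain traversal (constructed illustration, not
# Proxmox or iptables code). Rules are (match, target) pairs; user-defined
# chains are looked up by name. As in iptables, ACCEPT/DROP terminate the
# whole FORWARD traversal; RETURN, or falling off the end of a user chain,
# resumes the calling chain at its next rule.

TERMINAL = {"ACCEPT", "DROP"}

def traverse(chains, chain_name, pkt, visited):
    """Walk one chain; return a terminal verdict or None (implicit RETURN)."""
    visited.append(chain_name)
    for match, target in chains[chain_name]:
        if not match(pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        verdict = traverse(chains, target, pkt, visited)  # jump to user chain
        if verdict is not None:
            return verdict
    return None

def forward_verdict(chains, pkt):
    """Return (verdict, chains visited in order) for one packet on FORWARD."""
    visited = []
    verdict = traverse(chains, "FORWARD", pkt, visited)
    # The built-in chain's policy applies when nothing terminal matched.
    return (verdict or "POLICY_DROP"), visited

def build_chains(out_target):
    """FORWARD with the two physdev jumps from the mail; the out chain
    ends in out_target ("ACCEPT" or "RETURN"), the in chain drops."""
    return {
        "FORWARD": [
            (lambda p: p["physdev_in"] == "tap110i0", "tap110i0-out"),
            (lambda p: p["physdev_out"] == "tap120i0", "tap120i0-in"),
        ],
        "tap110i0-out": [(lambda p: True, out_target)],  # VM1 allows all
        "tap120i0-in": [(lambda p: True, "DROP")],       # VM2 rejects all
    }

# Constructed packet: bridged frame from VM1's tap to VM2's tap.
VM1_TO_VM2 = {"physdev_in": "tap110i0", "physdev_out": "tap120i0"}

if __name__ == "__main__":
    for target in ("ACCEPT", "RETURN"):
        verdict, seen = forward_verdict(build_chains(target), VM1_TO_VM2)
        print(f"out chain ends with {target}: verdict={verdict}, visited={seen}")
```

With ACCEPT the packet is accepted and tap120i0-in is never visited, so VM2's DROP rule is bypassed; with RETURN the traversal reaches tap120i0-in and the packet is dropped.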
