[pve-devel] RFC : iptables implementation
Alexandre DERUMIER
aderumier at odiso.com
Wed Jan 22 09:19:05 CET 2014
>>If you trigger an 'ACCEPT' inside the 'tap110i0-out' chain, the input
>>chain 'tap120i0-in' is never processed?
Ok, I understand, I'll test it today.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday, 22 January 2014 08:19:02
Subject: RE: [pve-devel] RFC : iptables implementation
> -----Original Message-----
> From: pve-devel-bounces at pve.proxmox.com [mailto:pve-devel-
> bounces at pve.proxmox.com] On Behalf Of Dietmar Maurer
> Sent: Wednesday, 22 January 2014 08:13
> To: Alexandre DERUMIER
> Cc: pve-devel
> Subject: Re: [pve-devel] RFC : iptables implementation
>
> > >>I am not sure if that model correctly handles traffic from one VM to
> > >>another (traffic from VM1 to VM2)?
> > >>Because you would need to apply the out rules for VM1 and the in rules for VM2.
> > >>Does that work - if so, how?
> >
> > Well, it is like having 2 VMs behind 2 firewalls.
>
> OK, so I just believe you that this will work ;-) (I just wonder why shorewall needs
> those forwarding chains if it works without)
For example:
---------------
#out
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in tap110i0 -j tap110i0-out
#in
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out tap120i0 -j tap120i0-in
------------
If you trigger an 'ACCEPT' inside the 'tap110i0-out' chain, the input
chain 'tap120i0-in' is never processed?
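The question above (does an ACCEPT reached inside 'tap110i0-out' end the FORWARD walk before 'tap120i0-in' is consulted?) can be checked against a small model of how iptables walks chains. This is an added example, not code from the thread or from pve-firewall; the chain names are the ones in the mail, while the packet fields, the rule helpers and the mark-and-return layout (allowed rules set a mark and RETURN, FORWARD accepts marked packets only after every per-VM chain has run) are constructed for the illustration.

```python
# Constructed model of iptables chain traversal: ACCEPT/DROP end the whole FORWARD
# walk; RETURN, or running off the end of a user chain, hands control back to the
# caller; -j MARK keeps walking. "MARK+RETURN" stands in for '-g' to a chain that
# sets the accept mark and returns (the usual way to say "allowed, keep walking").
def traverse(chains, name, pkt, visited):
    visited.append(name)
    for match, target in chains[name]:
        if not match(pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        if target in ("MARK", "UNMARK"):
            pkt["mark"] = target == "MARK"
            continue
        if target == "MARK+RETURN":
            pkt["mark"] = True
            return None
        verdict = traverse(chains, target, pkt, visited)   # -j <user chain>
        if verdict is not None:
            return verdict
    return None
def forward(chains, pkt, policy="DROP"):
    """Return (verdict, chains visited) for one packet entering FORWARD."""
    pkt, visited = dict(pkt, mark=False), []
    return (traverse(chains, "FORWARD", pkt, visited) or policy), visited

# Stand-ins for -m physdev --physdev-in/--physdev-out and -p tcp --dport.
def phys_in(tap):  return lambda p: p["in"] == tap
def phys_out(tap): return lambda p: p["out"] == tap
def dport(port):   return lambda p: p["dport"] == port
ANY, MARKED = (lambda p: True), (lambda p: p["mark"])
# Layout from the mail: per-VM chains end in ACCEPT.
ACCEPT_LAYOUT = {
    "FORWARD": [(phys_in("tap110i0"), "tap110i0-out"),
                (phys_out("tap120i0"), "tap120i0-in")],
    "tap110i0-out": [(ANY, "ACCEPT")],                      # VM1 may send anything
    "tap120i0-in": [(dport(22), "ACCEPT"), (ANY, "DROP")],  # VM2 accepts only ssh
}
# Mark-and-return layout: both chains always run, FORWARD decides at the end.
MARK_LAYOUT = {
    "FORWARD": [(phys_in("tap110i0"), "tap110i0-out"),
                (phys_out("tap120i0"), "tap120i0-in"),
                (MARKED, "ACCEPT")],
    "tap110i0-out": [(ANY, "UNMARK"), (ANY, "MARK+RETURN")],
    "tap120i0-in": [(ANY, "UNMARK"), (dport(22), "MARK+RETURN"), (ANY, "DROP")],
}
# Constructed sample packet: VM1 (tap110i0) talking to VM2 (tap120i0) on port 80.
VM1_TO_VM2_HTTP = {"in": "tap110i0", "out": "tap120i0", "dport": 80}
```

With the mail's layout, forward(ACCEPT_LAYOUT, VM1_TO_VM2_HTTP) returns ACCEPT after visiting only FORWARD and tap110i0-out, so VM2's inbound rules never see traffic from another VM on the same bridge; with MARK_LAYOUT both per-VM chains are visited and the port-80 packet is dropped by tap120i0-in.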