[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Wed Jan 22 18:27:07 CET 2014


> FORWARD -> proxmoxfw-chain ->jump in tap chain1
>                            <-return or drop
>                            ->jump in tap chain2
>                            <-return or drop
> 
>                            ->ACCEPT
> 
> 
> don't know if it's better than

>>Above would only handle traffic originated from a VM and skip traffic from outside (eth0)?

Maybe. I think we shouldn't filter from ethX, because the outside can also be other hosts with other VMs.
(Or maybe users want to add some custom rules on ethX to protect the host itself; this way it doesn't conflict with the OpenStack rules.)


Also, maybe they are doing it like this to add some custom rules later, before the ACCEPT.


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday 22 January 2014 17:03:38
Subject: RE: [pve-devel] RFC : iptables implementation

> FORWARD -> proxmoxfw-chain ->jump in tap chain1
>                            <-return or drop
>                            ->jump in tap chain2
>                            <-return or drop
>
>                            ->ACCEPT
>
>
> don't know if it's better than

Above would only handle traffic originated from a VM and skip traffic from outside (eth0)? 
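The chain layout sketched in this thread, written out as an iptables-restore ruleset. This is an added example for illustration, not code from the mails or from Proxmox VE: the chain names (proxmoxfw-chain, proxmoxfw-<tap>), the use of the physdev match to select bridged VM traffic, and the sample per-VM policy are all assumptions. It follows the reply's suggestion that traffic entering the bridge from ethX is left alone and only frames sent by a VM go through that VM's chain, with a final ACCEPT in front of which custom rules could later be inserted.

```shell
#!/bin/sh
# Added example (not from the thread or Proxmox VE): emit an iptables-restore
# ruleset with the chain layout discussed above:
#   FORWARD -> proxmoxfw-chain -> proxmoxfw-<tap1> (RETURN or DROP)
#                              -> proxmoxfw-<tap2> (RETURN or DROP)
#                              -> ACCEPT
# Chain names and the per-VM policy are assumptions chosen for illustration.
# The physdev match needs net.bridge.bridge-nf-call-iptables=1 on the host.

# gen_ruleset tap100i0 tap101i0 ...   -> prints the ruleset on stdout
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':proxmoxfw-chain - [0:0]'
    for tap in "$@"; do
        printf '%s\n' ":proxmoxfw-$tap - [0:0]"
    done

    # Only bridged traffic is sent to proxmoxfw-chain. Traffic for the host
    # itself never passes FORWARD, and frames entering the bridge from ethX
    # are not filtered here either, as suggested in the reply above.
    printf '%s\n' '-A FORWARD -m physdev --physdev-is-bridged -j proxmoxfw-chain'

    for tap in "$@"; do
        # Jump into a VM's chain only for frames that VM sent itself, so
        # other VMs' traffic effectively "returns" past this rule.
        printf '%s\n' "-A proxmoxfw-chain -m physdev --physdev-in $tap -j proxmoxfw-$tap"
        # Sample per-VM egress policy (assumed): packets of established flows,
        # DNS and web are allowed (RETURN); anything else the VM sends is DROPped.
        printf '%s\n' "-A proxmoxfw-$tap -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
        printf '%s\n' "-A proxmoxfw-$tap -p udp --dport 53 -j RETURN"
        printf '%s\n' "-A proxmoxfw-$tap -p tcp -m multiport --dports 80,443 -j RETURN"
        printf '%s\n' "-A proxmoxfw-$tap -j DROP"
    done

    # Whatever survived every tap chain is accepted; custom rules can later
    # be inserted in front of this final ACCEPT.
    printf '%s\n' '-A proxmoxfw-chain -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# count_tap_chains tap100i0 ...  -> number of per-VM chains the ruleset declares
count_tap_chains() {
    gen_ruleset "$@" | grep -c '^:proxmoxfw-tap'
}
```

On a test host the output can be loaded with `gen_ruleset tap100i0 tap101i0 | iptables-restore -n` (`-n` keeps the rules already present in the filter table); a real implementation would have to flush or replace its own chains before reloading so the FORWARD jump is not appended twice. Only the VM-to-outside direction (`--physdev-in`) is shown; traffic towards a VM would get a second chain selected with `--physdev-out`.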


