[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Thu Jan 23 08:39:50 CET 2014


>>But the other direction does not work (HOST to VM).

>>Maybe no big problem unless the user assigns IP addresses to multiple bridges.

I'll do a test today, because I know OpenStack can use dhcpd from the host, with different bridges + IPs,
and they have DHCP inbound rules for the tap interfaces.

I'll try to write a sample set of rules for

internet->host
host->internet
host->tap
tap->host
tap->tap



----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Thursday 23 January 2014 07:11:48
Subject: RE: [pve-devel] RFC : iptables implementation

> They also add an INPUT rule for outgoing packets from the tap. (I think this is for
> tap to host)
>
>
> -A INPUT -j proxmoxfw-chain-INPUT
> -A FORWARD -m physdev --physdev-out tap100i0 --physdev-is-bridged -j proxmoxfw-chain
> -A FORWARD -m physdev --physdev-in tap100i0 --physdev-is-bridged -j proxmoxfw-chain
>
> >> -A proxmoxfw-chain-INPUT -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT

So we can filter from VM to HOST correctly - that conforms to the docs. 

But the other direction does not work (HOST to VM). 

Maybe no big problem unless the user assigns IP addresses to multiple bridges. 
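Added example, not part of this mail thread or of the Proxmox code: a small generator that emits an iptables-restore ruleset covering the five directions Alexandre lists (internet->host, host->internet, host->tap, tap->host, tap->tap), built from the physdev rules quoted above. The chain names pvefw-INPUT/OUTPUT/FORWARD and tapXXX-IN/OUT, the bridge name vmbr0 and the per-VM policy are assumptions made for the example. It intentionally emits no host->tap rule, since the thread reports that direction does not match with these rules.

```shell
#!/bin/sh
# Example generator (not Proxmox code): print an iptables-restore ruleset for
# one host bridge and any number of VM tap interfaces. Pipe the output to
# "iptables-restore --test" to parse-check it without touching the live tables.
set -eu

BRIDGE=vmbr0        # assumed: the bridge that also carries the host's own IP
SSH_PORT=22         # assumed: the one service reachable from outside

# tap_rules TAP: per-tap chains plus the hooks that classify bridged frames by
# the physical bridge port they entered or will leave through.
tap_rules() {
    tap=$1
    # Dedicated chains so one VM's policy can be reloaded on its own.
    printf ':%s-IN - [0:0]\n:%s-OUT - [0:0]\n' "$tap" "$tap"
    # tap->tap and tap<->internet: bridged frames traverse FORWARD; physdev
    # tells us the in/out bridge port, which plain -i/-o (vmbr0) cannot.
    echo "-A pvefw-FORWARD -m physdev --physdev-in $tap --physdev-is-bridged -j $tap-OUT"
    echo "-A pvefw-FORWARD -m physdev --physdev-out $tap --physdev-is-bridged -j $tap-IN"
    # tap->host: frames addressed to the host IP leave the bridge into INPUT,
    # but the in-port is still known, so the VM's OUT policy applies there too.
    echo "-A pvefw-INPUT -m physdev --physdev-in $tap --physdev-is-bridged -j $tap-OUT"
    # host->tap: no rule emitted; the thread reports this direction cannot be
    # matched this way, so nothing is claimed for it here.
    # Assumed per-VM policy: VM may talk out freely, only SSH and replies get in.
    echo "-A $tap-OUT -j ACCEPT"
    echo "-A $tap-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A $tap-IN -p tcp --dport $SSH_PORT -j ACCEPT"
    echo "-A $tap-IN -j DROP"
}

# host_rules: the host's own INPUT/OUTPUT policy on the bridge interface.
# Must come AFTER the per-tap INPUT hooks: tap->host frames also arrive with
# -i vmbr0, so an earlier DROP here would swallow them before the physdev jump.
host_rules() {
    # internet->host
    echo "-A pvefw-INPUT -i $BRIDGE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A pvefw-INPUT -i $BRIDGE -p tcp --dport $SSH_PORT -j ACCEPT"
    echo "-A pvefw-INPUT -i $BRIDGE -j DROP"
    # host->internet
    echo "-A pvefw-OUTPUT -o $BRIDGE -j ACCEPT"
}

# ruleset TAP...: complete *filter section in iptables-restore syntax.
ruleset() {
    echo '*filter'
    printf ':%s - [0:0]\n' pvefw-INPUT pvefw-OUTPUT pvefw-FORWARD
    echo "-A INPUT -j pvefw-INPUT"
    echo "-A OUTPUT -j pvefw-OUTPUT"
    echo "-A FORWARD -j pvefw-FORWARD"
    for tap in "$@"; do tap_rules "$tap"; done
    host_rules
    echo COMMIT
}

# Usage: ./gen.sh tap100i0 tap110i0 | iptables-restore --test
if [ $# -gt 0 ]; then
    ruleset "$@"
fi
```

The ordering inside pvefw-INPUT is the point worth taking from the example: VM->host and internet->host traffic both arrive on vmbr0, and only the physdev in-port distinguishes them, so the per-tap hook has to be evaluated before the host's own input policy.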


