[pve-devel] [PATCH] add ips feature v2

Dietmar Maurer dietmar at proxmox.com
Mon Mar 17 13:02:54 CET 2014


We use '-j ACCEPT' at many places. Each of those calls will bypass the ips?
So shouldn't we replace all occurrences of '-j ACCEPT'?

> This adds ips (like suricata) support through nfqueues.
> 
> this creates a new chain PVEFW-Accept
> 
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept
> -A PVEFW-Accept -m physdev --physdev-out tapxxx --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass
> -A PVEFW-Accept -m physdev --physdev-out tapxxx --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass
> -A PVEFW-Accept -j ACCEPT
> 
> it's using --queue-bypass (only available in 3.10 kernel), so if the suricata
> daemon is down,
> packets are not dropped.
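As an added illustration (not code from the patch or from this thread), a shell sketch that generates the PVEFW-Accept chain described above for a list of tap interfaces, and a check that scans an iptables-save style dump for rules which jump straight to ACCEPT and therefore never reach the NFQUEUE; the tap names and the dump are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the patch: build the PVEFW-Accept chain for a
# list of tap interfaces, then audit an iptables-save dump for rules that
# still jump directly to ACCEPT and so bypass the IPS queue.
# Interface names and SAMPLE_DUMP below are constructed sample data.

# Print the rules that route accepted traffic for each tap into NFQUEUE 0.
# The final "-j ACCEPT" passes packets not destined for any queued tap.
# --queue-bypass needs kernel >= 3.10; without it a stopped IPS drops packets.
pvefw_accept_rules() {
    printf '%s\n' "-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept"
    for tap in "$@"; do
        printf '%s\n' "-A PVEFW-Accept -m physdev --physdev-out $tap --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass"
    done
    printf '%s\n' "-A PVEFW-Accept -j ACCEPT"
}

# Read an iptables-save style dump on stdin and print every PVEFW-* rule that
# ends in "-j ACCEPT" outside the PVEFW-Accept chain: such traffic is never
# queued to the IPS, which is the concern raised in the reply above.
ips_bypass_rules() {
    grep -E '^-A PVEFW-' | grep -E -- '-j ACCEPT( |$)' | grep -v '^-A PVEFW-Accept '
}

# Constructed dump: one rule goes via PVEFW-Accept, two bypass it.
SAMPLE_DUMP='-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept
-A PVEFW-FORWARD -i fwbr+ -j ACCEPT
-A PVEFW-Accept -j ACCEPT
-A PVEFW-INPUT -i lo -j ACCEPT'

# Number of bypassing rules found in SAMPLE_DUMP (2 for the data above).
count_bypass() {
    printf '%s\n' "$SAMPLE_DUMP" | ips_bypass_rules | wc -l | tr -d ' '
}
```

Feed real output of `iptables-save` into `ips_bypass_rules` to list the candidates that would have to be changed to jump to PVEFW-Accept instead.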