[pve-devel] [PATCH] add ips feature v5
Alexandre DERUMIER
aderumier at odiso.com
Wed Mar 19 19:44:51 CET 2014
>>I do not understand this. In tap-out we simply set the mark (we do not jump to ACCEPT there),
>>so why is that a problem?
Not for conntrack
-N tapXXXi0-OUT
-A tapXXXi0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A tapXXXi0-OUT -p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK
-A tapXXXi0-OUT -p tcp -j PVEFW-tcpflags
-A tapXXXi0-OUT -m conntrack --ctstate INVALID -j DROP
-A tapXXXi0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT >> HERE
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday, March 19, 2014 19:34:31
Subject: RE: [pve-devel] [PATCH] add ips feature v5
> in this case:
>
> tap1-out : ACCEPT (ips off) -----> tap2-in : ACCEPT (ips on)
>
>
> We don't want always NFQUEUE in tap1-out, because ips is off, but we want
> NFQUEUE if the destination have ips on.
I do not understand this. In tap-out we simply set the mark (we do not jump to ACCEPT there),
so why is that a problem?
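As an added example (not code from this thread or from the Proxmox firewall), a small Python model of iptables chain traversal that illustrates the point of the reply: once the RELATED,ESTABLISHED rule in tapXXXi0-OUT jumps to ACCEPT, the destination VM's IN chain never sees the packet, so an accept mark set earlier cannot steer the flow to NFQUEUE; if that rule instead only sets the mark, the IN chain can still queue it. The destination chain tapYYYi0-IN, the packet representation, the mark value and the "IPS on" flag are assumptions, and PVEFW-smurfs / PVEFW-tcpflags are modelled as non-terminating.

```python
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "NFQUEUE"}   # verdicts that end traversal

@dataclass
class Packet:
    proto: str              # "tcp" or "udp"
    ctstate: str            # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    sport: int = 0
    dport: int = 0
    mark: int = 0           # constructed stand-in for the PVEFW accept mark
    trace: list = field(default_factory=list)

def established(p):
    return p.ctstate in ("RELATED", "ESTABLISHED")

def tap_out_rules(conntrack_target):
    """tapXXXi0-OUT as quoted in the mail; the last rule's target is
    parameterised so both variants under discussion can be compared."""
    return [
        (lambda p: p.ctstate in ("INVALID", "NEW"), "PVEFW-smurfs"),   # non-terminating here
        (lambda p: p.proto == "udp" and p.sport == 68 and p.dport == 67, "PVEFW-SET-ACCEPT-MARK"),
        (lambda p: p.proto == "tcp", "PVEFW-tcpflags"),                 # non-terminating here
        (lambda p: p.ctstate == "INVALID", "DROP"),
        (established, conntrack_target),                                # "ACCEPT" is the HERE line
    ]

def walk(chain, rules, pkt):
    """Evaluate rules in order; return a terminating verdict or None."""
    for match, target in rules:
        if not match(pkt):
            continue
        pkt.trace.append(f"{chain} -> {target}")
        if target == "PVEFW-SET-ACCEPT-MARK":
            pkt.mark = 1                # mark only; traversal continues
        elif target in TERMINAL:
            return target
    return None

def forward(pkt, dest_ips_on, out_conntrack_target="ACCEPT"):
    """Source VM's OUT chain, then the destination VM's IN chain (assumed)."""
    verdict = walk("tapXXXi0-OUT", tap_out_rules(out_conntrack_target), pkt)
    if verdict is not None:
        return verdict                  # OUT already decided; IN never runs
    in_rules = [
        (lambda p: dest_ips_on and established(p), "NFQUEUE"),  # IPS inspects the flow
        (lambda p: True, "ACCEPT"),
    ]
    return walk("tapYYYi0-IN", in_rules, pkt)
```

Run forward() on an ESTABLISHED tcp packet with dest_ips_on=True: with the ACCEPT target the trace stops in tapXXXi0-OUT, with "PVEFW-SET-ACCEPT-MARK" the verdict becomes NFQUEUE.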