[pve-devel] pve-firewall : new model v1

Dietmar Maurer dietmar at proxmox.com
Fri May 9 12:09:32 CEST 2014


applied patch 2-4, but skipped patch 1/4

> -----Original Message-----
> From: pve-devel [mailto:pve-devel-bounces at pve.proxmox.com] On Behalf
> Of Alexandre Derumier
> Sent: Freitag, 09. Mai 2014 09:47
> To: pve-devel at pve.proxmox.com
> Subject: [pve-devel] pve-firewall : new model v1
> 
> details are in commit,
> but this look globally like this
> 
> 
> -A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
> -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
>       -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
>       -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
>       -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
>       -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
> -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
>       -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
>       -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0  -j veth0.0-OUT
> 
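The chain layout quoted above, parsed and exercised as an added example (this is not Proxmox code and not part of the mail). It reads the rules exactly as posted, builds the chain graph, lists the jump targets whose contents the mail does not show (PVEFW-tcpflags, PVEFW-smurfs and the per-device tapNNNiN-IN/OUT and vethN.N-IN/OUT chains), and traces constructed packets through PVEFW-FORWARD with a simplified model of iptables semantics: `+` is a prefix wildcard, a match preceded by `!` is negated, the listed chains are evaluated in order, and a chain that is jumped to but has no rules in the listing is treated as an empty user chain that returns to its caller. The `Packet` fields are an assumption of this model, not an iptables API.

```python
"""Parse the PVEFW chain listing from the mail and trace packets through it.

Added example, not Proxmox code. RULES_TEXT is the listing from the mail with
indentation removed; everything else is a deliberately simplified model.
"""
import shlex
from dataclasses import dataclass

# Rules as posted in the mail (constructed input: indentation stripped, otherwise verbatim).
RULES_TEXT = """
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0 -j veth0.0-OUT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end traversal


@dataclass
class Packet:
    """Assumed packet model: just the attributes the listed matches look at."""
    in_iface: str            # -i: interface netfilter sees the packet arriving on
    physdev_in: str = ""     # bridge port the frame came in on
    physdev_out: str = ""    # bridge port the frame will leave on
    bridged: bool = False    # frame is bridged rather than routed
    proto: str = "tcp"
    ctstate: str = "NEW"


@dataclass
class Rule:
    matches: list            # (key, value, negated) triples
    target: str


def parse_rules(text):
    """Return {chain: [Rule, ...]} in listing order; '!' negates the next match."""
    chains = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue
        chain, matches, target, negate, i = toks[1], [], None, False, 2
        while i < len(toks):
            t = toks[i]
            if t == "!":
                negate = True; i += 1; continue
            if t == "-m":                         # match-extension load, no semantics here
                i += 2; continue
            if t == "-j":
                target = toks[i + 1]; i += 2; continue
            if t == "--physdev-is-bridged":       # flag without an argument
                matches.append(("bridged", True, negate)); negate = False; i += 1; continue
            matches.append((t, toks[i + 1], negate)); negate = False; i += 2
        chains.setdefault(chain, []).append(Rule(matches, target))
    return chains


def _iface_match(pattern, name):
    """iptables '+' wildcard: 'fwbr+' matches any interface name starting with 'fwbr'."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name


def rule_matches(rule, pkt):
    for key, val, neg in rule.matches:
        if key == "-i":
            ok = _iface_match(val, pkt.in_iface)
        elif key == "-p":
            ok = pkt.proto == val
        elif key == "--ctstate":
            ok = pkt.ctstate in val.split(",")
        elif key == "--physdev-in":
            ok = _iface_match(val, pkt.physdev_in)
        elif key == "--physdev-out":
            ok = _iface_match(val, pkt.physdev_out)
        elif key == "bridged":
            ok = pkt.bridged
        else:
            raise ValueError("unsupported match " + key)
        if ok == neg:                 # plain match missed, or negated match hit
            return False
    return True


def trace(chains, pkt, chain="PVEFW-FORWARD", path=None):
    """Walk the chains in order; return (verdict, chains visited).

    A chain that is jumped to but absent from the listing counts as an empty
    user chain and returns to its caller. A None verdict at the top level means
    the packet fell off the end of PVEFW-FORWARD and the chain policy applies.
    """
    path = [] if path is None else path
    path.append(chain)
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, path
        if rule.target == "RETURN":
            return None, path
        verdict, path = trace(chains, pkt, rule.target, path)
        if verdict is not None:
            return verdict, path
    return None, path


def undefined_chains(chains):
    """Jump targets that are neither builtin verdicts nor defined in the listing."""
    targets = {r.target for rules in chains.values() for r in rules}
    return sorted(t for t in targets if t not in TERMINAL | {"RETURN"} and t not in chains)


CHAINS = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    print("chains not shown in the mail:", undefined_chains(CHAINS))
    uplink_to_vm = Packet("fwbr123i0", physdev_in="link0", physdev_out="tap123i0", bridged=True)
    vm_to_uplink = Packet("fwbr123i0", physdev_in="tap123i0", physdev_out="link0", bridged=True, proto="udp")
    print("uplink -> VM:", trace(CHAINS, uplink_to_vm))
    print("VM -> uplink:", trace(CHAINS, vm_to_uplink))
```

Running it shows the two directions the listing distinguishes: a new connection arriving from the uplink port passes through PVEFW-FWBR-IN and the tcpflags, smurfs and tap123i0-IN hooks before falling back to the FORWARD policy, while traffic leaving towards the uplink only touches PVEFW-FWBR-OUT and tap123i0-OUT. Traffic that does not enter through an fwbr+ interface is accepted by the first rule without any further inspection, which is the point a reviewer would check against the intended design.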
