[pve-devel] review of dietmar patches

Alexandre Derumier aderumier at odiso.com
Mon May 12 13:33:12 CEST 2014


Ok, all seems to work fine now.

tap->tap
tap->host
host->tap
tap->vnet0
vnet0->tap
vnet0->host
host->vnet0



An optimisation could be done in the tap-out and veth-out chains:

we can do ACCEPT instead of return for these chains
(to avoid scanning all tapxxx-OUT chains in PVEFW-FWBR-OUT)

before
------
-A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -g PVEFW-SET-ACCEPT-MARK
-A tap123i0-OUT -j GROUP-group1-OUT
-A tap123i0-OUT -m mark --mark 0x1 -j RETURN

after
-----
-A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A tap123i0-OUT -j GROUP-group1-OUT
-A tap123i0-OUT -m mark --mark 0x1 -j ACCEPT
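
As an added illustration (not part of the original message and not Proxmox code), this toy model of iptables chain traversal counts the rules evaluated when a tap chain ends in RETURN versus ACCEPT. The FORWARD and LATER-CHECK chains, the per-device match in PVEFW-FWBR-OUT and the group chain setting mark 0x1 are assumptions made for the model; it also shows that ACCEPT ends traversal, so rules placed after the jump in a parent chain are no longer evaluated.

```python
# Toy iptables traversal model (constructed; not Proxmox code).
# A rule is (match, target); match is a predicate on the packet dict.
# Targets: "ACCEPT", "RETURN", a chain name (jump), or a callable
# (non-terminating action such as MARK).

def build(n_taps, final_target):
    """Ruleset with n_taps tapNi0-OUT chains ending in final_target on mark 0x1."""
    always = lambda p: True
    chains = {
        # Assumed parent layout: jump to PVEFW-FWBR-OUT, then one later rule.
        "FORWARD": [(always, "PVEFW-FWBR-OUT"), (always, "LATER-CHECK")],
        "LATER-CHECK": [(always, "ACCEPT")],  # hypothetical chain
        "PVEFW-FWBR-OUT": [],
        # Assumed: the group chain sets mark 0x1 for allowed traffic.
        "GROUP-group1-OUT": [(always, lambda p: p.update(mark=1))],
    }
    for i in range(n_taps):
        name = f"tap{i}i0-OUT"
        chains["PVEFW-FWBR-OUT"].append((lambda p, d=f"tap{i}i0": p["in"] == d, name))
        chains[name] = [
            (always, lambda p: p.update(mark=0)),         # MARK --set-xmark 0x0
            (always, "GROUP-group1-OUT"),                 # -j GROUP-group1-OUT
            (lambda p: p["mark"] == 1, final_target),     # -m mark --mark 0x1
        ]
    return chains

def traverse(chains, packet, start="FORWARD"):
    """Return (verdict, rules_evaluated, chains_visited)."""
    stats = {"rules": 0, "visited": []}
    def run(chain):
        stats["visited"].append(chain)
        for match, target in chains[chain]:
            stats["rules"] += 1
            if not match(packet):
                continue
            if callable(target):
                target(packet)            # non-terminating, continue in chain
            elif target == "ACCEPT":
                return "ACCEPT"           # terminates the whole traversal
            elif target == "RETURN":
                return None               # resume in the calling chain
            else:
                verdict = run(target)     # jump into a user-defined chain
                if verdict:
                    return verdict
        return None                       # end of chain: implicit return
    return run(start) or "POLICY", stats["rules"], stats["visited"]
```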




