>>If you trigger an 'ACCEPT' inside the 'tap110i0-out' chain, the input chain 'tap120i0-in' is never processed?

OK, I understand, I'll test it today.

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday, 22 January 2014 08:19:02
Subject: RE: [pve-devel] RFC : iptables implementation

> -----Original Message-----
> From: pve-devel-boun...@pve.proxmox.com [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf Of Dietmar Maurer
> Sent: Wednesday, 22 January 2014 08:13
> To: Alexandre DERUMIER
> Cc: pve-devel
> Subject: Re: [pve-devel] RFC : iptables implementation
>
> > >>I am not sure if that model correctly handles traffic from one VM to another (traffic from VM1 to VM2)?
> > >>Because you would need to apply out rules for VM1, the in rules for VM2.
> > >>Does that work - if so how?
> >
> > Well, it is like having 2 VMs behind 2 firewalls.
>
> OK, so I just believe you that this will work ;-) (I just wonder why shorewall needs
> those forwarding chains if it works without)

for example:

---------------
#out
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in tap110i0 -j tap110i0-out
#in
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out tap120i0 -j tap120i0-in
------------

If you trigger an 'ACCEPT' inside the 'tap110i0-out' chain, the input chain 'tap120i0-in' is never processed?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
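
The traversal question raised in this thread can be checked with a small model of iptables verdict semantics. This is an added example, not code from the thread or from Proxmox: ACCEPT and DROP end processing of the packet in the FORWARD chain, while RETURN resumes in the calling chain. The rules placed inside `tap110i0-out` and `tap120i0-in` (ports 22 and 80) and the sample packet are constructed assumptions.

```python
# Simplified model of iptables chain traversal (added example).
# A rule is (match_fn, target). The target is a verdict ("ACCEPT", "DROP",
# "RETURN") or the name of a user-defined chain to jump to.

def traverse(chains, chain, pkt, trace):
    """Walk one chain; return a final verdict, or None to resume in the caller."""
    for match, target in chains[chain]:
        if not match(pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            trace.append(f"{chain}:{target}")
            return target              # terminating verdict: nothing else runs
        if target == "RETURN":
            trace.append(f"{chain}:RETURN")
            return None                # back to the calling chain
        trace.append(f"{chain}->{target}")
        verdict = traverse(chains, target, pkt, trace)
        if verdict is not None:
            return verdict
    return None                        # fell off the end: implicit return

def forward(chains, pkt, policy="DROP"):
    """Run a packet through FORWARD; apply the chain policy if nothing decides."""
    trace = []
    verdict = traverse(chains, "FORWARD", pkt, trace)
    return (verdict or policy), trace

def build(out_target):
    """The two FORWARD jumps from the thread plus hypothetical per-VM rules."""
    return {
        "FORWARD": [
            (lambda p: p["physdev_in"] == "tap110i0", "tap110i0-out"),
            (lambda p: p["physdev_out"] == "tap120i0", "tap120i0-in"),
        ],
        # Hypothetical: VM 110 is allowed to send SSH.
        "tap110i0-out": [(lambda p: p["dport"] == 22, out_target)],
        # Hypothetical: VM 120 only accepts HTTP, drops everything else.
        "tap120i0-in": [
            (lambda p: p["dport"] == 80, "ACCEPT"),
            (lambda p: True, "DROP"),
        ],
    }

# Constructed packet: bridged traffic from VM 110 to VM 120, destination port 22.
PKT = {"physdev_in": "tap110i0", "physdev_out": "tap120i0", "dport": 22}

if __name__ == "__main__":
    for target in ("ACCEPT", "RETURN"):
        print(target, forward(build(target), PKT))
```

With ACCEPT in the out chain the packet is forwarded without `tap120i0-in` ever being consulted; with RETURN the out chain only approves its own side and VM 120's inbound rules still get to drop the packet.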