> FORWARD -> proxmoxfw-chain ->jump in tap chain1
> <-return or drop
> ->jump in tap chain2
> <-return or drop
>
> ->ACCEPT
>
>
> don't know if it's better than

>>Above would only handle traffic originated from a VM and skip traffic from
>>outside (eth0)?

Maybe. I think we shouldn't filter from ethX, because outside can also be other hosts with other VMs.
(Or maybe users want to add some custom rules on ethX to protect the host itself; like this it doesn't conflict with OpenStack rules.)

Also, maybe they are doing it like this to add some custom rules later before the ACCEPT.

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday 22 January 2014 17:03:38
Subject: RE: [pve-devel] RFC : iptables implementation

> FORWARD -> proxmoxfw-chain ->jump in tap chain1
> <-return or drop
> ->jump in tap chain2
> <-return or drop
>
> ->ACCEPT
>
>
> don't know if it's better than

Above would only handle traffic originated from a VM and skip traffic from outside (eth0)?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel