> I am also concerned about this:
>
> --quote-shorewall-docs--
> As described above, Shorewall bridge support requires the physdev match
> feature of Netfilter/iptables. Physdev match allows rules to be triggered based
> on the bridge port that a packet arrived on and/or the bridge port that a packet
> will be sent over. The latter has proved to be problematic because it requires
> that the evaluation of rules be deferred until the destination bridge port is
> known. This deferral has the unfortunate side effect that it makes IPSEC
> Netfilter filtration incompatible with bridges. To work around this problem, in
> kernel version 2.6.20 the Netfilter developers decided to remove the deferred
> processing in two cases:
>
> When a packet being sent through a bridge entered the firewall on another
> interface and was being forwarded to the bridge.
>
> When a packet originating on the firewall itself is being sent through a
> bridge.
>
> Notice that physdev match was only weakened with respect to the destination
> bridge port -- it remains fully functional with respect to the source bridge
> port.
> --end-quote--
>
> If the above is right, things will not work as expected.
Oh, I guess that is why you use --physdev-is-bridged? So we simply accept routed traffic from the host?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
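An added audit script, not code from this thread or from Proxmox or Shorewall: it scans `iptables-save` output for rules that match on the destination bridge port (`--physdev-out` / `--physdev-is-out`) without also restricting themselves to bridged traffic with `--physdev-is-bridged`, which is the combination the quoted docs say no longer matches routed-then-bridged traffic since 2.6.20. The sample rule set and the `audit_physdev` helper are constructed for this example.

```python
import shlex

# Constructed sample of `iptables-save` output (not taken from the mailing list).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in eth1 -j ACCEPT
-A FORWARD -m physdev --physdev-out eth1 -j DROP
-A FORWARD -m physdev --physdev-is-bridged --physdev-out eth1 -j DROP
-A FORWARD -m physdev ! --physdev-is-bridged --physdev-out eth1 -j DROP
-A OUTPUT -m physdev --physdev-out eth1 -j DROP
COMMIT
"""

# Chains in which the outgoing bridge port can still be matched for bridged traffic.
CHAINS_WITH_OUT_PORT = {"FORWARD", "POSTROUTING"}


def parse_physdev_opts(tokens):
    """Map each --physdev* option in a rule to True if it was negated with '!'."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("--physdev"):
            opts[tok] = i > 0 and tokens[i - 1] == "!"
    return opts


def audit_physdev(save_text):
    """Return findings for rules whose destination-port match is unreliable.

    A rule is flagged when it uses --physdev-out/--physdev-is-out and either
    sits in a chain where that match is unsupported, or does not positively
    require --physdev-is-bridged (so routed-then-bridged packets bypass it).
    """
    findings = []
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue  # skip table/chain declarations and COMMIT
        tokens = shlex.split(line)
        chain = tokens[1]
        opts = parse_physdev_opts(tokens)
        if not ("--physdev-out" in opts or "--physdev-is-out" in opts):
            continue  # --physdev-in / --physdev-is-in remain fully functional
        bridged_only = "--physdev-is-bridged" in opts and not opts["--physdev-is-bridged"]
        if chain in CHAINS_WITH_OUT_PORT and bridged_only:
            continue  # explicitly limited to bridged traffic: matches as intended
        if chain in CHAINS_WITH_OUT_PORT:
            reason = "destination-port match without --physdev-is-bridged: routed traffic will not match"
        else:
            reason = "destination-port match is not supported in chain %s" % chain
        findings.append({"chain": chain, "rule": line, "reason": reason})
    return findings
```

Run it against the live ruleset with `audit_physdev(subprocess.check_output(["iptables-save"], text=True))` to see which rules silently let routed traffic through.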