>>Oh, I guess that is why you use --physdev-is-bridged? So we simply accept routed traffic from the host?
To be honest, I just copied the rules from openstack; I haven't read the doc yet about --physdev-is-bridged. But openstack adds incoming rules for dhcp packets coming from the host. They also add an INPUT rule for outgoing packets from the tap (I think this is for tap to host).

-A INPUT -j proxmoxfw-chain-INPUT
-A FORWARD -m physdev --physdev-out tap100i0 --physdev-is-bridged -j proxmoxfw-chain
-A FORWARD -m physdev --physdev-in tap100i0 --physdev-is-bridged -j proxmoxfw-chain
>> -A proxmoxfw-chain-INPUT -m physdev --physdev-in tap110i0
>> --physdev-is-bridged -j tap110i0-OUT
-A proxmoxfw-chain -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-in
-A proxmoxfw-chain -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-out

----- Original message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday 22 January 2014 19:45:41
Subject: RE: [pve-devel] RFC : iptables implementation

> I am also concerned about this:
>
> --quote-shorewall-docs--
> As described above, Shorewall bridge support requires the physdev match
> feature of Netfilter/iptables. Physdev match allows rules to be triggered based
> on the bridge port that a packet arrived on and/or the bridge port that a packet
> will be sent over. The latter has proved to be problematic because it requires
> that the evaluation of rules be deferred until the destination bridge port is
> known. This deferral has the unfortunate side effect that it makes IPSEC
> Netfilter filtration incompatible with bridges. To work around this problem, in
> kernel version 2.6.20 the Netfilter developers decided to remove the deferred
> processing in two cases:
>
> When a packet being sent through a bridge entered the firewall on another
> interface and was being forwarded to the bridge.
>
> When a packet originating on the firewall itself is being sent through a
> bridge.
>
> Notice that physdev match was only weakened with respect to the destination
> bridge port -- it remains fully functional with respect to the source bridge
> port.
> --end-quote--
>
> If the above is right, things will not work as expected.
>
> Oh, I guess that is why you use --physdev-is-bridged? So we simply accept routed traffic from the host?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
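An added example (not code from this thread or from Proxmox/openstack) that generates the per-tap physdev rules in the form discussed above and lints a rule set for the pitfall the quoted Shorewall text describes: --physdev-out is only honoured for bridged packets since kernel 2.6.20, so a rule using it without --physdev-is-bridged silently fails to match routed or locally generated traffic. Chain names follow the rules quoted in the mail; the lint function is an assumption about what a sensible check looks like, not a Proxmox feature.

```shell
#!/bin/sh
# Added example: emit FORWARD/INPUT physdev rules for one tap interface and
# check a rule set for --physdev-out used without --physdev-is-bridged.
# Chain names (proxmoxfw-chain, proxmoxfw-chain-INPUT, <tap>-IN/-OUT) are
# taken from the rules quoted in the thread; nothing here touches the kernel.

# Print the three rules for a tap device (e.g. gen_tap_rules tap100i0).
gen_tap_rules() {
    tap="$1"
    # Guest -> host itself: the source bridge port is always reliable.
    printf '%s\n' "-A proxmoxfw-chain-INPUT -m physdev --physdev-in $tap --physdev-is-bridged -j ${tap}-OUT"
    # Host/other interface -> guest: --physdev-out only works when the packet
    # is bridged, so restrict the rule to that case explicitly.
    printf '%s\n' "-A proxmoxfw-chain -m physdev --physdev-out $tap --physdev-is-bridged -j ${tap}-IN"
    # Guest -> anywhere via the bridge: source port match, always reliable.
    printf '%s\n' "-A proxmoxfw-chain -m physdev --physdev-in $tap --physdev-is-bridged -j ${tap}-OUT"
}

# Read rules on stdin and print every one that uses --physdev-out without
# --physdev-is-bridged. Returns 0 when the set is clean, 1 otherwise.
lint_physdev_out() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            *--physdev-out*)
                case "$rule" in
                    *--physdev-is-bridged*) ;;
                    *) printf 'unreliable match: %s\n' "$rule"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# Number of rules flagged by lint_physdev_out for the rule set in "$1".
count_bad_rules() {
    printf '%s\n' "$1" | lint_physdev_out | wc -l | tr -d ' '
}
```

Run `gen_tap_rules tap100i0 | lint_physdev_out` to confirm a generated set passes; feed it a rule such as `-A FORWARD -m physdev --physdev-out tap100i0 -j ACCEPT` to see the flagged case.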