By the way, I understand now why they are doing this:

-A proxmoxfw-FORWARD -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tapchains
-A proxmoxfw-FORWARD -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tapchains
-A proxmoxfw-FORWARD -m physdev --physdev-out tap115i0 --physdev-is-bridged -j tapchains
-A proxmoxfw-FORWARD -m physdev --physdev-in tap115i0 --physdev-is-bridged -j tapchains

-A tapchains -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tap110i0-IN
-A tapchains -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT
-A tapchains -m physdev --physdev-out tap115i0 --physdev-is-bridged -j tap115i0-IN
-A tapchains -m physdev --physdev-in tap115i0 --physdev-is-bridged -j tap115i0-OUT
-A tapchains -j ACCEPT

This is to test the rules of the source tap and the rules of all target taps, and do the accept when both have matched.

----- Original Message -----
From: "Alexandre DERUMIER" <aderum...@odiso.com>
To: "Dietmar Maurer" <diet...@proxmox.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Thursday, 23 January 2014 08:39:50
Subject: Re: [pve-devel] RFC : iptables implementation

>> But the other direction does not work (HOST to VM).
>> Maybe no big problem unless the user assigns IP addresses to multiple
>> bridges.

I'll do tests today, because I know OpenStack can use dhcpd from the host, with different bridges + IPs, and they have DHCP inbound rules for the tap interfaces.

I'll try to make a sample of rules for:

internet -> host
host -> internet
host -> tap
tap -> host
tap -> tap

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Thursday, 23 January 2014 07:11:48
Subject: RE: [pve-devel] RFC : iptables implementation

> They also add INPUT rules for outgoing packets from tap. (I think this is
> for tap to host.)
>
> -A INPUT -j proxmoxfw-chain-INPUT
> -A FORWARD -m physdev --physdev-out tap100i0 --physdev-is-bridged -j proxmoxfw-chain
> -A FORWARD -m physdev --physdev-in tap100i0 --physdev-is-bridged -j proxmoxfw-chain
>
>> -A proxmoxfw-chain-INPUT -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT

So we can filter from VM to HOST correctly - that conforms to the docs.

But the other direction does not work (HOST to VM). Maybe no big problem unless the user assigns IP addresses to multiple bridges.
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
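The dispatch layout discussed in the thread (proxmoxfw-FORWARD -> tapchains -> per-tap -IN/-OUT chains -> ACCEPT), as an added Python model that is not Proxmox code and was not posted in the thread: it builds those rules for a list of tap interfaces and walks a bridged tap-to-tap packet through them, showing that the packet passes the source tap's -OUT chain and the destination tap's -IN chain before the final ACCEPT. The per-tap chains are left empty as a stand-in for the user's rules; chain and interface names are taken from the dump above.

```python
"""Added model of the per-tap dispatch layout from the thread (not Proxmox code).
Only the physdev in/out match is modelled; --physdev-is-bridged, conntrack and
the INPUT path (VM -> host) discussed in the thread are out of scope."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Rule:
    target: str                     # chain to jump to, or a terminal verdict
    phys_in: Optional[str] = None   # --physdev-in match, None = any interface
    phys_out: Optional[str] = None  # --physdev-out match, None = any interface

def build_chains(taps: List[str]) -> Dict[str, List[Rule]]:
    """Mirror the dump in the thread: proxmoxfw-FORWARD dispatches to tapchains,
    tapchains dispatches to per-tap -IN/-OUT chains (empty here, standing in for
    the user's rules) and finally accepts."""
    chains: Dict[str, List[Rule]] = {"proxmoxfw-FORWARD": [], "tapchains": []}
    for tap in taps:
        chains["proxmoxfw-FORWARD"] += [Rule("tapchains", phys_out=tap),
                                        Rule("tapchains", phys_in=tap)]
        chains["tapchains"] += [Rule(f"{tap}-IN", phys_out=tap),
                                Rule(f"{tap}-OUT", phys_in=tap)]
        chains[f"{tap}-IN"], chains[f"{tap}-OUT"] = [], []
    chains["tapchains"].append(Rule("ACCEPT"))  # -A tapchains -j ACCEPT
    return chains

def walk(chains, chain, phys_in, phys_out, trace) -> Optional[str]:
    """Evaluate one chain: a terminal target ends the walk, a user chain is
    entered recursively, falling off the end returns None (implicit RETURN)."""
    trace.append(chain)
    for r in chains[chain]:
        if (r.phys_in and r.phys_in != phys_in) or \
           (r.phys_out and r.phys_out != phys_out):
            continue
        if r.target in TERMINAL:
            return r.target
        verdict = walk(chains, r.target, phys_in, phys_out, trace)
        if verdict is not None:
            return verdict
    return None

def forward(chains, phys_in: str, phys_out: str) -> Tuple[Optional[str], List[str]]:
    """Verdict for a bridged packet plus the chains it traversed, in order."""
    trace: List[str] = []
    return walk(chains, "proxmoxfw-FORWARD", phys_in, phys_out, trace), trace

if __name__ == "__main__":
    c = build_chains(["tap110i0", "tap115i0"])
    print(forward(c, "tap110i0", "tap115i0"))
```

A packet bridged between two non-tap ports matches nothing in proxmoxfw-FORWARD and falls back to the rest of FORWARD, which the model reports as a None verdict.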