> > But they test everything twice that way?

Yes, I don't know why. Maybe they want to be sure that tap-to-tap filtering is done only on known tap interfaces with the firewall enabled?
----- Original message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Thursday 23 January 2014 11:01:42
Subject: RE: [pve-devel] RFC : iptables implementation

> By the way, I understand now why they are doing this:
>
> -A proxmoxfw-FORWARD -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tapchains
> -A proxmoxfw-FORWARD -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tapchains
> -A proxmoxfw-FORWARD -m physdev --physdev-out tap115i0 --physdev-is-bridged -j tapchains
> -A proxmoxfw-FORWARD -m physdev --physdev-in tap115i0 --physdev-is-bridged -j tapchains
>
> -A tapchains -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tap110i0-IN
> -A tapchains -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT
> -A tapchains -m physdev --physdev-out tap115i0 --physdev-is-bridged -j tap115i0-IN
> -A tapchains -m physdev --physdev-in tap115i0 --physdev-is-bridged -j tap115i0-OUT
> -A tapchains -j ACCEPT
>
> This is to test the rules from the source tap and all the target tap rules, and do the accept when both have matched.

But they test everything twice that way?
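The two-stage layout quoted in the thread, generalised to any list of firewall-enabled taps, as an added example written for this page (not code from the thread or from Proxmox). It emits an iptables-restore fragment and applies nothing; the empty per-tap `*-IN`/`*-OUT` chains and the omitted jump from the kernel's FORWARD chain into `proxmoxfw-FORWARD` are assumptions, since the thread does not show them.

```shell
#!/bin/sh
# Added example, not code from the pve-devel thread or from Proxmox.
# Emits the proxmoxfw-FORWARD -> tapchains -> tapXXX-IN/OUT layout for
# the given taps as an iptables-restore fragment. The per-tap chains are
# declared empty (assumption: the thread does not show their rules).
gen_tap_rules() {
    taps="$*"
    echo '*filter'
    echo ':proxmoxfw-FORWARD - [0:0]'
    echo ':tapchains - [0:0]'
    for t in $taps; do
        echo ":${t}-IN - [0:0]"
        echo ":${t}-OUT - [0:0]"
    done
    # Stage 1: only a frame entering or leaving a *listed* tap is sent
    # to tapchains; a tap that is not listed (firewall disabled) never
    # reaches the per-VM chains at all.
    for t in $taps; do
        echo "-A proxmoxfw-FORWARD -m physdev --physdev-out $t --physdev-is-bridged -j tapchains"
        echo "-A proxmoxfw-FORWARD -m physdev --physdev-in $t --physdev-is-bridged -j tapchains"
    done
    # Stage 2: the physdev match is repeated so that one frame going
    # tap A -> tap B visits both A-OUT and B-IN; each per-tap chain is
    # expected to RETURN (or DROP), and the final ACCEPT fires only
    # after every matching per-tap chain has let the frame through.
    for t in $taps; do
        echo "-A tapchains -m physdev --physdev-out $t --physdev-is-bridged -j ${t}-IN"
        echo "-A tapchains -m physdev --physdev-in $t --physdev-is-bridged -j ${t}-OUT"
    done
    echo '-A tapchains -j ACCEPT'
    echo 'COMMIT'
}

# Dry run (needs iptables installed): print the fragment and syntax-check it.
#   gen_tap_rules tap110i0 tap115i0 | iptables-restore --test
```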