>>We just need to be aware of that.
>>I guess normally a user does not assign IPs to several
>>bridges, so it is no problem by default.

Hi,

I have worked on it this weekend, I'll resend an improved version today.
(Taking some ideas from CloudStack, with less rules lookup)

----- Original Mail -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Friday 24 January 2014 09:07:22
Subject: RE: [pve-devel] RFC : iptables implementation

> ah ok, I understand. But isn't it blocked by the INPUT rule on host ?
> (10.1.0.2->10.1.0.1) I'll do test today.
>
> If we really want to block host->tap, without known ip in guest, we could also
> only allow known authorized ips in output

We just need to be aware of that. I guess normally a user does not assign IPs to several bridges, so it is no problem by default.