Well, we jump to NFQUEUE in tap chains. If we ACCEPT at the beginning of forward, we bypass ips, and if we jump to NFQUEUE at the beginning of forward, we go to ips for all VMs (I want to enable it per VM).

I just noticed a bug: if sourcevm out (ips:0) -> sourcevm in (ips:1), it'll do an accept in tap-out and bypass the ips. I'll rework my patch.

Something like

    PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j IPSCHAIN
    IPSCHAIN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j NFQUEUE
    IPSCHAIN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j NFQUEUE
    IPSCHAIN -j ACCEPT

should be faster too.

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre Derumier" <aderum...@odiso.com>, pve-devel@pve.proxmox.com
Sent: Monday 17 March 2014 07:10:20
Subject: RE: [pve-devel] [PATCH] add ips feature

> # fixme: this is an optimization? if so, we should also drop INVALID
> packages?
> - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT");
> -
> + if(!$ips_enable){
> + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --
> ctstate RELATED,ESTABLISHED -j ACCEPT");
> + }
>
> What happens here if ips is enabled? Don't we need to jump to NFQUEUE?
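Review bot: guarding the RELATED,ESTABLISHED accept with `!$ips_enable` only removes the fast path; the hunk adds no replacement rule, so with ips enabled every established packet falls through to the per-tap chains and nothing in PVEFW-FORWARD sends it to NFQUEUE, which is the gap the question under the hunk points at. Suggest adding an `else` branch that sends RELATED,ESTABLISHED traffic to a dedicated chain (the IPSCHAIN sketch in the reply above) that jumps to NFQUEUE only for taps with ips enabled and ends in `-j ACCEPT`, so VMs without ips keep the fast path. The `fixme` about INVALID also stands: an unconditional `-m conntrack --ctstate INVALID -j DROP` inserted ahead of both branches would not depend on ips at all. Minor style: `if(!$ips_enable){` should read `if (!$ips_enable) {` to match the surrounding Perl.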
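The bypass described in this message, as an added example that is neither pve-firewall code nor part of the thread: a small Python model of netfilter chain traversal that replays an established reply into an ips:1 VM under the early RELATED,ESTABLISHED accept from the quoted hunk, and then under the IPSCHAIN ordering proposed above. Tap names, the tap "-IN" chain and the per-tap ips flags are constructed sample values.

```python
# Added example, not pve-firewall code: a minimal model of netfilter chain
# traversal. Tap names and the per-tap ips flags (ips:0 / ips:1) are constructed.
IPS_ENABLED = {"tap100i0": False, "tap101i0": True}

def match(rule, pkt):
    """True when every match option on the rule applies to the packet."""
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    if "physdev_out" in rule and pkt["physdev_out"] != rule["physdev_out"]:
        return False
    return True

def walk(chains, chain, pkt):
    """Walk a chain like netfilter: the first terminating target wins; a
    user chain that falls off its end returns to the calling chain."""
    for rule in chains[chain]:
        if not match(rule, pkt):
            continue
        target = rule["target"]
        if target in chains:                      # -j <user chain>
            verdict = walk(chains, target, pkt)
            if verdict is not None:
                return verdict
        else:                                     # ACCEPT / DROP / NFQUEUE
            return target
    return None                                   # implicit RETURN

# Per-tap "-IN" chain: the NFQUEUE jump lives here for a VM with ips enabled.
TAP_IN = {"tap101i0-IN": [{"target": "NFQUEUE"}]}
TAP_JUMP = {"physdev_out": "tap101i0", "target": "tap101i0-IN"}
ESTABLISHED = {"ctstate": {"RELATED", "ESTABLISHED"}}

# Ruleset with the early accept kept: established traffic never reaches tap chains.
OLD = {"PVEFW-FORWARD": [dict(ESTABLISHED, target="ACCEPT"), TAP_JUMP], **TAP_IN}

# Ruleset from the reply: established traffic goes through IPSCHAIN, which
# queues only taps with ips enabled and accepts the rest (keeps the fast path).
IPSCHAIN = [{"physdev_out": tap, "target": "NFQUEUE"}
            for tap, on in IPS_ENABLED.items() if on] + [{"target": "ACCEPT"}]
NEW = {"PVEFW-FORWARD": [dict(ESTABLISHED, target="IPSCHAIN"), TAP_JUMP],
       "IPSCHAIN": IPSCHAIN, **TAP_IN}

def verdict(chains, ctstate, physdev_out):
    """Verdict for a bridged forward packet going out through physdev_out."""
    return walk(chains, "PVEFW-FORWARD",
                {"ctstate": ctstate, "physdev_out": physdev_out})

if __name__ == "__main__":
    # Reply packet of an established flow heading into tap101i0 (ips:1).
    print("old:", verdict(OLD, "ESTABLISHED", "tap101i0"))  # ACCEPT, bypasses ips
    print("new:", verdict(NEW, "ESTABLISHED", "tap101i0"))  # NFQUEUE
```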