> -----Original Message-----
> From: Alexandre DERUMIER [mailto:aderum...@odiso.com]
> Sent: Monday, 17 March 2014 08:14
> To: Dietmar Maurer
> Cc: pve-devel@pve.proxmox.com
> Subject: Re: [pve-devel] [PATCH] add ips feature
>
> Well, we jump to NFQUEUE in the tap chains.
>
> If we ACCEPT at the beginning of forward, we bypass the IPS,
> and if we jump to NFQUEUE at the beginning of forward, we go to the IPS for all VMs
> (I want to enable it per VM).

Ah, OK.

> I just noticed a bug: if sourcevm out (ips:0) -> sourcevm in (ips:1)
>
> it'll do an accept in tap-out and bypass the IPS.
>
> I'll rework my patch.
>
> (something like
> PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j IPSCHAIN
>
> IPSCHAIN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j NFQUEUE
> IPSCHAIN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j NFQUEUE
> IPSCHAIN -j ACCEPT
> )
>
> should be faster too

OK

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
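The chain layout sketched in the thread, written out as an added example (not Proxmox firewall code and not the patch under discussion): a POSIX shell function that emits an iptables-restore fragment which jumps conntrack-known forwarded traffic into IPSCHAIN and from there to NFQUEUE only for the tap devices of VMs that have IPS enabled, leaving everything else on the ACCEPT fall-through. The chain names PVEFW-FORWARD and IPSCHAIN come from the mail; the queue number, the `--queue-bypass` flag, the "tap flag" input format, and the choice to match both `--physdev-in` and `--physdev-out` for an IPS-enabled tap (the mail lists the `--physdev-out` line twice) are this example's own assumptions.

```shell
#!/bin/sh
# Constructed example: build iptables-restore lines for per-VM IPS via NFQUEUE.
# Input to gen_ips_rules: one "tapname ips_flag" pair per line, e.g.
#   tap100i0 1
#   tap101i0 0
# Output: an iptables-restore fragment on stdout (nothing is loaded here;
# loading it needs root and a working iptables, e.g.
#   gen_ips_rules "$vms" | iptables-restore --noflush).

IPS_QUEUE_NUM=${IPS_QUEUE_NUM:-0}   # assumed queue number for the IPS daemon

gen_ips_rules() {
    vmlist=$1
    printf '%s\n' '*filter'
    printf '%s\n' ':PVEFW-FORWARD - [0:0]'
    printf '%s\n' ':IPSCHAIN - [0:0]'
    # Only traffic conntrack already knows is diverted to IPSCHAIN, so the
    # NEW packet of a flow still passes the per-tap rules first (as in the mail).
    printf '%s\n' '-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j IPSCHAIN'
    printf '%s\n' "$vmlist" | while read -r tap flag; do
        [ -n "$tap" ] || continue
        [ "$flag" = "1" ] || continue   # IPS disabled for this VM: no NFQUEUE rule
        # Match the bridged port in both directions so a flow from a VM without
        # IPS to a VM with IPS is still inspected, which is the bug the thread
        # describes for the ACCEPT-in-tap-out case.
        # --queue-bypass (assumption) makes the rule fail-open: if no userspace
        # program is bound to the queue, packets are accepted instead of dropped.
        # For a strict IPS you may want to drop the flag and fail closed instead.
        printf '%s\n' "-A IPSCHAIN -m physdev --physdev-in $tap --physdev-is-bridged -j NFQUEUE --queue-num $IPS_QUEUE_NUM --queue-bypass"
        printf '%s\n' "-A IPSCHAIN -m physdev --physdev-out $tap --physdev-is-bridged -j NFQUEUE --queue-num $IPS_QUEUE_NUM --queue-bypass"
    done
    # Everything not queued is accepted, the "IPSCHAIN -j ACCEPT" from the mail.
    printf '%s\n' '-A IPSCHAIN -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Count how many NFQUEUE rules a ruleset contains (handy for a quick sanity check).
count_nfqueue_rules() {
    printf '%s\n' "$1" | grep -c -- '-j NFQUEUE'
}
```

Because the NFQUEUE rules are reached only from the RELATED,ESTABLISHED jump, the very first packet of each connection is never queued; that is the trade-off the thread accepts for speed, and it means the IPS sees a flow only once conntrack has an entry for it.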