>> I do not understand this. In tap-out we simply set the mark (we do not jump
>> to ACCEPT there), so why is that a problem?

Not for conntrack

-N tapXXXi0-OUT
-A tapXXXi0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A tapXXXi0-OUT -p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK
-A tapXXXi0-OUT -p tcp -j PVEFW-tcpflags
-A tapXXXi0-OUT -m conntrack --ctstate INVALID -j DROP
-A tapXXXi0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   >> HERE

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Wednesday, 19 March 2014 19:34:31
Subject: RE: [pve-devel] [PATCH] add ips feature v5

> in this case:
>
> tap1-out : ACCEPT (ips off) -----> tap2-in : ACCEPT (ips on)
>
>
> We don't want always NFQUEUE in tap1-out, because ips is off, but we want
> NFQUEUE if the destination have ips on.

I do not understand this. In tap-out we simply set the mark (we do not jump
to ACCEPT there), so why is that a problem?
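As an added example (not part of the thread or of the Proxmox code), a small Python check for the ordering point the ">> HERE" marker makes: once `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` is hit in the OUT chain, no later rule in that chain sees established traffic, so an NFQUEUE rule placed after it would never queue those packets. The five `-A tapXXXi0-OUT` rules are the ones quoted in the mail; the trailing NFQUEUE rule is constructed for the demonstration.

```python
import re

# Rules quoted in the mail above (iptables-save syntax), plus one constructed
# NFQUEUE rule appended after the ESTABLISHED accept to show the shadowing.
RULES = """\
-A tapXXXi0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A tapXXXi0-OUT -p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK
-A tapXXXi0-OUT -p tcp -j PVEFW-tcpflags
-A tapXXXi0-OUT -m conntrack --ctstate INVALID -j DROP
-A tapXXXi0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A tapXXXi0-OUT -j NFQUEUE --queue-num 0
"""

# Targets that end rule traversal for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse_rules(text):
    """Group '-A <chain> ...' lines by chain; each rule is (matches, target, raw)."""
    chains = {}
    for raw in text.splitlines():
        m = re.match(r"-A (\S+)\s+(.*?)\s*-j (\S+)", raw.strip())
        if not m:
            continue
        chain, matches, target = m.groups()
        chains.setdefault(chain, []).append((matches, target, raw.strip()))
    return chains


def ctstates(matches):
    """Set of conntrack states a rule matches on (empty if it has no --ctstate)."""
    m = re.search(r"--ctstate (\S+)", matches)
    return set(m.group(1).split(",")) if m else set()


def shadowed_for_established(rules):
    """Rules an ESTABLISHED packet can never reach: everything after the first
    rule whose only match is a ctstate list containing ESTABLISHED and whose
    target terminates traversal (e.g. '--ctstate RELATED,ESTABLISHED -j ACCEPT')."""
    for i, (matches, target, _) in enumerate(rules):
        only_ctstate = re.fullmatch(r"-m conntrack --ctstate \S+", matches.strip())
        if target in TERMINATING and only_ctstate and "ESTABLISHED" in ctstates(matches):
            return [raw for _, _, raw in rules[i + 1:]]
    return []


if __name__ == "__main__":
    for chain, rules in parse_rules(RULES).items():
        for raw in shadowed_for_established(rules):
            print(f"{chain}: unreachable for established flows: {raw}")
```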