Maybe we could add

-A vmbrX-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN

at the beginning of vmbrX-OUT? (And add an optimisation: if no IPS is enabled for the vmbr, do an ACCEPT.)

----- Original Mail -----
From: "Alexandre DERUMIER" <aderum...@odiso.com>
To: "Dietmar Maurer" <diet...@proxmox.com>
Cc: pve-devel@pve.proxmox.com
Sent: Thursday 20 March 2014 07:43:48
Subject: Re: [pve-devel] [PATCH] add ips feature v5

>> Maybe we can/should replace that with -g PVEFW-SET-ACCEPT-MARK?

Yes, it should work. But isn't it slower (more taps (in|out) to check) than simply using -m conntrack --ctstate RELATED,ESTABLISHED -j PVE-Accept at the beginning of FORWARD? (I think I should do some benchmarks; maybe the difference is not so big with modern processors.)

----- Original Mail -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Thursday 20 March 2014 06:55:27
Subject: RE: [pve-devel] [PATCH] add ips feature v5

> Not for conntrack
>
> -N tapXXXi0-OUT
> -A tapXXXi0-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
> -A tapXXXi0-OUT -p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK
> -A tapXXXi0-OUT -p tcp -j PVEFW-tcpflags
> -A tapXXXi0-OUT -m conntrack --ctstate INVALID -j DROP
> -A tapXXXi0-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   >> HERE

Maybe we can/should replace that with -g PVEFW-SET-ACCEPT-MARK?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
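The chain layout the thread proposes, as an added shell example that is neither Proxmox firewall code nor either poster's: it emits the vmbrX-OUT chain in iptables-restore syntax with the conntrack shortcut as its first rule, RETURN when IPS is enabled for the bridge (so the packet goes back to the caller and a later IPS rule still sees it) and ACCEPT when it is not, followed by the per-tap chain quoted above. The per-tap dispatch via a physdev match, the function names and the ips flag are assumptions; the chain and target names come from the thread.

```shell
#!/bin/sh
# Added example (not Proxmox firewall code). Emits iptables-restore lines.
# Assumption: vmbrX-OUT dispatches to each tapXXXi0-OUT chain with a physdev match.

# gen_bridge_out BRIDGE IPS_ENABLED TAP...
#   IPS_ENABLED=1 -> RETURN: established traffic leaves this chain early but is
#                    still seen by whatever follows in the calling chain (the IPS rule)
#   IPS_ENABLED=0 -> ACCEPT: nothing else needs to see it, so stop filtering here
gen_bridge_out() {
    bridge=$1; ips=$2; shift 2
    if [ "$ips" = 1 ]; then target=RETURN; else target=ACCEPT; fi
    printf '%s\n' "-N $bridge-OUT"
    # Shortcut first: one conntrack lookup instead of walking every tap chain
    printf '%s\n' "-A $bridge-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j $target"
    for tap in "$@"; do
        printf '%s\n' "-A $bridge-OUT -m physdev --physdev-out $tap -j $tap-OUT"
    done
}

# gen_tap_out TAP: the per-tap chain exactly as quoted in the thread
gen_tap_out() {
    tap=$1
    printf '%s\n' "-N $tap-OUT"
    printf '%s\n' "-A $tap-OUT -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"
    printf '%s\n' "-A $tap-OUT -p udp -m udp --sport 68 --dport 67 -j PVEFW-SET-ACCEPT-MARK"
    printf '%s\n' "-A $tap-OUT -p tcp -j PVEFW-tcpflags"
    printf '%s\n' "-A $tap-OUT -m conntrack --ctstate INVALID -j DROP"
    printf '%s\n' "-A $tap-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# first_target RULESET: target of the first -A rule, to check the shortcut is really first
first_target() {
    printf '%s\n' "$1" | awk '/^-A/ { print $NF; exit }'
}

# Stand-alone demo: IPS enabled on vmbr0 with one tap
gen_bridge_out vmbr0 1 tap100i0
gen_tap_out tap100i0
```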