>>Yes, we also want to filter container to container traffic.

Previously, we had a rule

-    # always allow traffic from containers?
-    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN");

so, it wasn't working at all before?

I see this iptables traffic:

FORWARD: IN=venet0 OUT=venet0 SRC=10.3.94.204 DST=10.3.94.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25368 PROTO=ICMP TYPE=0 CODE=0 ID=1751 SEQ=1

Maybe with some magic routing rule, is it possible to split it to have two lines?
I'll check that today.

>>We should really have some regression tests, but I do not know a tool to
>>simulate iptables? We can write a simple simulator ourselves, but that is much work
>>:-/

Don't know either. I'll ask my coworkers today.

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Monday, 12 May 2014 06:16:37
Subject: RE: venet firewall broken?

> container to container ?
>
> venet0->venet0 ?

Yes, we also want to filter container to container traffic.

> Damn, I don't have tested this case.

We should really have some regression tests, but I do not know a tool to simulate
iptables? We can write a simple simulator ourselves, but that is much work :-/
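The "simple simulator" regression-test idea from the quoted mail, as an added example that is not part of the thread or of the Proxmox firewall code: a minimal iptables chain walker covering only `-i`/`-o` matches, RETURN/ACCEPT/DROP and user-chain jumps, used to show why the old `-i venet0 -j RETURN` rule in PVEFW-FORWARD let the venet0->venet0 packet from the log line above bypass filtering. The chain name PVEFW-VENET-FILTER, its single DROP rule and the eth0 comparison packet are constructed placeholders, not rules from the real ruleset.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                    # RETURN, ACCEPT, DROP, or a user-chain name
    in_if: Optional[str] = None    # -i <iface>
    out_if: Optional[str] = None   # -o <iface>

    def matches(self, pkt: dict) -> bool:
        return ((self.in_if is None or pkt["in"] == self.in_if)
                and (self.out_if is None or pkt["out"] == self.out_if))

def walk(chains: dict, chain: str, pkt: dict) -> Optional[str]:
    """Evaluate one chain. Returns ACCEPT/DROP, or None when the chain is left
    via RETURN or falls off its end (the caller then continues after the jump)."""
    for rule in chains.get(chain, []):
        if not rule.matches(pkt):
            continue
        if rule.target == "RETURN":
            return None
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        result = walk(chains, rule.target, pkt)   # jump into a user chain
        if result is not None:
            return result
    return None

def verdict(chains: dict, pkt: dict, policy: str = "ACCEPT") -> str:
    """Verdict for a forwarded packet; the built-in chain policy applies on fall-through."""
    return walk(chains, "FORWARD", pkt) or policy

# Constructed rulesets. PVEFW-FORWARD is the chain named in the thread; the
# container filter chain PVEFW-VENET-FILTER and its lone DROP are placeholders.
OLD = {  # the removed rule "-i venet0 -j RETURN" precedes the filter jump
    "FORWARD": [Rule("PVEFW-FORWARD")],
    "PVEFW-FORWARD": [Rule("RETURN", in_if="venet0"),
                      Rule("PVEFW-VENET-FILTER", out_if="venet0")],
    "PVEFW-VENET-FILTER": [Rule("DROP")],
}
NEW = {  # same ruleset without the blanket RETURN
    "FORWARD": [Rule("PVEFW-FORWARD")],
    "PVEFW-FORWARD": [Rule("PVEFW-VENET-FILTER", out_if="venet0")],
    "PVEFW-VENET-FILTER": [Rule("DROP")],
}

# Packets: the container-to-container case from the quoted log line
# (IN=venet0 OUT=venet0) and a constructed host-to-container packet.
C2C = {"in": "venet0", "out": "venet0"}
EXT = {"in": "eth0", "out": "venet0"}

if __name__ == "__main__":
    for name, chains in (("old", OLD), ("new", NEW)):
        print(name, "venet0->venet0:", verdict(chains, C2C),
              "eth0->venet0:", verdict(chains, EXT))
```

With the old ruleset the container-to-container packet is never seen by the filter chain, while the external packet is; dropping the RETURN makes both paths hit the filter.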