I'll work all day on it; I'm pretty sure it can be solved without reverting all the work.
I'll keep you in touch.

----- Original message -----
From: "Alexandre DERUMIER" <aderum...@odiso.com>
To: "Dietmar Maurer" <diet...@proxmox.com>
Cc: pve-devel@pve.proxmox.com
Sent: Monday, 12 May 2014 08:12:36
Subject: Re: [pve-devel] venet firewall broken?

>>I think so. Maybe it is best to revert the last 10 commits ...

So, fwbr bridges are pretty useless in this case?
(I really like the new model with only one direction to check; venet0->venet0 seems to be the only tricky exception, because the traffic is routed.)

I wonder if we couldn't use some kind of special mark for

-A PVEFW-FORWARD -o venet0 -i venet0 -m set --match-set PVEFW-venet0 src,dst

(venet0 firewalled -> venet0 firewalled); then, if this mark exists, RETURN instead of ACCEPT.

----- Original message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Monday, 12 May 2014 07:58:23
Subject: RE: venet firewall broken?

> Ok, so I think if we use RETURN (only for venet0-OUT, it doesn't make sense for
> tap/veth),
>
> it should work also with this model
>
> But I don't know for group rules (do we need to add the mark again everywhere
> ???)

I think so. Maybe it is best to revert the last 10 commits ...

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
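The point under discussion (why an ACCEPT on the routed venet0->venet0 rule short-circuits the destination container's rules, and how a mark plus RETURN lets evaluation continue) is easiest to see by walking the chains. The following is an added example, not Proxmox code and not from anyone on the thread: a toy evaluator with netfilter chain semantics (MARK is non-terminating, RETURN or falling off the end goes back to the caller, ACCEPT/DROP end evaluation). The only rule taken from the thread is the PVEFW-FORWARD match on -i venet0 -o venet0 with the PVEFW-venet0 set on src,dst; the per-direction chains venet0-OUT / venet0-IN, the mark value, the ipset contents, the addresses and the "CT 10.0.0.2 refuses ssh" policy are all assumptions constructed for the illustration.

```python
"""Toy iptables chain walker: ACCEPT vs MARK+RETURN for routed venet0->venet0.

Added example, not Proxmox code. Chain layout (venet0-OUT / venet0-IN hanging
off PVEFW-FORWARD), mark value, ipset contents and addresses are assumptions;
only the PVEFW-FORWARD src,dst set match comes from the mailing-list thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ROUTED_MARK = 0x1                       # assumed mark: "both ends are firewalled venet0 CTs"
FIREWALLED = {"10.0.0.1", "10.0.0.2"}   # constructed stand-in for the PVEFW-venet0 ipset


@dataclass
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    dport: int
    mark: int = 0


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str          # ACCEPT, DROP, RETURN, MARK, or the name of a user chain to jump to
    set_mark: int = 0    # only used when target == "MARK"


def walk(chains: Dict[str, List[Rule]], name: str, pkt: Packet) -> Optional[str]:
    """Evaluate one chain with netfilter semantics. Returns ACCEPT/DROP, or None
    when the chain RETURNs or runs off its end (control goes back to the caller)."""
    for rule in chains[name]:
        if not rule.match(pkt):
            continue
        if rule.target == "MARK":          # non-terminating: set the mark, keep going
            pkt.mark |= rule.set_mark
            continue
        if rule.target == "RETURN":
            return None
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = walk(chains, rule.target, pkt)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None


def routed_ct_to_ct(p: Packet) -> bool:
    """-i venet0 -o venet0 -m set --match-set PVEFW-venet0 src,dst (both ends in the set)."""
    return (p.in_if == "venet0" and p.out_if == "venet0"
            and p.src in FIREWALLED and p.dst in FIREWALLED)


def build_chains(model: str) -> Dict[str, List[Rule]]:
    """'accept': the thread's PVEFW-FORWARD rule ACCEPTs routed CT->CT traffic outright.
    'mark-return': the same rule only MARKs it, and venet0-OUT RETURNs when the mark is set."""
    first = (Rule(routed_ct_to_ct, "ACCEPT") if model == "accept"
             else Rule(routed_ct_to_ct, "MARK", set_mark=ROUTED_MARK))
    return {
        "PVEFW-FORWARD": [
            first,
            Rule(lambda p: p.in_if == "venet0", "venet0-OUT"),    # source CT's outbound policy
            Rule(lambda p: p.out_if == "venet0", "venet0-IN"),    # destination CT's inbound policy
        ],
        "venet0-OUT": [
            # outbound is allowed; if the routed mark is present, hand control back to
            # PVEFW-FORWARD instead of ACCEPTing, so the destination's IN chain still runs.
            # (In the 'accept' model the mark is never set, so this rule is inert.)
            Rule(lambda p: bool(p.mark & ROUTED_MARK), "RETURN"),
            Rule(lambda p: True, "ACCEPT"),
        ],
        "venet0-IN": [
            # constructed destination policy: CT 10.0.0.2 refuses ssh from anywhere
            Rule(lambda p: p.dst == "10.0.0.2" and p.dport == 22, "DROP"),
            Rule(lambda p: True, "ACCEPT"),
        ],
    }


def forward_verdict(model: str, pkt: Packet) -> str:
    """Final verdict for a forwarded packet; an unmatched packet falls to an assumed DROP policy."""
    verdict = walk(build_chains(model), "PVEFW-FORWARD", pkt)
    return verdict if verdict is not None else "DROP"


if __name__ == "__main__":
    # ssh from CT 10.0.0.1 to CT 10.0.0.2, both on venet0, so the packet is routed
    for model in ("accept", "mark-return"):
        pkt = Packet("venet0", "venet0", "10.0.0.1", "10.0.0.2", 22)
        print(f"{model:12s} venet0->venet0 ssh: {forward_verdict(model, pkt)}")
```

With the ACCEPT rule the routed packet never reaches venet0-IN, so the destination container's own DROP is bypassed; with MARK plus RETURN the source side gives control back and the destination's rules are evaluated, while traffic from a tap interface or leaving for the outside world behaves the same under both models. Each call builds a fresh Packet because the walker mutates the mark field.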