>>OK, you are right!

Note that we can improve the rule by adding -i fwbr+

-- -A PVEFW-FORWARD -m physdev --physdev-in link+
++ -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in link+

because we also have packets from link->vmbr and vmbr->link coming to iptables
(that's also why I have sent a patch to bypass firewall rules for non-firewalled interfaces)

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Tuesday, 13 May 2014 10:16:00
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

> >> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-is-bridged --physdev-out tap+ -j PVEFW-FWBR-IN
> >> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-is-bridged --physdev-in tap+ -j PVEFW-FWBR-OUT
> >>
> >>?
>
> Yes, but for veth interfaces? (extra rules, and veth can be random I think?)

OK, you are right!
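
Added example, not part of the original thread and not Proxmox code: a small evaluator for the iptables-save style rules quoted above, showing which bridged packets the `link+` rule matches with and without `-i fwbr+`. It models only the interface matches (a trailing `+` is a prefix wildcard; for bridged traffic `-i` is the bridge and `--physdev-in` the ingress port); the interface names and packets are constructed for illustration.

```python
import shlex

# Interface options used in the thread, mapped to the packet field each tests.
IFACE_OPTS = {"-i": "in_if", "-o": "out_if",
              "--physdev-in": "physdev_in", "--physdev-out": "physdev_out"}

def parse_rule(line):
    """Parse the subset of iptables-save syntax that appears in this thread."""
    rule = {"chain": None, "target": None, "ifaces": {}, "bridged_only": False}
    tokens = iter(shlex.split(line))
    for tok in tokens:
        if tok == "-A":
            rule["chain"] = next(tokens)
        elif tok == "-j":
            rule["target"] = next(tokens)
        elif tok == "-m":
            next(tokens)  # module name; its options are parsed as they appear
        elif tok in IFACE_OPTS:
            rule["ifaces"][IFACE_OPTS[tok]] = next(tokens)
        elif tok == "--physdev-is-bridged":
            rule["bridged_only"] = True
        else:
            raise ValueError(f"unsupported token: {tok}")
    return rule

def iface_match(pattern, name):
    """A trailing '+' matches every interface name that starts with the prefix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern

def rule_matches(rule, pkt):
    if rule["bridged_only"] and not pkt.get("bridged", False):
        return False
    return all(iface_match(p, pkt.get(f, "")) for f, p in rule["ifaces"].items())

OLD = parse_rule("-A PVEFW-FORWARD -m physdev --physdev-in link+")
NEW = parse_rule("-A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in link+")

# Constructed packets with hypothetical interface names (assumptions, not from the thread).
PACKETS = {
    "link port on fwbr": {"in_if": "fwbr100i0", "physdev_in": "link100i0"},
    "link port on vmbr": {"in_if": "vmbr0", "physdev_in": "link100i0p"},
    "tap port on fwbr": {"in_if": "fwbr100i0", "physdev_in": "tap100i0"},
}

def compare():
    return {n: (rule_matches(OLD, p), rule_matches(NEW, p)) for n, p in PACKETS.items()}

print(compare())  # each value is (matches old rule, matches new rule)
```

Only the packet received on a `link` port of a `vmbr` bridge changes: the rule without `-i fwbr+` matches it, the rule with `-i fwbr+` does not.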