> Note that we can improve the rule by adding -i fwbr+
> 
> -- -A PVEFW-FORWARD -m physdev --physdev-in link+
> 
> ++ -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in link+
> 
> 
> because we also have packets from link->vmbr and vmbr->link coming to
> iptables (that's also why I have sent a patch to bypass firewall rules for
> non-firewalled interfaces)

Or we rename the other side of the link to "peer${vmid}i${devid}"?

Also, I would prefer a common prefix for all firewall related network devices,
for example:

link ==> fwln
peer ==> fwpr
fwbr <==> fwbr (keep that name)

what do you think?

I would prefer longer names, but the kernel interface name length is restricted.
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

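As an added example (not code from the thread or from pve-firewall), the two proposals above combined into a small bash helper: the common fwln/fwpr/fwbr prefixes from the reply, a name-length check against the kernel limit the reply mentions, and the tightened PVEFW-FORWARD rule from the quoted message. Assumptions not on the page: every device uses the suffix "${vmid}i${devid}", the usable name length is 15 characters (Linux IFNAMSIZ is 16 including the terminating NUL), and the rule is emitted per NIC rather than with wildcards.

```bash
#!/bin/bash
# Added example for the pve-devel thread above; not part of pve-firewall.
# Assumption: Linux IFNAMSIZ is 16 bytes including the NUL, so 15 usable chars.
IFNAME_MAX=15

# Print the three firewall device names for one VM NIC, separated by spaces:
#   fwln<vmid>i<devid>  fwpr<vmid>i<devid>  fwbr<vmid>i<devid>
# (suffix scheme assumed from the thread). Fails if any name exceeds the limit,
# which is exactly the restriction the reply warns about.
fw_ifnames() {
    local vmid="$1" devid="$2" prefix name out=""
    for prefix in fwln fwpr fwbr; do
        name="${prefix}${vmid}i${devid}"
        if [ "${#name}" -gt "$IFNAME_MAX" ]; then
            echo "interface name '$name' exceeds $IFNAME_MAX chars" >&2
            return 1
        fi
        out="${out:+$out }$name"
    done
    echo "$out"
}

# Emit the tightened PVEFW-FORWARD rule for one NIC: restrict on the firewall
# bridge with -i so the link<->vmbr hops are not evaluated against it, and
# match the link side of the veth pair with physdev.
fw_forward_rule() {
    local names ln pr br
    names=$(fw_ifnames "$1" "$2") || return 1
    read -r ln pr br <<<"$names"
    echo "-A PVEFW-FORWARD -i $br -m physdev --physdev-in $ln"
}

# Usage: generate names and rule for VM 100, NIC 0.
fw_ifnames 100 0
fw_forward_rule 100 0
```

Feed the emitted rule to iptables-restore (or iptables with the same arguments) only on a host where the fwbr/fwln devices exist; the script itself needs no privileges. Note that a nine-digit VMID with a two-digit NIC index already produces a 16-character name and is rejected, which is the practical effect of the length restriction the reply mentions.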