>> But I guess that does not work due to physdev match limitation :-/

oh, ok. maybe, to bypass firewall, can we simply move first rules from PVE-FORWARD to PVEFW-FWBR-IN|OUT, PVEFW-VENET-IN|OUT ?

-A FORWARD -j PVEFW-FORWARD

-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-VENET-OUT    >> ipset to match only firewall vnet0
-A PVEFW-VENET-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-VENET-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FWBR-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FWBR-IN -m set --match-set PVEFW-blacklist src -j DROP

-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FWBR-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-VENET-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A PVEFW-FORWARD -m set --match-set PVEFW-blacklist src -j DROP

so, only 4 lookups for non firewalled interfaces.

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Dietmar Maurer" <diet...@proxmox.com>, "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Tuesday, 13 May 2014 19:15:02
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

> > so, yes, bad idea ;)
> > So what packages do you want to block exactly?
> > -A PVEFW-FORWARD -o vmbr+ -m physdev --physdev-is-bridged -j RETURN

But I guess that does not work due to physdev match limitation :-/

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
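As an added example, not code from the mail or from the Proxmox firewall: a small Python model that walks the chain layout proposed above and counts how many rules a forwarded packet touches before a verdict (or before falling through to the FORWARD policy). The ipset contents and the packet fields are constructed placeholders; interface wildcards, conntrack state and ipset membership are reduced to simple lookups, and a user-defined chain that matches nothing falls through to the caller's next rule as it does in iptables.

```python
# Added example (not Proxmox code): a toy walk through the chain layout proposed above.
# RULES are transcribed from the mail as (chain, match, target); SETS and packets are constructed.
RULES = [
    ("PVEFW-FORWARD",   {"in": "venet0", "set_src": "PVEFW-venet0"},  "PVEFW-VENET-OUT"),
    ("PVEFW-VENET-OUT", {"ctstate": "INVALID"},                       "DROP"),
    ("PVEFW-VENET-OUT", {"ctstate": "RELATED,ESTABLISHED"},           "ACCEPT"),
    ("PVEFW-FORWARD",   {"physdev_in": "fwln+"},                      "PVEFW-FWBR-IN"),
    ("PVEFW-FWBR-IN",   {"ctstate": "INVALID"},                       "DROP"),
    ("PVEFW-FWBR-IN",   {"ctstate": "RELATED,ESTABLISHED"},           "ACCEPT"),
    ("PVEFW-FWBR-IN",   {"set_src": "PVEFW-blacklist"},               "DROP"),
    ("PVEFW-FORWARD",   {"physdev_out": "fwln+"},                     "PVEFW-FWBR-OUT"),
    ("PVEFW-FWBR-OUT",  {"ctstate": "INVALID"},                       "DROP"),
    ("PVEFW-FWBR-OUT",  {"ctstate": "RELATED,ESTABLISHED"},           "ACCEPT"),
    ("PVEFW-FORWARD",   {"out": "venet0", "set_dst": "PVEFW-venet0"}, "PVEFW-VENET-IN"),
    ("PVEFW-VENET-IN",  {"ctstate": "INVALID"},                       "DROP"),
    ("PVEFW-VENET-IN",  {"ctstate": "RELATED,ESTABLISHED"},           "ACCEPT"),
    ("PVEFW-FORWARD",   {"set_src": "PVEFW-blacklist"},               "DROP"),
]
SETS = {"PVEFW-venet0": {"10.0.0.5"}, "PVEFW-blacklist": {"192.0.2.99"}}  # constructed ipsets

def _ifmatch(pattern, name):
    # iptables treats a trailing '+' as a prefix wildcard: "fwln+" matches "fwln100i0".
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern

def _matches(match, pkt):
    for key, want in match.items():
        if key == "ctstate":
            ok = pkt["ctstate"] in want.split(",")
        elif key in ("set_src", "set_dst"):
            ok = pkt[key[4:]] in SETS[want]  # "src" / "dst" membership in the named ipset
        else:  # in / out / physdev_in / physdev_out
            ok = _ifmatch(want, pkt.get(key, ""))
        if not ok:
            return False
    return True

def walk(chain, pkt, trace):
    """Evaluate `chain` rule by rule; None means it fell through to the caller's next rule."""
    for match, target in ((m, t) for c, m, t in RULES if c == chain):
        trace.append(chain)  # one entry per rule looked at
        if not _matches(match, pkt):
            continue
        verdict = target if target in ("ACCEPT", "DROP") else walk(target, pkt, trace)
        if verdict is not None:
            return verdict
    return None

def forward(pkt):
    """Return (verdict, rules evaluated in PVEFW-FORWARD, rules evaluated in total)."""
    trace = []
    return walk("PVEFW-FORWARD", pkt, trace), trace.count("PVEFW-FORWARD"), len(trace)
```

A packet from a bridge port that is not behind an fwln+ interface only touches the PVEFW-FORWARD rules and never reaches the conntrack checks, while one seen on fwln+ is evaluated in PVEFW-FWBR-IN first; the final blacklist lookup in PVEFW-FORWARD still applies to both.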