>> Why? There is no need to do the lookup if '-i venet0' fails.
>>
>> Or do you think kernel/netfilter will do this lookup unconditionally/always?

I'm not sure, but I think it's doing both tests (-i vnet0 && -m set --match-set PVEFW-venet0-ipset src). But I'm not an iptables expert, maybe they have already optimized this ;)

----- Original message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Thursday 15 May 2014 06:40:20
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

> > a small difference:
> >
> > 1)
> > -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0-ipset src
> > -j PVEFW-VENET-OUT
> >
> > all unfirewalled packets (fwpr+->vmbr+) for example, will lookup
> > inside the ipset PVEFW-venet0-ipset
>
> Why? There is no need to do the lookup if '-i venet0' fails.
> Or do you think kernel/netfilter will do this lookup unconditionally/always?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
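The question in the exchange above is whether netfilter consults the ipset when the `-i venet0` match already failed. The Python model below is an added illustration, not code from this thread or from the Proxmox firewall: it mirrors the order in which the kernel's `ipt_do_table` evaluates one rule (built-in matches such as the input interface first, then the `-m` extension matches in order, stopping at the first match that fails) and counts how often the set lookup is actually performed. The rule is the one quoted in the thread; the `+` prefix wildcard handling follows iptables's interface-name semantics; the ipset contents, packets and the `Ruleset`/`Packet`/`Rule` names are constructed for this example.

```python
# Added example (not from the thread): a model of iptables rule evaluation
# order, used to show that a failed '-i venet0' match short-circuits the
# '-m set --match-set ... src' lookup. All packets and set members below
# are constructed sample data.

from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def iface_match(pattern: str, name: str) -> bool:
    """iptables interface matching: a trailing '+' is a prefix wildcard
    (e.g. 'fwpr+' matches 'fwpr100p0'); otherwise names must be equal."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


@dataclass
class Packet:
    in_iface: str      # interface the packet arrived on
    src: str           # source address, as checked by '--match-set <set> src'


@dataclass
class Rule:
    in_iface: Optional[str]    # -i <iface>, a built-in match
    match_set: Optional[str]   # -m set --match-set <name> src, an extension match
    target: str                # -j <chain>


class Ruleset:
    """One chain, evaluated the way ipt_do_table walks its entries."""

    def __init__(self, rules: List[Rule], ipsets: Dict[str, Set[str]]):
        self.rules = rules
        self.ipsets = ipsets
        self.set_lookups = 0   # how many times the ipset extension ran

    def _rule_matches(self, rule: Rule, pkt: Packet) -> bool:
        # Built-in matches (ip_packet_match) are checked first; a failure
        # here means no extension match of this rule is ever evaluated.
        if rule.in_iface is not None and not iface_match(rule.in_iface, pkt.in_iface):
            return False
        # Extension matches (xt_ematch_foreach), in rule order, each of
        # which can short-circuit the rest.
        if rule.match_set is not None:
            self.set_lookups += 1
            if pkt.src not in self.ipsets[rule.match_set]:
                return False
        return True

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if self._rule_matches(rule, pkt):
                return rule.target
        return "RETURN"   # end of chain: fall through to the caller/policy


def demo():
    """Evaluate the rule from the thread against three constructed packets
    and report the verdicts plus the number of ipset lookups performed."""
    ipsets = {"PVEFW-venet0-ipset": {"10.0.0.5"}}   # constructed contents
    forward = Ruleset(
        [Rule("venet0", "PVEFW-venet0-ipset", "PVEFW-VENET-OUT")], ipsets)
    results = {
        # bridged traffic (fwpr+ -> vmbr+): interface match fails, no lookup,
        # even though the source address is in the set
        "bridged": forward.verdict(Packet("fwpr100p0", "10.0.0.5")),
        "venet_in_set": forward.verdict(Packet("venet0", "10.0.0.5")),
        "venet_not_in_set": forward.verdict(Packet("venet0", "192.0.2.9")),
    }
    return results, forward.set_lookups


if __name__ == "__main__":
    verdicts, lookups = demo()
    for name, target in verdicts.items():
        print(f"{name:18s} -> {target}")
    print("ipset lookups performed:", lookups)
```

Running it shows two lookups in total: only the two packets that arrived on `venet0` reach the `-m set` match, while the bridged packet is rejected by the interface match before the set is consulted. Whether a given rule ordering is cheap therefore depends on which match comes first; built-in matches like `-i` are always evaluated before any extension.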