> so, in the case where no rule in the tap-in chain has matched (so it doesn't go into
> group-in either, and the mark is not overwritten)
Ah, I see.
___
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Sent: Friday 21 March 2014 08:09:43
Subject: RE: [pve-devel] [PATCH] add ips feature v6
> group-in rules now also use mark
This will overwrite the mark set by the -OUT chain, so this breaks the basic
flow?
----- Original Message -----
From: "Dietmar Maurer"
To: "Alexandre Derumier" , pve-devel@pve.proxmox.com
Sent: Friday 21 March 2014 07:13:52
Subject: RE: [pve-devel] [PATCH] add ips feature v6
> this creates a new chain PVEFW-Accept (not used anymore, but could be used
> for optimisation)
> group-in rules now also use mark
This will overwrite the mark set by the -OUT chain, so this breaks the basic
flow?
> this creates a new chain PVEFW-Accept (not used anymore, but could be used
> for optimisation for ESTABLISHED connections)
Please can you remove it. It is not used, so it does not really belong to this
commit.
It is very hard to find such dead code later.
This adds ips (like suricata) support through nfqueues.
The main idea is to replace -j ACCEPT with -j NFQUEUE, to pass packets to the ips.
It's using --queue-bypass (only available in the 3.10 kernel), so if the suricata
daemon is down, packets are not dropped.
tap-out chain,
-
we goto PVEFW-S
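The substitution the patch description sketches (ACCEPT becomes NFQUEUE, with --queue-bypass so a stopped IPS daemon fails open rather than dropping everything) can be modelled in a few lines. The following is an added example written for this page; it is not code from the patch or from pve-firewall. The chain name tap100i0-IN, the sample rules and queue number 0 are assumptions, and the choice to keep plain ACCEPT on kernels older than 3.10 (where --queue-bypass does not exist) is this example's own fail-open policy, not something the patch states.

```python
import re

# Added example, not part of the patch. Models the ACCEPT -> NFQUEUE rewrite
# described on the list and the fail-open property of --queue-bypass: with it,
# the kernel ACCEPTs a queued packet when no userspace program (e.g. suricata)
# is bound to the queue; without it, such packets are DROPped.

QUEUE_BYPASS_MIN_KERNEL = (3, 10)  # minimum kernel named in the patch description

# Constructed sample rules: (chain, match expression, terminal target).
# The chain name and rules are assumptions for illustration only.
SAMPLE_RULES = [
    ("tap100i0-IN", "-m conntrack --ctstate ESTABLISHED,RELATED", "ACCEPT"),
    ("tap100i0-IN", "-p tcp --dport 22", "ACCEPT"),
    ("tap100i0-IN", "", "DROP"),
]


def kernel_supports_queue_bypass(release: str) -> bool:
    """True if an `uname -r` style string is at least 3.10.

    Only the leading major.minor pair is compared, so both
    "3.10.0-327.el7.x86_64" and "4.4.0-generic" qualify.
    """
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2))) >= QUEUE_BYPASS_MIN_KERNEL


def ips_target(queue_num: int, bypass: bool) -> str:
    """Build the NFQUEUE target string, with --queue-bypass if requested."""
    target = f"NFQUEUE --queue-num {queue_num}"
    if bypass:
        target += " --queue-bypass"
    return target


def render_rules(rules, ips_enabled, kernel_release, queue_num=0):
    """Render (chain, match, target) tuples as iptables -A lines.

    With the IPS enabled, every ACCEPT target is rewritten to NFQUEUE so the
    packet is handed to userspace. On a kernel without --queue-bypass the
    rule is left as ACCEPT (this example's choice): an NFQUEUE rule without
    bypass would drop all traffic whenever the IPS daemon is down.
    """
    bypass_ok = kernel_supports_queue_bypass(kernel_release)
    out = []
    for chain, match, target in rules:
        if ips_enabled and target == "ACCEPT" and bypass_ok:
            target = ips_target(queue_num, bypass=True)
        parts = ["-A", chain, match, "-j", target]
        out.append(" ".join(p for p in parts if p))
    return out


def verdict_without_listener(target: str) -> str:
    """Kernel verdict for a packet hitting `target` when nothing has bound the queue."""
    if target.startswith("NFQUEUE"):
        return "ACCEPT" if "--queue-bypass" in target else "DROP"
    return target


if __name__ == "__main__":
    for line in render_rules(SAMPLE_RULES, ips_enabled=True, kernel_release="4.4.0"):
        print(line)
    for t in ("NFQUEUE --queue-num 0 --queue-bypass", "NFQUEUE --queue-num 0"):
        print(f"{t!r} with no IPS bound -> {verdict_without_listener(t)}")
```

Note that --queue-bypass only covers the case where nothing is bound to the queue; a suricata process that is running but wedged keeps the queue bound and the packets sit in it until the queue fills, so a real deployment also needs a health check on the daemon itself.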