>>We need physdev match to filter traffic from VMs?

Sorry, I wanted to say output interface instead of physdev.
>>iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

replace by

iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -j SNAT --to X.X.X.X (ip of the bridge)

How are the netfilter logs, with masquerade, with the IP on vmbr0 and without veth?

MASQTEST: IN= OUT=??? PHYSIN=tap116i0 PHYSOUT=???? SRC=10.10.10.3 DST=8.8.8.8

I'm a bit lost for now, I'll try to create a testlab tomorrow to see how things work.

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Monday, 10 March 2014 17:01:55
Subject: RE: [pve-devel] pvefw: masquerade problems and conntrack zones

> >>That behaves quite the same.
>
> Maybe, without veth ? (using bridge ip directly?).
> So we don't need to have physdev match.

We need physdev match to filter traffic from VMs?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel