> # fixme: this is an optimization? if so, we should also drop INVALID > packages? > - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate > RELATED,ESTABLISHED -j ACCEPT"); > - > + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack > + --ctstate RELATED,ESTABLISHED -j PVEFW-Accept");
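
Review bot: On the added line, the jump target PVEFW-Accept is not created or described anywhere in the visible lines, and the "# fixme" comment above it still treats the rule as an optimization that may be missing a drop for INVALID. Please replace the fixme with a comment stating what PVEFW-Accept does with RELATED,ESTABLISHED traffic, in particular whether those packets still reach the per-VM NFQUEUE or are accepted before it. The INVALID question should be resolved in this change or tracked separately. The comment also says "packages" where "packets" is meant.
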
Confused now. You just explained that this does not work in the previous mail?

>>If we ACCEPT at begin of forward, we bypass ip.
>>and we jump to NFQUEUE at begin of forward, we are going to ips for all vms
>>(I want to enable it by vm)