> >> Yes, we also want to filter container to container traffic.
>
> Previously, we had a rule
>
> -    # always allow traffic from containers?
> -    ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN");
>
> so, it wasn't working at all before?
Here is what we produced previously:

    PVEFW-FORWARD (JRo5BSic0aO5zPRf9m6h7QUC+BM)
    -A PVEFW-FORWARD -i venet0 -s 192.168.3.104 -j venet0-104-OUT
    -A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-out -j vmbr0-FW
    -A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-in -j vmbr0-FW
    -A PVEFW-FORWARD -o venet0 -d 192.168.3.104 -j venet0-104-IN
    -A PVEFW-FORWARD -i venet0 -j RETURN

So that rule is just to accept traffic to non-firewalled containers.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
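Added example, not code from this thread or from pve-firewall: a small first-match walk of the PVEFW-FORWARD chain listed above, to show which traffic the trailing "-i venet0 -j RETURN" rule actually reaches (only containers without their own venet0-<vmid>-OUT chain) and that the 192.168.3.104 rules are consulted first. The physdev matches are modelled as simple boolean flags on the packet, which is an assumed simplification.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """Constructed forwarded packet as seen by the FORWARD chain."""
    in_if: str
    out_if: str
    src: str
    dst: str
    physdev_in: bool = False   # stands in for -m physdev --physdev-is-in
    physdev_out: bool = False  # stands in for -m physdev --physdev-is-out


# The chain from the message, one dict per rule: iptables match -> value, "-j" -> target.
PVEFW_FORWARD = [
    {"-i": "venet0", "-s": "192.168.3.104", "-j": "venet0-104-OUT"},
    {"-o": "vmbr0", "physdev_out": True, "-j": "vmbr0-FW"},
    {"-i": "vmbr0", "physdev_in": True, "-j": "vmbr0-FW"},
    {"-o": "venet0", "-d": "192.168.3.104", "-j": "venet0-104-IN"},
    {"-i": "venet0", "-j": "RETURN"},
]

MATCHERS = {
    "-i": lambda p, v: p.in_if == v,
    "-o": lambda p, v: p.out_if == v,
    "-s": lambda p, v: p.src == v,
    "-d": lambda p, v: p.dst == v,
    "physdev_in": lambda p, v: p.physdev_in == v,
    "physdev_out": lambda p, v: p.physdev_out == v,
}


def first_match(chain, pkt: Packet) -> Optional[str]:
    """Return the target of the first rule whose matches all hold.

    None means the packet fell off the end of the chain, so whatever
    follows the jump into PVEFW-FORWARD (and finally the policy) decides.
    """
    for rule in chain:
        matches = {k: v for k, v in rule.items() if k != "-j"}
        if all(MATCHERS[k](pkt, v) for k, v in matches.items()):
            return rule["-j"]
    return None


if __name__ == "__main__":
    # Firewalled container 104 vs. a non-firewalled container 192.168.3.105
    print(first_match(PVEFW_FORWARD, Packet("venet0", "vmbr0", "192.168.3.104", "10.0.0.1")))
    print(first_match(PVEFW_FORWARD, Packet("venet0", "vmbr0", "192.168.3.105", "10.0.0.1")))
    print(first_match(PVEFW_FORWARD, Packet("vmbr0", "venet0", "10.0.0.1", "192.168.3.105")))
```

Note that with these rules the RETURN only covers the from-container direction: traffic towards a non-firewalled container on venet0 matches nothing in the chain and falls off its end.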