> so 4 rules for unfirewalled veth|tap traffic.
> for unfirewalled venet0 traffic, we enter PVEFW-VENET-OUT|IN, so I would
> like to find a way to bypass it

OK

> also,
>
> I don't know if we want to keep
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> for non firewalled vms ?

no opinion (AFAIK you wanted that).

> (do we want to conntrack non firewalled vms ? can improve performance,
> but in case of firewall attack (synflood for example), if conntrack is full,
> this will impact non firewalled vms)

I guess it is better not to touch traffic for non firewalled vms.

Do you want to provide that patch?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel