> > -A PVEFW-FORWARD -i venet0 -j PVEFW-VENET-OUT
> > -A PVEFW-VENET-OUT -m set --match-set PVEFW-venet0-ipset src -j RETURN
> > -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
> > -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
> > -A PVEFW-FORWARD -o venet0 -j PVEFW-VENET-IN
> > -A PVEFW-VENET-IN -m set --match-set PVEFW-venet0-ipset dst -j RETURN
> >
> > like this, we do lookup in PVEFW-venet0 ipset only for venet0 traffic,
> > to know if it's firewalled or not.
>
> Is that different than this?
>
> -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0-ipset src -j PVEFW-VENET-OUT
>
> If so, why?
I am confused because I thought netfilter will not evaluate '--match-set' if '-i venet' does not match. So we will not gain any performance?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
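The point under discussion is how netfilter evaluates a single rule: the built-in matches (`-i`, `-o`, `-p`, `-s`, `-d`) are checked first, the `-m` extension matches are then evaluated in the order they were given, and evaluation of that rule stops at the first match that fails. So a packet that did not arrive on `venet0` never reaches the `--match-set` lookup, whether the lookup sits in a separate chain (the first layout quoted above) or in the same rule (the second). The following toy evaluator is an added example, not code from the thread or from the Proxmox firewall; it only counts ipset lookups per packet for the two layouts and deliberately says nothing about verdicts, since the first layout returns on an ipset hit while the second jumps on one, and the remainder of `PVEFW-VENET-OUT` is not shown in the thread. The chain and ipset names are taken from the quoted rules; the packet values and the ipset contents are constructed.

```python
"""Toy model of netfilter rule evaluation, used to count ipset lookups.

Added example (not Proxmox or pve-devel code).  Models the `-i venet0`
side of the two PVEFW-FORWARD layouts quoted in the thread and counts
how many `-m set` lookups each performs for a given packet.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str


@dataclass
class Stats:
    ipset_lookups: int = 0


Match = Callable[[Packet, Stats], bool]


@dataclass
class Rule:
    matches: List[Match]   # evaluated in order, stop at first failure
    target: str            # user chain name, "RETURN", "ACCEPT" or "DROP"


def in_iface(name: str) -> Match:
    # built-in `-i` match
    return lambda pkt, st: pkt.in_iface == name


def match_set(ipset: set, which: str) -> Match:
    # `-m set --match-set <ipset> src|dst`; every call is one lookup
    def m(pkt: Packet, st: Stats) -> bool:
        st.ipset_lookups += 1
        return (pkt.src if which == "src" else pkt.dst) in ipset
    return m


def walk(chains: Dict[str, List[Rule]], chain: str, pkt: Packet, st: Stats) -> Optional[str]:
    """Evaluate `chain` rule by rule.  A rule fires only if all of its
    matches succeed; all() stops at the first failing match, which is the
    short-circuit behaviour the thread asks about.  Returns a terminal
    verdict, or None when the chain falls through / RETURNs."""
    for rule in chains[chain]:
        if not all(m(pkt, st) for m in rule.matches):
            continue
        if rule.target == "RETURN":
            return None
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = walk(chains, rule.target, pkt, st)   # jump to user chain
        if verdict is not None:
            return verdict
    return None


# constructed: one container address in the ipset
VENET_IPSET = {"10.0.0.5"}


def layout_separate_chain() -> Dict[str, List[Rule]]:
    """-A PVEFW-FORWARD -i venet0 -j PVEFW-VENET-OUT
       -A PVEFW-VENET-OUT -m set --match-set PVEFW-venet0-ipset src -j RETURN"""
    return {
        "PVEFW-FORWARD": [Rule([in_iface("venet0")], "PVEFW-VENET-OUT")],
        "PVEFW-VENET-OUT": [Rule([match_set(VENET_IPSET, "src")], "RETURN")],
    }


def layout_single_rule() -> Dict[str, List[Rule]]:
    """-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0-ipset src -j PVEFW-VENET-OUT
       (the body of PVEFW-VENET-OUT is not shown in the thread; left empty here)"""
    return {
        "PVEFW-FORWARD": [Rule([in_iface("venet0"), match_set(VENET_IPSET, "src")], "PVEFW-VENET-OUT")],
        "PVEFW-VENET-OUT": [],
    }


def lookups_for(chains: Dict[str, List[Rule]], pkt: Packet) -> int:
    st = Stats()
    walk(chains, "PVEFW-FORWARD", pkt, st)
    return st.ipset_lookups


def compare(pkt: Packet) -> Dict[str, int]:
    """Ipset lookups performed for `pkt` under each layout."""
    return {
        "separate_chain": lookups_for(layout_separate_chain(), pkt),
        "single_rule": lookups_for(layout_single_rule(), pkt),
    }


if __name__ == "__main__":
    # constructed packets: one from a bridge port, one from venet0
    print(compare(Packet("eth0", "venet0", "192.0.2.10", "10.0.0.5")))   # no lookups in either layout
    print(compare(Packet("venet0", "eth0", "10.0.0.5", "192.0.2.10")))   # exactly one lookup in either layout
```

Running it shows both layouts doing zero ipset lookups for a packet that did not enter on `venet0` and exactly one for a packet that did, which is the behaviour the reply above expects from netfilter. The real kernel path is the same shape: `ipt_do_table` tests the built-in interface/address/protocol fields before any extension match, and stops at the first extension match that fails. What a separate chain buys is a clearer ruleset and a single place to hang further venet0 rules, not fewer ipset lookups; the cost difference between the two layouts is the chain jump, not the set lookup.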