move nosmurfs, tcpflags and conntrack established outside tap chains
These should be done fast,
conntrack established can be done in PVE-FORWARD now
smurf and tcpflags can be done in PVEFW-FWBR-IN and PVEFW-VENET-IN (don't
make sense to test them in OUT direction)
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0 -j veth0.0-OUT
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>