We need to accept traffic at the end of bridge rules for outgoing packets from tap->ethX,
as we don't do ACCEPT in tap-out rules.
IN=vmbr0 OUT=vmbr0 PHYSIN=tap110i0 PHYSOUT=eth0
-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW
-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-FW -j ACCEPT
-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
ruleset_create_chain($ruleset, "$bridge-IN");
ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN");
+ ruleset_addrule($ruleset, "$bridge-FW", "-j ACCEPT");
}
}