[pve-devel] Contribution to pve

Dietmar Maurer dietmar at proxmox.com
Thu Apr 19 07:51:25 CEST 2012


I would like to have filter rules per network interface, and want to filter without knowing
the IP address. AFAICS that is not possible with iptables on bridges, so we are looking
for another solution.

- Dietmar

> -----Original Message-----
> From: pve-devel-bounces at pve.proxmox.com [mailto:pve-devel-
> bounces at pve.proxmox.com] On Behalf Of Michael Rasmussen
> Sent: Donnerstag, 19. April 2012 00:03
> To: pve-devel at pve.proxmox.com
> Subject: [pve-devel] Contribution to pve
> 
> Hi all,
> 
> I guess many users are in the same situation as me - only one or a few public
> IPs, which means you are forced to use NAT'ing between the public IP(s) and
> a number of virtual hosts running behind a venet interface. If you further
> would like these virtual hosts on another VLAN than the bridge interface
> behind the venet, some sort of pre- and post-routing is required.
> 
> To make life easy for myself I have made a small Perl package and a Perl
> interface to this package which does all the required iptables stuff.
> To cut the details, the package provides a few utility functions (list current
> rules, clear current rules etc.) and the two important
> functions:
> NAT: Create an outgoing NAT rule from venetN to vmbrN. E.g. venet0 is post
> routed over vmbr0 using SNAT --to-source vmbr0 IP
> FORWARD: Create an incoming NAT rule from vmbrN to venetN. E.g. port x on
> vmbr0 is routed to venet0 port y using DNAT --to-destination venet0 IP.
> 
> Features missing:
> 1) Only handles TCP at the moment; being able to handle UDP would be nice.
> 2) Clearing rules means all rules. It would be nice to be able to clear all rules
> on a specific venet IP or a specific vmbr interface.
> 3) Web integration would be nice. For this to happen help would be needed.
> 
> If you find the above interesting I would like to contribute my code to the
> project. Missing features 1 and 2 will be made in a short while.
> Feature 3 will take time and help to be made.
> 
> --
> Hilsen/Regards
> Michael Rasmussen
> 
> Get my public GnuPG keys:
> michael <at> rasmussen <dot> cc
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
> mir <at> datanom <dot> net
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
> mir <at> miras <dot> org
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
> --------------------------------------------------------------
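
The NAT and FORWARD rule shapes described in the quoted message, extended to UDP and to clearing rules for a single address (its missing features 1 and 2), as an added example that is not Michael Rasmussen's Perl package or Proxmox code. It only prints iptables commands; the function names and all addresses and ports are assumptions made for illustration.

```shell
#!/bin/sh
# Dry run: every function prints iptables commands instead of executing them.
# Function names are hypothetical; addresses/ports passed in are sample values.

valid_proto() { case "$1" in tcp|udp) return 0 ;; *) return 1 ;; esac; }

valid_port() {
    # Reject empty, non-numeric and over-long input before the numeric test.
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Outgoing NAT: traffic from a container address leaving via the bridge.
# snat_rule CT_IP OUT_IF PUBLIC_IP
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$1" "$2" "$3"
}

# Incoming port forward: PUBLIC_PORT on the bridge to CT_IP:CT_PORT.
# dnat_rule PROTO IN_IF PUBLIC_PORT CT_IP CT_PORT
dnat_rule() {
    valid_proto "$1" || { echo "unsupported protocol: $1" >&2; return 1; }
    { valid_port "$3" && valid_port "$5"; } || { echo "bad port" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$2" "$1" "$3" "$4" "$5"
}

# Reads `iptables -t nat -S` output on stdin and prints the matching -D
# commands for one container address only. The address is matched as a whole
# token, so 10.0.0.5 does not also select 10.0.0.50.
# delete_cmds_for CT_IP
delete_cmds_for() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "^-A .*[ ]${ip_re}(/32|:[0-9]+)?( |\$)" |
        sed 's/^-A /iptables -t nat -D /'
}
```

Review the printed commands before piping them to a shell; nothing here touches the running ruleset.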



