[pve-devel] [PATCH 2/8] remove bridge chain
Alexandre Derumier
aderumier at odiso.com
Wed Apr 30 10:56:31 CEST 2014
New model:
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-out tap+ -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tap110i0-IN
-A PVEFW-FORWARD -m physdev --physdev-in tap+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap110i0 -j tap110i0-OUT
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 40 +++++++++++++++++-----------------------
1 file changed, 17 insertions(+), 23 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 3ea095c..35c3a8e 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1102,7 +1102,7 @@ sub iptables_get_chains {
return 1 if $name =~ m/^venet0-\d+-(:?IN|OUT)$/;
- return 1 if $name =~ m/^vmbr\d+(v\d+)?-(:?FW|IN|OUT|IPS)$/;
+ return 1 if $name =~ m/^fwbr(\d+)i(\d+)-(:?FW|IN|OUT|IPS)$/;
return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
return undef;
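Review bot: The group `(:?FW|IN|OUT|IPS)` on the added line is a capturing group whose first alternative begins with an optional colon, not the non-capturing `(?:...)` the author evidently meant; it still accepts the intended names but also matches `fwbr1i0-:FW`, and the same slip is present on the neighbouring `venet0` and `GROUP-` lines. Since nothing here uses the captures, the line would read `return 1 if $name =~ m/^fwbr\d+i\d+-(?:FW|IN|OUT|IPS)$/;`. The enclosing sub starts outside the hunk.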
@@ -1679,10 +1679,10 @@ sub generate_tap_rules_direction {
# plug the tap chain to bridge chain
if ($direction eq 'IN') {
- ruleset_addrule($ruleset, "$bridge-IN",
- "-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain");
+ ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
+ "-m physdev --physdev-out $iface -j $tapchain");
} else {
- ruleset_addrule($ruleset, "$bridge-OUT",
+ ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
"-m physdev --physdev-in $iface -j $tapchain");
}
}
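Review bot: The new PVEFW-FWBR-IN rule drops the `--physdev-is-bridged` qualifier that the replaced `$bridge-IN` rule carried, while the rule listing in the commit message (the tap123i0-IN and tap110i0-IN lines) still shows it; code and description should agree on which is intended. Keeping it restricts the match to frames actually bridged out through `$iface`, which is what the fwbr model relies on, so unless there is a reason to widen the match I would keep `"-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain"`. If `$bridge` was only used to build these two chain names it is now an unused parameter of generate_tap_rules_direction; the sub's signature lies outside the hunk.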
@@ -2673,6 +2673,16 @@ sub compile {
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m set --match-set PVEFW-blacklist src -j DROP");
}
+ if (!ruleset_chain_exist($ruleset, "PVEFW-FWBR-IN")) {
+ ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-out tap+ -j PVEFW-FWBR-IN");
+ }
+
+ if (!ruleset_chain_exist($ruleset, "PVEFW-FWBR-OUT")) {
+ ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
+ ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-in tap+ -j PVEFW-FWBR-OUT");
+ }
+
generate_std_chains($ruleset, $hostfw_options);
my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
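Review bot: The dispatch from PVEFW-FORWARD into PVEFW-FWBR-IN/OUT matches only `--physdev-out tap+` and `--physdev-in tap+`, but the later hunk of compile (the loop that reads `$d->{host_ifname}`) plugs that interface into the same two chains; if host_ifname is not tap-prefixed, its per-interface chains are created but never reached and the container's rules silently do not apply. Either the two jump rules need a second match for the container interface prefix, or that loop should not emit per-interface chains here; I cannot tell from the hunk which host_ifname values occur. The jump rules are also added only when the chain did not already exist, so a pre-existing chain would be left without a FORWARD jump; if ruleset_create_chain is always reached on a fresh ruleset this is harmless, but the intent deserves a comment such as `# PVEFW-FWBR-IN/OUT: shared dispatch chains for all tap interfaces (filled by generate_tap_rules_direction)`.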
@@ -2691,13 +2701,12 @@ sub compile {
my $net = PVE::QemuServer::parse_net($conf->{$netid});
next if !$net;
my $iface = "tap${vmid}i$1";
+
+ next if !$net->{firewall};
my $bridge = $net->{bridge};
next if !$bridge; # fixme: ?
-
- $bridge .= "v$net->{tag}" if $net->{tag};
-
- generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config);
+ $bridge = "fwbr${vmid}i$1";
my $macaddr = $net->{macaddr};
generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
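Review bot: `$bridge = "fwbr${vmid}i$1";` relies on `$1` from a match made above the hunk and several statements earlier (it is already reused for `$iface`), which is the kind of capture reuse that breaks as soon as another regex is inserted in between; capture the index once into a lexical next to `$iface` and build both names from it. With that, `$net->{bridge}` is only read to skip interfaces without a bridge, so the three lines reduce to `next if !$net->{bridge}; # fixme: ?` followed by `my $bridge = "fwbr${vmid}i$idx";`. The call to generate_tap_rules_direction and the rest of compile continue past the hunk.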
@@ -2731,8 +2740,6 @@ sub compile {
next; # fixme?
}
- generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config);
-
my $macaddr = $d->{mac};
my $iface = $d->{host_ifname};
generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
@@ -2743,19 +2750,6 @@ sub compile {
}
}
- # fixme: should we really block inter-bridge traffic?
-
- # always allow traffic from containers?
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN");
-
- # disable interbridge routing
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j PVEFW-Drop");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j PVEFW-Drop");
- ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-o vmbr+");
- ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-i vmbr+");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP");
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP");
-
return ($ruleset, $ipset_ruleset);
}
--
1.7.10.4