[pve-devel] pve-firewall : iptables V2

Dietmar Maurer dietmar at proxmox.com
Fri Feb 14 12:01:58 CET 2014


iptables-restore v1.4.14: no command specified
Error occurred at line: 36

I tested with your example (first patch)

./pvefw enablevmfw -vmid 100
line 36 is the 'COMMIT'

what is wrong with that?

-----------------
*filter
:BRIDGEFW-OUT - [0:0]
:BRIDGEFW-IN - [0:0]
:proxmoxfw-FORWARD - [0:0]
-I FORWARD -j proxmoxfw-FORWARD
-A proxmoxfw-FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A proxmoxfw-FORWARD -m physdev --physdev-is-in --physdev-is-bridged -j BRIDGEFW-OUT
-A proxmoxfw-FORWARD -m physdev --physdev-is-out --physdev-is-bridged -j BRIDGEFW-IN
:proxmoxfw-INPUT - [0:0]
-I INPUT -j proxmoxfw-INPUT
-A INPUT -j ACCEPT
:vmbr0-IN - [0:0]
-A proxmoxfw-FORWARD -i vmbr0 -j DROP
-A BRIDGEFW-IN -j vmbr0-IN
-A vmbr0-IN -j ACCEPT
:vmbr0-OUT - [0:0]
-A proxmoxfw-FORWARD -o vmbr0 -j DROP
-A BRIDGEFW-OUT -j vmbr0-OUT
:tap100i0-IN - [0:0]
-A tap100i0-IN -m state --state INVALID -j DROP
-A tap100i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-IN -p tcp --dport 22 -j ACCEPT
-A tap100i0-IN -p icmp -j ACCEPT
-A tap100i0-IN -j LOG --log-prefix "tap100i0-IN-dropped: " --log-level 4
-A tap100i0-IN -j DROP
-I vmbr0-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
:tap100i0-OUT - [0:0]
-A tap100i0-OUT -m state --state INVALID -j DROP
-A tap100i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-OUT -p icmp -j vmbr0-IN
-A tap100i0-OUT -p tcp --dport 80 -j vmbr0-IN
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4
-A tap100i0-OUT -j DROP
-I vmbr0-OUT -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-OUT
-A proxmoxfw-INPUT -m physdev --physdev-in tap100i0 -j tap100i0-OUT
COMMIT
-------------------


> -----Original Message-----
> From: Alexandre DERUMIER [mailto:aderumier at odiso.com]
> Sent: Friday, 14 February 2014 10:42
> To: Dietmar Maurer
> Cc: pve-devel at pve.proxmox.com
> Subject: Re: [pve-devel] pve-firewall : iptables V2
> 
> >>I need to play around with that code first - I need more time to
> >>contribute something useful ;-)
> Ok, sure no problem
> 
> 
> ----- Original Message -----
> 
> From: "Dietmar Maurer" <dietmar at proxmox.com>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Friday 14 February 2014 10:39:20
> Subject: RE: [pve-devel] pve-firewall : iptables V2
> 
> > >>We can old and new ruleset, so there is no need to list
> > >>/sys/class/net/vmbrX/brif/tapX
> >
> > can you provide an example ?
> 
> I need to play around with that code first - I need more time to contribute
> something useful ;-)
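Added example, not part of this thread and not pve-firewall's own code: an offline linter for the file handed to iptables-restore, written to narrow down an error like the one above before touching a live host. The thread does not say what the cause turned out to be; the linter encodes one assumption taken from the iptables-restore 1.4.x source, namely that the COMMIT line is compared literally against "COMMIT\n", so a trailing space, a CR, or a missing final newline on that line sends it to the rule parser, which then reports "no command specified" at that line number. It also checks that rules and jump targets refer to declared chains. PAGE_RULESET is the ruleset quoted in the mail above; the two BROKEN_* variants are constructed here to reproduce the symptom.

```python
"""Offline linter for iptables-restore input (added example, not pve-firewall code).
Assumption from the iptables-restore 1.4.x source: COMMIT is recognised only when the
line is exactly "COMMIT\n"; any other line not starting with '*', ':' or '-' goes to the
rule parser, which fails with "no command specified" because it holds no -A/-I/-D/-R."""
import re
import shlex

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
SPECIAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}  # targets that are not user chains
RULE_COMMANDS = {"-A", "-I", "-D", "-R"}
CHAIN_DECL = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")

def lint_restore_input(text):
    """Return [(line_number, message), ...]; an empty list means the input is clean."""
    problems = []
    lines = text.split("\n")
    if text.endswith("\n"):
        lines.pop()  # drop the empty element after the final newline
    else:  # fgets() then yields "COMMIT" without '\n', which never matches "COMMIT\n"
        problems.append((len(lines), "last line is not newline-terminated"))
    in_table, chains, jumps = False, set(), []
    for no, line in enumerate(lines, start=1):
        if line.strip() == "COMMIT" and line != "COMMIT":
            problems.append((no, "COMMIT line has extra characters (space/CR): "
                                 "iptables-restore reports 'no command specified'"))
            line = "COMMIT"  # continue linting as if the line were correct
        if line == "" or line.startswith("#"):
            continue
        if line.startswith("*"):
            in_table, chains, jumps = True, set(BUILTIN_CHAINS), []
        elif line == "COMMIT":
            # user-chain jump targets only need to exist by the time the table commits
            problems += [(j, f"jump to undeclared chain {t}") for j, t in jumps if t not in chains]
            in_table = False
        elif line.startswith(":"):
            if not CHAIN_DECL.match(line):
                problems.append((no, "malformed chain declaration"))
            chains.add(line[1:].split()[0])
        else:
            tokens = shlex.split(line)  # handles the quoted --log-prefix argument
            if len(tokens) < 2 or tokens[0] not in RULE_COMMANDS:
                problems.append((no, "no command specified"))
                continue
            if tokens[1] not in chains:
                problems.append((no, f"rule for undeclared chain {tokens[1]}"))
            if "-j" in tokens[:-1]:
                target = tokens[tokens.index("-j") + 1]
                if target not in SPECIAL_TARGETS:
                    jumps.append((no, target))
    if in_table:
        problems.append((len(lines), "table not closed by COMMIT"))
    return problems

# The ruleset quoted in the mail above (36 lines, COMMIT on line 36).
PAGE_RULESET = """\
*filter
:BRIDGEFW-OUT - [0:0]
:BRIDGEFW-IN - [0:0]
:proxmoxfw-FORWARD - [0:0]
-I FORWARD -j proxmoxfw-FORWARD
-A proxmoxfw-FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A proxmoxfw-FORWARD -m physdev --physdev-is-in --physdev-is-bridged -j BRIDGEFW-OUT
-A proxmoxfw-FORWARD -m physdev --physdev-is-out --physdev-is-bridged -j BRIDGEFW-IN
:proxmoxfw-INPUT - [0:0]
-I INPUT -j proxmoxfw-INPUT
-A INPUT -j ACCEPT
:vmbr0-IN - [0:0]
-A proxmoxfw-FORWARD -i vmbr0 -j DROP
-A BRIDGEFW-IN -j vmbr0-IN
-A vmbr0-IN -j ACCEPT
:vmbr0-OUT - [0:0]
-A proxmoxfw-FORWARD -o vmbr0 -j DROP
-A BRIDGEFW-OUT -j vmbr0-OUT
:tap100i0-IN - [0:0]
-A tap100i0-IN -m state --state INVALID -j DROP
-A tap100i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-IN -p tcp --dport 22 -j ACCEPT
-A tap100i0-IN -p icmp -j ACCEPT
-A tap100i0-IN -j LOG --log-prefix "tap100i0-IN-dropped: " --log-level 4
-A tap100i0-IN -j DROP
-I vmbr0-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
:tap100i0-OUT - [0:0]
-A tap100i0-OUT -m state --state INVALID -j DROP
-A tap100i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-OUT -p icmp -j vmbr0-IN
-A tap100i0-OUT -p tcp --dport 80 -j vmbr0-IN
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4
-A tap100i0-OUT -j DROP
-I vmbr0-OUT -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-OUT
-A proxmoxfw-INPUT -m physdev --physdev-in tap100i0 -j tap100i0-OUT
COMMIT
"""
BROKEN_TRAILING_SPACE = PAGE_RULESET.replace("COMMIT\n", "COMMIT \n")  # constructed variant
BROKEN_NO_NEWLINE = PAGE_RULESET.rstrip("\n")                          # constructed variant

if __name__ == "__main__":
    for name, text in (("as posted", PAGE_RULESET), ("trailing space", BROKEN_TRAILING_SPACE),
                       ("no final newline", BROKEN_NO_NEWLINE)):
        print(f"{name}: {lint_restore_input(text) or 'clean'}")
```

Run as a script it reports the posted ruleset as clean and flags line 36 for both constructed variants, which is the line iptables-restore complained about. Running the generated file through this check (or through `iptables-restore --test`) before loading it keeps a generator bug from leaving a host half-configured, since iptables-restore aborts the whole table on the first parse error.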


