[pve-devel] pvefw security group question

Dietmar Maurer dietmar at proxmox.com
Tue Feb 18 16:10:32 CET 2014


> Currently you can apply the security group in both direction
> 
> vmid.fw
> [IN]
> GROUP-security1 net0 - - - - -
> 
> [OUT]
> GROUP-security1 net0 - - - - -
> 
> 
> but in vmid.fw, I only specify the GROUP name.

Yes, but you can also apply it for a single direction (only IN, only OUT)??
 
> But in firewall.pm, I force $group.'-IN' or $group.'-OUT'
> to be sure that a wrong group-in is not in tap-out for example.
>
> Note, I have sent a small fix yesterday on the mailing, "
> @@ -430,7 +430,7 @@ sub generate_group_rules {
>              # we go the BRIDGEFW-IN because we need to check also other tap
> rules
>              # (and group rules can be set on any bridge, so we can't go to
> VMBRXX-IN)
>              $rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';
> -            ruleset_generate_rule($rule, $chain, $rule);
> +            ruleset_generate_rule($ruleset, $chain, $rule);
>          }
>      }
>  }
> "
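Review bot: the argument fix on the `ruleset_generate_rule($ruleset, $chain, $rule);` line is right as far as the hunk shows: the first parameter is the ruleset being built, and passing `$rule` twice went unnoticed only because Perl does not check what is handed in. One thing to confirm on the `$rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';` line two lines above it: it rewrites the rule hash in place, so if the same parsed group rules are later emitted for the IN direction (which, per this thread, should keep jumping to ACCEPT), that pass would see BRIDGEFW-IN instead; copying the rule before rewriting the action, or passing the target as a parameter, would avoid that. The comment above it would also read more clearly as "we jump to BRIDGEFW-IN" rather than "we go the BRIDGEFW-IN".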
> maybe this is because you can't apply the group rule in both direction ?

OK, applied that.
 
> >>Do you really want that (why)?
> 
> We need to be careful, because in GROUP-OUT we jump to BRIDGEFW-IN
> instead of ACCEPT.
> 
> >>Or can we use an extra section for GROUPS, and always apply both
> directions?
> But we could define
> [GROUPS]
> securityname1 net0
> 
> and generate GROUP-IN and GROUP-OUT from this rule. (only difference is -
> j ACCEPT or -j BRIDGEFW-IN)

No. I just want to apply GROUP-IN and GROUP-OUT.
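To make the direction handling discussed above concrete, here is a small stand-alone model of how a GROUP-<name> line in the [IN] or [OUT] section of vmid.fw maps onto a direction-specific chain. This is an added illustration and not Proxmox's firewall.pm: the chain names, the BRIDGEFW-IN target for the OUT direction and the seven-column line layout follow what the thread describes; the parser structure, the function names and the rejection of group names carrying their own -IN/-OUT suffix are assumptions made for the example.

```python
"""Model of vmid.fw [IN]/[OUT] sections and GROUP rule chain mapping.

Added illustration, not the project's own code. Chain naming
(GROUP-<name>-IN / -OUT) and the ACCEPT -> BRIDGEFW-IN rewrite for the
OUT direction follow the mailing-list thread; everything else is assumed.
"""

# Constructed sample vmid.fw content, shaped like the thread's example.
SAMPLE_VM_FW = """\
[IN]
GROUP-security1 net0 - - - - -

[OUT]
GROUP-security1 net0 - - - - -
"""

DIRECTIONS = ("IN", "OUT")


def parse_vm_fw(text):
    """Return (direction, group, iface) tuples for every GROUP rule.

    The direction comes only from the enclosing section, never from the
    group name, so a rule can never land in the chain of the other direction.
    """
    section = None
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            if section not in DIRECTIONS:
                raise ValueError(f"line {lineno}: unknown section [{section}]")
            continue
        if section is None:
            raise ValueError(f"line {lineno}: rule outside of a section")
        fields = line.split()
        if not fields[0].startswith("GROUP-"):
            continue  # ordinary (non-group) rules are not modelled here
        group = fields[0][len("GROUP-"):]
        # Assumption: a group name with a direction suffix is refused, so the
        # suffix appended later cannot be forged from the config file.
        if group.upper().endswith(("-IN", "-OUT")):
            raise ValueError(f"line {lineno}: group name must not carry -IN/-OUT")
        iface = fields[1] if len(fields) > 1 else None
        rules.append((section, group, iface))
    return rules


def group_chain(group, direction):
    """Chain name plus the target an ACCEPT rule is rewritten to.

    IN:  an accepted packet is done, so ACCEPT stays ACCEPT.
    OUT: the packet still has to traverse the other taps' rules on the
         bridge, so ACCEPT becomes a jump to BRIDGEFW-IN (as in the thread).
    """
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction {direction!r}")
    accept_target = "ACCEPT" if direction == "IN" else "BRIDGEFW-IN"
    return f"GROUP-{group}-{direction}", accept_target


def resolve(text):
    """Parse a vmid.fw text and return one dict per group rule with its chain."""
    out = []
    for direction, group, iface in parse_vm_fw(text):
        chain, target = group_chain(group, direction)
        out.append({"direction": direction, "iface": iface,
                    "chain": chain, "accept_target": target})
    return out


if __name__ == "__main__":
    for entry in resolve(SAMPLE_VM_FW):
        print(entry)
```

The same group name yields two distinct chains, one per section, and only the OUT chain rewrites ACCEPT to a BRIDGEFW-IN jump; the parser derives the direction from the section alone, which is the property the thread is after.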


