[pve-devel] pvefw security group question
Alexandre DERUMIER
aderumier at odiso.com
Wed Feb 19 06:22:33 CET 2014
>>-A vmbr1-OUT -m physdev --physdev-in tap123i0 --physdev-is-bridged -j tap123i0-OUT
>>-A tap123i0-OUT -j GROUP-security1-OUT
>>-A GROUP-security1-OUT -p icmp -j MARK --set-mark 1
>>
>>-A tap123i0-OUT -m mark --mark 0x1 -j vmbr1-IN
I have thought about it; it's a little bit more complex.
We need to check the mark after each mark rule, to be sure to exit the chain, because if we have a DROP rule after, it'll not work.
Also we need to reset the mark in the IN chain, because the group rules use the same mark.
-A vmbr1-OUT -m physdev --physdev-in tap123i0 --physdev-is-bridged -j tap123i0-OUT
# group security1: allow icmp, leave the group as soon as the packet is marked
-A tap123i0-OUT -j GROUP-security1
-A GROUP-security1 -p icmp -j MARK --set-mark 1
-A GROUP-security1 -m mark --mark 0x1 -j RETURN
-A GROUP-security1 -p icmp -j DROP
-A tap123i0-OUT -m mark --mark 0x1 -j vmbr1-IN
# group security2: allow ssh ("ssh" is not a valid -p protocol, match tcp port 22)
-A tap123i0-OUT -j GROUP-security2
-A GROUP-security2 -p tcp --dport 22 -j MARK --set-mark 1
-A GROUP-security2 -m mark --mark 0x1 -j RETURN
-A GROUP-security2 -p tcp --dport 22 -j DROP
-A tap123i0-OUT -m mark --mark 0x1 -j vmbr1-IN
# IN direction: reset the mark first, the groups below reuse mark 1
-A vmbr1-IN -j MARK --set-mark 0
# traffic entering the guest leaves the bridge through its tap, so match physdev-out
-A vmbr1-IN -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tap110i0-IN
-A tap110i0-IN -j GROUP-security3
-A GROUP-security3 -p icmp -j MARK --set-mark 1
-A GROUP-security3 -m mark --mark 0x1 -j RETURN
-A GROUP-security3 -p icmp -j DROP
# a marked packet passed an IN group: accept it (jumping back to vmbr1-IN would be a chain loop)
-A tap110i0-IN -m mark --mark 0x1 -j ACCEPT
-A tap110i0-IN -j GROUP-security4
-A GROUP-security4 -p tcp --dport 22 -j MARK --set-mark 1
-A GROUP-security4 -m mark --mark 0x1 -j RETURN
-A GROUP-security4 -p tcp --dport 22 -j DROP
-A tap110i0-IN -m mark --mark 0x1 -j ACCEPT
I don't know, but maybe it's a little bit too complex? And it adds some overhead, because we need to check the mark after each rule.
Note that I haven't tested it.
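To check the reasoning above without loading anything into a kernel, here is a small model of filter-table chain traversal. This is an added example, not Proxmox or pve-firewall code; the chain and group names (vmbr1-OUT, tap123i0-OUT, GROUP-security1, ...) are taken from the thread, while the sample protocols, the "allow only icmp on the IN side" choice and the trailing "ACCEPT when marked" rule in tap110i0-IN are assumptions of the model. It shows the two failure modes named above: without a RETURN right after each MARK, the DROP further down the group eats the marked packet, and without resetting the mark before the IN chains, a packet marked by an OUT group bypasses the IN groups entirely.

```python
"""Tiny model of iptables filter-chain traversal (added example, not pve-firewall
code).  It has just enough semantics to exercise the MARK/RETURN design from
the thread: user-chain jumps, RETURN, the non-terminating MARK target, the
`-m mark` match, and the ACCEPT/DROP verdicts."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    proto: str     # constructed sample values: "icmp" or "tcp/22"
    mark: int = 0  # nfmark; a fresh packet carries 0


@dataclass
class Rule:
    target: str                       # MARK, RETURN, ACCEPT, DROP or a user chain
    proto: Optional[str] = None       # -p match (None matches any protocol)
    mark: Optional[int] = None        # -m mark --mark N (None matches any mark)
    set_mark: Optional[int] = None    # --set-mark N, used with the MARK target


Chains = Dict[str, List[Rule]]


def walk(chains: Chains, chain: str, pkt: Packet, depth: int = 0) -> Optional[str]:
    """Evaluate `chain` for `pkt`.  Returns "ACCEPT"/"DROP" for a terminating
    verdict, or None when the chain returns (explicit RETURN or end of chain),
    in which case the calling chain continues with its next rule."""
    if depth > 32:  # iptables refuses real loops at load time; guard the model
        raise RuntimeError("chain loop via " + chain)
    for r in chains[chain]:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.mark is not None and r.mark != pkt.mark:
            continue
        if r.target == "MARK":
            pkt.mark = r.set_mark        # MARK does not terminate: keep evaluating
        elif r.target == "RETURN":
            return None
        elif r.target in ("ACCEPT", "DROP"):
            return r.target
        else:                            # -j <user chain>
            v = walk(chains, r.target, pkt, depth + 1)
            if v is not None:
                return v
    return None


def group(allowed_proto: str, return_after_mark: bool) -> List[Rule]:
    """A GROUP-securityN chain that allows one protocol and then, further down,
    carries a DROP for that same traffic (the case the thread worries about)."""
    rules = [Rule("MARK", proto=allowed_proto, set_mark=1)]
    if return_after_mark:
        rules.append(Rule("RETURN", mark=1))   # leave the group as soon as marked
    rules.append(Rule("DROP", proto=allowed_proto))
    return rules


def build(return_after_mark: bool, reset_mark_in_IN: bool) -> Chains:
    """Chains for guest tap123i0 talking to guest tap110i0 across vmbr1.  Chain
    and group names follow the thread; only icmp is allowed on the IN side so
    that a mark leaking over from the OUT side becomes visible (model assumption)."""
    vmbr1_in = [Rule("MARK", set_mark=0)] if reset_mark_in_IN else []
    vmbr1_in.append(Rule("tap110i0-IN"))
    return {
        "vmbr1-OUT": [Rule("tap123i0-OUT")],
        "tap123i0-OUT": [
            Rule("GROUP-security1"), Rule("vmbr1-IN", mark=1),
            Rule("GROUP-security2"), Rule("vmbr1-IN", mark=1),
        ],
        "GROUP-security1": group("icmp", return_after_mark),
        "GROUP-security2": group("tcp/22", return_after_mark),
        "vmbr1-IN": vmbr1_in,
        "tap110i0-IN": [Rule("GROUP-security3"), Rule("ACCEPT", mark=1)],
        "GROUP-security3": group("icmp", return_after_mark),
    }


def verdict(chains: Chains, proto: str) -> str:
    """Final verdict for one forwarded packet; no verdict means the chain policy
    (DROP in this model) applies."""
    return walk(chains, "vmbr1-OUT", Packet(proto)) or "DROP (policy)"


if __name__ == "__main__":
    for label, chains in [
        ("no RETURN after MARK", build(False, True)),
        ("RETURN after MARK, mark reset in vmbr1-IN", build(True, True)),
        ("RETURN after MARK, mark NOT reset", build(True, False)),
    ]:
        print(f"{label}: icmp -> {verdict(chains, 'icmp')}, "
              f"tcp/22 -> {verdict(chains, 'tcp/22')}")
```

Running it prints one line per variant: the first drops icmp although security1 allows it, the second accepts icmp and lets the IN side drop tcp/22 as intended, and the third accepts tcp/22 on the IN side only because the mark set by GROUP-security2 was never cleared. The model treats MARK as non-terminating and `-m mark` as a plain equality match, which is exactly the behaviour the rule layout above relies on.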
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 18 February 2014 18:42:03
Subject: Re: [pve-devel] pvefw security group question
>>so it seems possible to use it in forward.
Maybe something like this can help:
-A vmbr1-OUT -m physdev --physdev-in tap123i0 --physdev-is-bridged -j tap123i0-OUT
-A tap123i0-OUT -j GROUP-security1-OUT
-A GROUP-security1-OUT -p icmp -j MARK --set-mark 1
-A tap123i0-OUT -m mark --mark 0x1 -j vmbr1-IN
?
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 18 February 2014 18:30:00
Subject: Re: [pve-devel] pvefw security group question
just found this
http://andys.org.uk/bits/2010/01/27/iptables-fun-with-mark/
so it seems possible to use it in forward.
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 18 February 2014 18:26:45
Subject: Re: [pve-devel] pvefw security group question
>>That would be very strange, because it only sets an integer value in the packet.
>>I think that is available in all tables?
Maybe I'm wrong, it should be tested :)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 18 February 2014 18:06:21
Subject: RE: pvefw security group question
> >>to mark packets which should be ACCEPTED? Does that help?
>
> AFAIK, MARK can only be used in mangle table, not in filter table
That would be very strange, because it only sets an integer value in the packet.
I think that is available in all tables?
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel