[pve-devel] pvefw security group question

Alexandre DERUMIER aderumier at odiso.com
Wed Feb 19 10:44:33 CET 2014


Ok, I found it, something is wrong in tap-IN, it should be -j ACCEPT instead of -g vmbrX-IN



-F tap110i0-OUT
-A tap110i0-OUT -m state --state INVALID -j DROP
-A tap110i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap110i0-OUT -m mac ! --mac-source 1E:0B:85:27:8D:65 -j DROP
-A tap110i0-OUT  -p tcp --dport 80 -j vmbr1-IN
-A tap110i0-OUT  -j GROUP-security1-OUT
-A tap110i0-OUT -m mark --mark 1 -g vmbr1-IN
-A tap110i0-OUT -j LOG --log-prefix "tap110i0-OUT-dropped: " --log-level 4
-A tap110i0-OUT -j DROP
-A tap110i0-OUT -m comment --comment "PVESIG:HerXUzZtoVII2KYJLJFdioAB2P4"
-F tap110i0-IN
-A tap110i0-IN -m state --state INVALID -j DROP
-A tap110i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap110i0-IN  -p icmp -j ACCEPT
-A tap110i0-IN  -j GROUP-security1-IN

-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN   >> should be -j ACCEPT

-A tap110i0-IN -j LOG --log-prefix "tap110i0-IN-dropped: " --log-level 4
-A tap110i0-IN -j DROP
-A tap110i0-IN -m comment --comment "PVESIG:4Flp02aOZO/4fHWtkorB61XcVWo"
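The hang described in this thread is a chain loop: tap110i0-IN goes to vmbr1-IN, and the bridge chain dispatches back into the tap chain. The following is an added example, not code from the thread or from the Proxmox firewall, that parses iptables-save style rules into a graph of chain references and reports any cycle before the rules are loaded. The sample rule set is constructed from the chains quoted above; the GROUP-security1-IN mark rule and the vmbr1-IN physdev dispatch rule are assumptions made for illustration, not rules taken from the thread.

```python
"""Detect -j / -g cycles between user-defined chains in an iptables-save style rule set.

Added example (not from the pve-devel thread or the Proxmox firewall code).
"""
import re
from collections import defaultdict

# Targets that terminate or return rather than enter another user chain.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MARK", "QUEUE"}
_RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
_TARGET_RE = re.compile(r"(?:^|\s)(-j|-g|--jump|--goto)\s+(\S+)")


def parse_chain_graph(rules_text):
    """Return {chain: [(kind, target), ...]} where kind is 'jump' or 'goto'.

    Only -A lines are considered; -F, -N, comments and blank lines are skipped,
    and rules whose target is a built-in (ACCEPT, DROP, LOG, ...) add no edge.
    """
    graph = defaultdict(list)
    for line in rules_text.splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        chain, body = m.groups()
        graph.setdefault(chain, [])
        t = _TARGET_RE.search(body)
        if not t:
            continue
        kind, target = t.groups()
        if target in BUILTIN_TARGETS:
            continue
        graph[chain].append(("goto" if kind in ("-g", "--goto") else "jump", target))
    return dict(graph)


def find_cycle(graph):
    """Depth-first search over chain references; return the first cycle as a
    closed path of chain names, or None when the rule set is loop-free."""
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {c: WHITE for c in graph}
    stack = []

    def dfs(chain):
        color[chain] = GRAY
        stack.append(chain)
        for _, target in graph.get(chain, []):
            state = color.setdefault(target, WHITE)  # undefined chains are leaves
            if state == GRAY:
                return stack[stack.index(target):] + [target]
            if state == WHITE:
                found = dfs(target)
                if found:
                    return found
        stack.pop()
        color[chain] = BLACK
        return None

    for c in list(graph):
        if color[c] == WHITE:
            found = dfs(c)
            if found:
                return found
    return None


# Constructed sample: the tap110i0-IN chain from the thread plus two assumed
# rules (GROUP mark rule, vmbr1-IN physdev dispatch) that close the loop.
BROKEN_RULES = """\
-F tap110i0-IN
-A tap110i0-IN -m state --state INVALID -j DROP
-A tap110i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap110i0-IN -p icmp -j ACCEPT
-A tap110i0-IN -j GROUP-security1-IN
-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN
-A tap110i0-IN -j LOG --log-prefix "tap110i0-IN-dropped: " --log-level 4
-A tap110i0-IN -j DROP
-A GROUP-security1-IN -p tcp --dport 22 -j MARK --set-mark 1
-A vmbr1-IN -m physdev --physdev-out tap110i0 -j tap110i0-IN
"""

# The fix proposed in the thread: accept marked packets instead of re-entering the bridge chain.
FIXED_RULES = BROKEN_RULES.replace("-m mark --mark 1 -g vmbr1-IN", "-m mark --mark 1 -j ACCEPT")


def check_rules(rules_text):
    """Convenience wrapper: cycle as a list of chain names, or None."""
    return find_cycle(parse_chain_graph(rules_text))


if __name__ == "__main__":
    print("broken:", check_rules(BROKEN_RULES))
    print("fixed: ", check_rules(FIXED_RULES))
```

Run this over the output of `iptables-save` (or over the rule file that will be fed to `iptables-restore`) before loading it; a non-empty result names the chains that form the loop, which is the information the thread had to find by hand.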



----- Original Message ----- 

From: "Alexandre DERUMIER" <aderumier at odiso.com> 
To: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Wednesday, 19 February 2014 10:34:47 
Subject: Re: [pve-devel] pvefw security group question 

>>About your patches, iptables-restore hanging here for me: 
>> 
>>-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN 
>> 
>>any idea? (setting mark in other chains works fine) 

Oh, I think it's doing a loop, it should go to vmbr1-OUT 

-A tap110i0-IN -m mark --mark 1 -g vmbr1-OUT 



----- Original Message ----- 

From: "Alexandre DERUMIER" <aderumier at odiso.com> 
To: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Wednesday, 19 February 2014 10:21:18 
Subject: Re: [pve-devel] pvefw security group question 

>>No, this is a misunderstanding. 
>> 
>>We need separate GROUP-IN and GROUP-OUT rules. 

Ok :) 

>>My question was if we should allow to apply them independently. 
>>Currently, a VM can only use GROUP-IN for example. 
>> 
>>got it? 

No, sorry :( 

with my patches, we could already apply GROUP-IN in TAP-IN, and GROUP-OUT in TAP-OUT 

only difference between out/in group was, -j PVEFW-BRIDGE-IN or -j ACCEPT. 

(Note that with mark, it's improved, because we can jump directly to -j VMBRX-IN) 



About your patches, iptables-restore hanging here for me: 

-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN 

any idea? (setting mark in other chains works fine) 
----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Wednesday, 19 February 2014 09:51:15 
Subject: RE: [pve-devel] pvefw security group question 

> (But finally, you create GROUP-IN and GROUP-OUT rules? I thought you 
> wanted common group rules) 

No, this is a misunderstanding. 

We need separate GROUP-IN and GROUP-OUT rules. 

My question was if we should allow to apply them independently. 
Currently, a VM can only use GROUP-IN for example. 

got it? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 