[pve-devel] pvefw security group question
Alexandre DERUMIER
aderumier at odiso.com
Wed Feb 19 10:44:33 CET 2014
Ok, I found it, something is wrong in tap-IN, it should -j ACCEPT instead -g vmbrX-IN
-F tap110i0-OUT
-A tap110i0-OUT -m state --state INVALID -j DROP
-A tap110i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap110i0-OUT -m mac ! --mac-source 1E:0B:85:27:8D:65 -j DROP
-A tap110i0-OUT -p tcp --dport 80 -j vmbr1-IN
-A tap110i0-OUT -j GROUP-security1-OUT
-A tap110i0-OUT -m mark --mark 1 -g vmbr1-IN
-A tap110i0-OUT -j LOG --log-prefix "tap110i0-OUT-dropped: " --log-level 4
-A tap110i0-OUT -j DROP
-A tap110i0-OUT -m comment --comment "PVESIG:HerXUzZtoVII2KYJLJFdioAB2P4"
-F tap110i0-IN
-A tap110i0-IN -m state --state INVALID -j DROP
-A tap110i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap110i0-IN -p icmp -j ACCEPT
-A tap110i0-IN -j GROUP-security1-IN
-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN >> should be -j ACCEPT
-A tap110i0-IN -j LOG --log-prefix "tap110i0-IN-dropped: " --log-level 4
-A tap110i0-IN -j DROP
-A tap110i0-IN -m comment --comment "PVESIG:4Flp02aOZO/4fHWtkorB61XcVWo"
----- Mail original -----
De: "Alexandre DERUMIER" <aderumier at odiso.com>
À: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Envoyé: Mercredi 19 Février 2014 10:34:47
Objet: Re: [pve-devel] pvefw security group question
>>About your patches, iptables-restore hanging here for me:
>>
>>-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN
>>
>>any idea ? (settings mark in other chains works fine)
Oh, I think it's doing a loop, it should go to vmbr1-OUT
-A tap110i0-IN -m mark --mark 1 -g vmbr1-OUT
----- Mail original -----
De: "Alexandre DERUMIER" <aderumier at odiso.com>
À: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Envoyé: Mercredi 19 Février 2014 10:21:18
Objet: Re: [pve-devel] pvefw security group question
>>No, this is a miss-understanding.
>>
>>We need separate GROUP-IN and GROUP-OUT rules.
Ok :)
>>My question was if we should allow to apply them independently.
>>Currently, a VM can only use GROUP-IN for example.
>>
>>got it?
No, sorry :(
with my patches, we could already apply GROUP-IN in TAP-IN, and GROUP-OUT in TAP-OUT
only difference between out/in group was, -j PVEFW-BRIDGE-IN or -j ACCEPT.
(Not that with mark, it's improved, because we can jump directly to -j VMBRX-IN)
About your patches, iptables-restore hanging here for me:
-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN
any idea ? (settings mark in other chains works fine)
----- Mail original -----
De: "Dietmar Maurer" <dietmar at proxmox.com>
À: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Envoyé: Mercredi 19 Février 2014 09:51:15
Objet: RE: [pve-devel] pvefw security group question
> (But finally, you create GROUP-IN and GROUP-OUT rules ? I thinked you
> wanted common group rules)
No, this is a miss-understanding.
We need separate GROUP-IN and GROUP-OUT rules.
My question was if we should allow to apply them independently.
Currently, a VM can only use GROUP-IN for example.
got it?
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
More information about the pve-devel
mailing list