[pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces
Alexandre DERUMIER
aderumier at odiso.com
Thu Feb 27 09:46:47 CET 2014
> -A vmbr0-FW -m mark --mark 1 -j ACCEPT
>>This is what we have currently. But this blocks traffic to 'unmanaged' tap devices (VMs with no firewall)
Yes, indeed, because we don't mark unmanaged taps, so they can't go to the ACCEPT.
>>So we would have:
>>
>>-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
>>-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
>>-A vmbr0-FW -m mark --mark 1 -j ACCEPT
>>-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT
>>
>>But what exactly is the differenc to the original solution?
>>
>>-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
>>-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
>>-A vmbr0-FW -j ACCEPT
>>
>>Can you see/explain the difference?
>>-A vmbr0-FW -m mark --mark 1 -j ACCEPT
ACCEPT for managed tap rules
>>-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT
ACCEPT for other interfaces (unmanaged tap or ethx), but this is only for outgoing packets for ethX (bridge->eth) or incoming packets for unmanaged tap (bridge->tap)
I don't remember: why can't we simply use
-A vmbr0-FW -j ACCEPT? (instead of -A vmbr0-FW -m mark --mark 1 -j ACCEPT)
For managed taps, if we don't have a DROP in the tap chains, we should accept when returning to vmbr0-FW.
For unmanaged taps or ethX, we should ACCEPT in any case at the end of vmbr0-FW too.
----- Original Mail -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 27 February 2014 08:53:50
Subject: RE: [pve-devel] [PATCH 2/2] bridge rules : -j ACCEPT for physical interfaces
I am still confused about those bridge chains:
> > -A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
> > -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
> > -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT (maybe this is better ?)
>
> After my change, I guess we need to add such a rule additionally:
>
> -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
> -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
> -A vmbr0-FW -m mark --mark 1 -j ACCEPT
This is what we have currently. But this blocks traffic to 'unmanaged' tap devices (VMs with no firewall)
> -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT
Seems to solve that.
So we would have:
-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0-FW -m mark --mark 1 -j ACCEPT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT
But what exactly is the difference to the original solution?
-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
-A vmbr0-FW -j ACCEPT
Can you see/explain the difference?
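The three vmbr0-FW variants compared in this thread, as an added simulation that is not Proxmox firewall code: it walks constructed bridged frames through the chain with the current mark-only ACCEPT, with the extra `--physdev-is-out` ACCEPT, and with the unconditional ACCEPT, and reports the verdict each variant produces. The port names tap100i0, tap101i0 and eth0, the MANAGED_TAPS set, and the modelled behaviour of the per-tap chains (mark allowed packets with 1, DROP denied ones, leave unmanaged ports untouched) are my assumptions for the example, not something the thread specifies.

```python
# Added simulation (not Proxmox code) of packet traversal through the
# vmbr0-FW chain variants discussed in the thread. Chain names and rule order
# come from the thread; per-tap chain behaviour is an assumption noted below.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union


@dataclass
class Packet:
    physdev_in: str                      # bridge port the frame arrived on (eth or tap)
    physdev_out: str                     # bridge port the frame will leave on
    allowed_by_tap_policy: bool = True   # constructed stand-in for the managed tap's own rules
    mark: int = 0


# Assumption: the firewall "manages" only the taps it has generated rules for.
MANAGED_TAPS = {"tap100i0"}

Verdict = Optional[str]                  # "ACCEPT", "DROP" or None (= RETURN to caller)
Chain = Callable[[Packet], Verdict]
Rule = Tuple[Callable[[Packet], bool], Union[str, Chain]]


def is_bridged(p: Packet) -> bool:
    """--physdev-is-bridged: the frame is forwarded between two bridge ports."""
    return bool(p.physdev_in and p.physdev_out)


def tap_dispatch(p: Packet, port: str) -> Verdict:
    """Model of vmbr0-IN / vmbr0-OUT for one port. Assumption (the thread says
    unmanaged taps are never marked): a managed tap's chain DROPs denied packets
    and sets mark 1 on allowed ones; any other port is left untouched."""
    if port not in MANAGED_TAPS:
        return None
    if not p.allowed_by_tap_policy:
        return "DROP"
    p.mark = 1
    return None


def run_chain(rules: List[Rule], p: Packet) -> Verdict:
    """Evaluate rules in order. A jump target returning None means RETURN, so
    evaluation continues with the next rule. Falling off the end returns None:
    the verdict is left to the calling chain, which the thread reports is what
    blocks traffic to unmanaged taps with the current rules."""
    for match, target in rules:
        if not match(p):
            continue
        if callable(target):
            verdict = target(p)
            if verdict is not None:
                return verdict
        else:
            return target
    return None


# The two jump rules common to every variant in the thread.
BASE: List[Rule] = [
    # -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-in -j vmbr0-OUT
    (lambda p: is_bridged(p) and bool(p.physdev_in), lambda p: tap_dispatch(p, p.physdev_in)),
    # -A vmbr0-FW -m physdev --physdev-is-bridged --physdev-is-out -j vmbr0-IN
    (lambda p: is_bridged(p) and bool(p.physdev_out), lambda p: tap_dispatch(p, p.physdev_out)),
]
# -A vmbr0-FW -m mark --mark 1 -j ACCEPT
CURRENT: List[Rule] = BASE + [(lambda p: p.mark == 1, "ACCEPT")]
# ... plus -A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j ACCEPT
PATCHED: List[Rule] = CURRENT + [(lambda p: is_bridged(p) and bool(p.physdev_out), "ACCEPT")]
# -A vmbr0-FW -j ACCEPT
ORIGINAL: List[Rule] = BASE + [(lambda p: True, "ACCEPT")]


def verdicts(physdev_in: str, physdev_out: str, allowed: bool = True) -> dict:
    """Run the same frame through all three variants, with a fresh Packet each time."""
    out = {}
    for name, rules in (("current", CURRENT), ("patched", PATCHED), ("original", ORIGINAL)):
        out[name] = run_chain(rules, Packet(physdev_in, physdev_out, allowed))
    return out


if __name__ == "__main__":
    # Constructed frames: to a managed tap, to an unmanaged tap, from an
    # unmanaged tap towards ethX, and one a managed tap's policy denies.
    for case in (("eth0", "tap100i0"), ("eth0", "tap101i0"),
                 ("tap101i0", "eth0"), ("eth0", "tap100i0", False)):
        print(case, verdicts(*case))
```

Running it shows the point the thread turns on: frames to or from the unmanaged tap101i0 get no verdict from the current variant but are accepted by the other two, while a frame the managed tap's policy denies is dropped by all three before any trailing ACCEPT is reached.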