[pve-devel] RFC : iptables implementation
Dietmar Maurer
dietmar at proxmox.com
Wed Jan 22 07:10:39 CET 2014
> >>How would you present that to the user (how would you design a GUI for
> that)?
> I see 2 parts:
>
> 1 firewall tab on the vm
> in this tab, we can associate security groups for incoming rules and outgoing
> rules by network interface
>
> [INCOMING RULES]
> net0 security1
> net0 security2
>
> [OUTGOING RULES]
> net1 security3
> .....
OK. But maybe we can allow normal rules also? And
use the existing format (pve-firewall/example/100.fw):
------------------
[GROUPS]
security1
security2
[IN]
SSH(ACCEPT) net0 192.168.2.192 -
[OUT]
DNS(ACCEPT) net0
------------------
> maybe some special checkbox to enable anti-spoofing rule
>
>
> 1 new tab/form to manage rules/security groups.
> I would like to be able to use sames rules on differents vm, so I don't known
> where to put this form ?
> In the datacenter ?
yes
> I think this rules should be shared inside a pool. (PVEPool permissions to
> manage theses rules ?)
> What do you think ?
We use an extra file to store Security Grougs: /etc/pve/firewall/groups.fw
----------groups.fw-example-----------
[IN:<groupname>:<pool>]
SSH(ACCEPT) net0 192.168.2.192 -
[OUT:<groupname>:<pool>]
...
--------------------
So we can store 'global' groups (no pool specified) an pool related groups.
I am sure we find a way to handle permissions for that.
> in this tab, we can edit rules with
>
> source : ip / iprange / mac (or vmid-netX, and we translate it to macaddress
> later) / other security group
> destination : ip / iprange / mac (or vmid-netX, and we translate it to macaddress
> later) / other security group
> source port : port, portlist(1,2,3) , port range
> destination port : portnum, portlist(1,2,3) / port range / port from /etc/services
> protocol : tcp/udp/...
> action : ACCEPT/DROP
>
> Maybe add some "macros/wizard", for procotol like dhcp : -p udp --dport 67:68
> --sport 67:68 or icmp (-p icmp --icmp-type 0, -p icmp --icmp-type 8)
I think this should be exactly the same as the firewall tab on the VM.
You just edit the rules for a 'security group' instead of VM specific rules.
> >>What configuration files do we need for that (syntax)?
>
> 1 config file by vm (we can reuse /etc/pve/firewall/VMID.fw
>
> [IN]
> net0 security1
> net0 security2
> [OUT]
> net1 security3
>
> we can use inotify to regenerate interface chains on each proxmox host
>
>
> 1 config file for security group. (or 1 file by pool? don't known)
One file is enough (see above /etc/pve/firewall/groups.fw)
> [SECURITY1]
> src=xxx dst=xxx sport=xxx dport=xxx proto=xxx action=xxx
>
> [SECURITY]
> src=xxx dst=xxx sport=xxx dport=xxx proto=xxx action=xxx
>
>
>
> >>And can we easily implement that with OVS (stateless)?
> Really, I really don't known for the moment. But it could be possible to
> implemented it later,as config files are simple.
>
> Another possibility, is to do like openstack with "hybrid mode".
> You have a central ovs (manage vlan, netflow,...), then 1 bridge for each tap
> interface plugged to ovs.
> Like this it's possible to manage iptable rules on theses bridge.
I am not sure if you are aware of all iptables restrictions for bridge ports (physdev match).
For a short intro read: http://www.shorewall.net/bridge-Shorewall-perl.html
But I have no idea if you hit that problem at all.
More information about the pve-devel
mailing list