[pve-devel] RFC : iptables implementation
Dietmar Maurer
dietmar at proxmox.com
Wed Jan 22 19:30:23 CET 2014
I am also concerned about this:
--quote-shorewall-docs--
As described above, Shorewall bridge support requires the physdev match feature of Netfilter/iptables. Physdev match allows rules to be triggered based on the bridge port that a packet arrived on and/or the bridge port that a packet will be sent over. The latter has proved to be problematic because it requires that the evaluation of rules be deferred until the destination bridge port is known. This deferral has the unfortunate side effect that it makes IPSEC Netfilter filtration incompatible with bridges. To work around this problem, in kernel version 2.6.20 the Netfilter developers decided to remove the deferred processing in two cases:
When a packet being sent through a bridge entered the firewall on another interface and was being forwarded to the bridge.
When a packet originating on the firewall itself is being sent through a bridge.
Notice that physdev match was only weakened with respect to the destination bridge port -- it remains fully functional with respect to the source bridge port.
--end-quote--
I above is right, things will not work as expected.
> -----Original Message-----
> From: pve-devel-bounces at pve.proxmox.com [mailto:pve-devel-
> bounces at pve.proxmox.com] On Behalf Of Dietmar Maurer
> Sent: Mittwoch, 22. Jänner 2014 19:14
> To: Alexandre DERUMIER
> Cc: pve-devel
> Subject: Re: [pve-devel] RFC : iptables implementation
>
> Well, we also need to have rules for traffic unrelated to VMs., i.e from and to
> the host.
>
> > > don't known if it's better than
> >
> > >>Above would only handle traffic originated from a VM and skip
> > >>traffic from
> > outside (eth0)?
> >
> > maybe. I think we shouldn't filter from ethX, because outside can be
> > also other hosts with others vm.
> > (Or maybe users want to add some custom rules on ethX to protect the
> > host itself, like this it doesn't conflict with openstack rules)
> >
> >
> > also,maybe they are doing like this to add later some custom rules
> > before the ACCEPT.
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
More information about the pve-devel
mailing list