[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Thu Jan 23 09:20:55 CET 2014 

By the way, I understand now why they are doing this:

-A proxmoxfw-FORWARD -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tapchains
-A proxmoxfw-FORWARD -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tapchains
-A proxmoxfw-FORWARD -m physdev --physdev-out tap115i0 --physdev-is-bridged -j tapchains
-A proxmoxfw-FORWARD -m physdev --physdev-in tap115i0 --physdev-is-bridged -j tapchains


-A tapchains -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tap110i0-IN
-A tapchains -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT
-A tapchains -m physdev --physdev-out tap115i0 --physdev-is-bridged -j tap115i0-IN
-A tapchains -m physdev --physdev-in tap115i0 --physdev-is-bridged -j tap115i0-OUT
-A tapchains -J ACCEPT



This is to test rules from sources tap and all targets tap rules, and do the accept when both have matched



----- Mail original ----- 

De: "Alexandre DERUMIER" <aderumier at odiso.com> 
À: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Jeudi 23 Janvier 2014 08:39:50 
Objet: Re: [pve-devel] RFC : iptables implementation 

>>But the other direction does not work (HOST to VM). 

>>Maybe no big problem unless the user assigns IP addresses to multiple bridges. 

I'll do test today. Because I known openstack can use dhcpd from host, with different bridges + ip, 
and they have dhcp inbound rules for the tap interfaces. 

I'll try to make a sample of rules for 

internet->host 
host->internet 
host->tap 
tap->host 
tap->tap 



----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Jeudi 23 Janvier 2014 07:11:48 
Objet: RE: [pve-devel] RFC : iptables implementation 

> They also add an -input rules for outgoing packet from tap. (I think this for from 
> tap to host) 
> 
> 
> -A INPUT -j proxmoxfw-chain-INPUT 
> -A FORWARD -m physdev --physdev-out tap100i0 --physdev-is-bridged -j 
> proxmoxfw-chain 
> -A FORWARD -m physdev --physdev-in tap100i0 --physdev-is-bridged -j 
> proxmoxfw-chain 
> 
> >> -A proxmoxfw-chain-INPUT -m physdev --physdev-in tap110i0 --physdev-is- 
> bridged -j tap110i0-OUT 

So we can filter from VM to HOST correctly - that conforms to the docs. 

But the other direction does not work (HOST to VM). 

Maybe no big problem unless the user assigns IP addresses to multiple bridges. 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

More information about the pve-devel mailing list