[pve-devel] firewall : cluster.fw [rules] section ?

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Fri Jul 4 10:55:58 CEST 2014


On 19.06.2014 07:50, Alexandre DERUMIER wrote:
>>> But I don't see anywhere in the code where these rules are generated?
>
> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at the same level as blacklist.
>
> (and maybe make the blacklist ipset more generic, if we can create a rule with blacklist)
>
> also, I just found that ipset provides a net,iface hash
>
> ipset create foo hash:net,iface
> ipset add foo 192.168.0/24,eth0
> ipset add foo 10.1.0.0/16,eth1
> ipset test foo 192.168.0/24,eth0
>
> maybe we can use it to implement ipfilter at cluster level?

The main problem is that iptables is only layer 3. What about layer 2 IP / MAC
spoofing?


Stefan

> ----- Original Message -----
>
> From: "Alexandre DERUMIER" <aderumier at odiso.com>
> To: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Thursday 19 June 2014 06:09:15
> Subject: [pve-devel] firewall : cluster.fw [rules] section ?
>
> Hi,
> I see a [rules] section in cluster.fw,
>
> But I don't see anywhere in the code where these rules are generated?
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
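To make the hash:net,iface proposal and Stefan's layer-3 objection concrete, here is a small pure-Python model of such a set (an added example, not Proxmox or ipset code): it answers the same (source network, incoming interface) membership question that `ipset test foo 192.168.0/24,eth0` or `-m set --match-set foo src,src` would, using the entries from the mail as constructed sample data. The set name `foo` and the interface names come from the thread; the `NetIfaceSet` class and `build_thread_set` helper are assumptions of this example.

```python
import ipaddress

class NetIfaceSet:
    """Pure-Python model of `ipset create NAME hash:net,iface` (added example,
    not Proxmox code): membership is (source network, incoming interface)."""

    def __init__(self, name):
        self.name = name
        self._entries = []  # list of (IPv4Network, iface)

    @staticmethod
    def _parse_net(text):
        # ipset accepts the shorthand "192.168.0/24" used in the mail;
        # ipaddress does not, so pad missing octets with zeros first.
        addr, _, prefix = text.partition("/")
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        return ipaddress.ip_network(".".join(octets) + "/" + (prefix or "32"), strict=False)

    def add(self, entry):
        """Same argument form as `ipset add NAME net,iface`."""
        net, iface = entry.split(",", 1)
        self._entries.append((self._parse_net(net), iface))

    def test(self, ip, iface):
        """What `ipset test NAME ip,iface` (or `-m set --match-set NAME src,src`)
        answers: address inside an entry's net AND seen on that entry's iface.
        Only layer-3 data is consulted: a forged MAC is invisible here."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net and iface == i for net, i in self._entries)

    def restore_lines(self):
        """Batch a rule generator would feed to `ipset restore`."""
        return [f"create {self.name} hash:net,iface"] + [
            f"add {self.name} {net},{i}" for net, i in self._entries]

def build_thread_set():
    """The set from the mail, as constructed sample data."""
    s = NetIfaceSet("foo")
    s.add("192.168.0/24,eth0")
    s.add("10.1.0.0/16,eth1")
    return s

if __name__ == "__main__":
    s = build_thread_set()
    print("\n".join(s.restore_lines()))
    # A 192.168.0.x source arriving on eth1 does not match the set.
    print(s.test("192.168.0.5", "eth0"), s.test("192.168.0.5", "eth1"))
```

A listed address arriving on the wrong interface fails the match, which is the per-interface source filtering the thread is after; a forged MAC behind a listed address on the right interface still matches, which is the gap Stefan points out.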