[pve-devel] firewall : cluster.fw [rules] section ?
Alexandre DERUMIER
aderumier at odiso.com
Fri Jul 4 11:03:17 CEST 2014
>>Main problem is that iptables is only layer3. What about layer2 IP / mac
>>spoofing?
yes, MAC filtering needs to be done like currently, in tapchain.
(layer2 IP ????)
----- Original Message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Friday, 4 July 2014 10:55:58
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
On 19.06.2014 07:50, Alexandre DERUMIER wrote:
>>>> But I don't see anywhere in the code where these rules are generated?
>
> I think we could create a PVEFW-cluster-IN|OUT chain, and put it at the same level as blacklist.
>
> (and maybe make the blacklist ipset more generic, if we can create a rule with blacklist)
>
> also, I just found that ipset provides a net,iface hash
>
> ipset create foo hash:net,iface
> ipset add foo 192.168.0/24,eth0
> ipset add foo 10.1.0.0/16,eth1
> ipset test foo 192.168.0/24,eth0
>
> maybe we can use it to implement ipfilter at cluster level?
Main problem is that iptables is only layer3. What about layer2 IP / mac
spoofing?
Stefan
> ----- Original Message -----
>
> From: "Alexandre DERUMIER" <aderumier at odiso.com>
> To: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Thursday, 19 June 2014 06:09:15
> Subject: [pve-devel] firewall : cluster.fw [rules] section ?
>
> Hi,
> I see in cluster.fw a [rules] section,
>
> But I don't see anywhere in the code where these rules are generated?
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
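As an added example (not code from this thread or from Proxmox VE itself): a POSIX shell script that turns a constructed list of `net,iface` entries into `ipset restore` input for a `hash:net,iface` set, together with the single iptables rule that drops forwarded packets whose source address and ingress interface are not a listed pair. This is the layer 3 "ipfilter at cluster level" idea from the quoted mail, written so the allow-list can be reviewed as text before anything is loaded. The set name `pve_cluster_ipfilter`, the two subnet/interface pairs and the use of the FORWARD chain are assumptions; it does nothing for layer 2, so MAC filtering stays in the tap chain as the reply says.

```shell
#!/bin/sh
# Added example, not from the pve-devel thread or the Proxmox firewall code.
# Emits `ipset restore` input for a hash:net,iface set plus the iptables rule
# that uses it. Nothing here calls ipset or iptables; the output is meant to
# be reviewed and then piped into `ipset restore` / applied by an operator.

# Assumed set name (not an existing Proxmox set or chain name).
SET_NAME="pve_cluster_ipfilter"

# Constructed allow-list: "which source subnet may enter on which interface".
# One <cidr>,<iface> pair per whitespace-separated word.
ENTRIES="192.168.0.0/24,eth0
10.1.0.0/16,eth1"

# Reject anything that is not "<cidr>,<iface>", so a typo cannot silently
# turn into an over-broad or empty match. Returns 0 when well-formed.
entry_is_valid() {
    case "$1" in
        */[0-9]*,[a-zA-Z]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print `ipset restore` input: one create line, then one add per entry.
# -exist makes re-running the script idempotent. Fails (non-zero, nothing
# printed) if any entry is malformed.
build_ipset_restore() {
    for entry in $ENTRIES; do
        entry_is_valid "$entry" || { echo "bad entry: $entry" >&2; return 1; }
    done
    printf 'create %s hash:net,iface -exist\n' "$SET_NAME"
    for entry in $ENTRIES; do
        printf 'add %s %s -exist\n' "$SET_NAME" "$entry"
    done
}

# Print the iptables rule. For a hash:net,iface set the match flags are
# "src,src": the packet's source address is looked up against the net part
# and its ingress interface against the iface part of each entry. The "!"
# inverts the set match, so only (source, interface) pairs that are NOT on
# the allow-list are dropped; listed pairs fall through to later rules.
build_iptables_rules() {
    printf 'iptables -A FORWARD -m set ! --match-set %s src,src -j DROP\n' "$SET_NAME"
}

# Running the file prints both parts for review, e.g.:
#   sh ipfilter.sh            (inspect)
#   build_ipset_restore | ipset restore   (apply, by an operator)
build_ipset_restore && build_iptables_rules
```

Because the set is keyed on the ingress interface as well as the subnet, a packet claiming a 10.1.0.0/16 source but arriving on eth0 is dropped even though 10.1.0.0/16 is in the set, which is the property that makes `hash:net,iface` useful for per-interface source filtering rather than a plain blacklist.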