[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Fri Jul 4 15:07:16 CEST 2014


>>This is an ugly hack to show what i mean. 
>>
>>ebtables hack: 
>>http://pastebin.com/raw.php?i=LaLdg7nk 

Ok.

I'll keep the current logic,
generate the rules and push them at the end

"ebtables --atomic-commit"

seems to work like iptables-save

also, keep the tap chain, something like

-A FORWARD -o tap110i0 -j tap110i0-OUT
-A tap110i0-OUT -s $macaddr -j ACCEPT   # if all protocols are allowed
-A tap110i0-OUT -p IPV4 -s $macaddr -j ACCEPT
-A tap110i0-OUT -p ARP -s $macaddr -j ACCEPT
-A tap110i0-OUT -j DROP




----- Original message -----

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Friday 4 July 2014 14:17:02
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?

On 04.07.2014 13:50, Stefan Priebe - Profihost AG wrote:
> On 04.07.2014 13:45, Alexandre DERUMIER wrote:
>>>> What about ARP traffic? Someone can claim he is another mac in ARP. Even
>>>> though ip traffic will then never reach the VM he still can tell via arp
>>>> that this vm is for example the GW.
>>
>> Oh, ok, you are right !
>>
>> I'll make a patch for ebtables, it should be easy to implement.

This is an ugly hack to show what I mean.

ebtables hack:
http://pastebin.com/raw.php?i=LaLdg7nk

Stefan 


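As an added example (not code from this thread or from pve-firewall), a POSIX shell script that generates the per-tap ebtables chain sketched above and pushes the whole table with the ebtables atomic-file mechanism. It assumes legacy ebtables and root on the host; the tap name and MAC are constructed, the chain is hooked on `-i` (frames entering the bridge from the VM) rather than `-o`, and the ARP rule adds `--arp-mac-src` so the sender MAC inside the ARP payload, which the Ethernet source-MAC match alone does not cover, is pinned to the VM's MAC as well.

```shell
#!/bin/sh
# Added example, not code from the thread or from pve-firewall.
# Per-tap ebtables chain: only frames whose Ethernet source is the VM's
# own MAC may leave the tap, for IPv4 and ARP; everything else is dropped.
# Assumes legacy ebtables on the host and root for apply_tap_rules.

# gen_tap_rules IFACE MAC [yes]: print the rules (one per line, without the
# leading "ebtables"). Third argument "yes" allows all protocols from the MAC.
gen_tap_rules() {
    iface="$1"; mac="$2"; allow_all="${3:-no}"
    chain="${iface}-OUT"
    printf '%s\n' "-N $chain"
    # -i: frames entering the bridge from the VM (assumption; thread used -o)
    printf '%s\n' "-A FORWARD -i $iface -j $chain"
    if [ "$allow_all" = "yes" ]; then
        printf '%s\n' "-A $chain -s $mac -j ACCEPT"   # all protocols allowed
    else
        printf '%s\n' "-A $chain -p IPv4 -s $mac -j ACCEPT"
        # --arp-mac-src also pins the sender MAC inside the ARP payload, which
        # the Ethernet source match alone does not check (the spoofing case
        # raised in the thread)
        printf '%s\n' "-A $chain -p ARP -s $mac --arp-mac-src $mac -j ACCEPT"
    fi
    printf '%s\n' "-A $chain -j DROP"
}

# apply_tap_rules IFACE MAC: build the whole filter table in an atomic file
# and commit it in one step, so the kernel never sees a half-built ruleset.
# Note: --atomic-init starts from an empty table, so the commit replaces
# every existing filter rule, not just this tap's chain.
apply_tap_rules() {
    iface="$1"; mac="$2"
    atomic="/var/tmp/ebtables-$iface.atomic"   # constructed path
    ebtables --atomic-file "$atomic" --atomic-init
    gen_tap_rules "$iface" "$mac" | while IFS= read -r rule; do
        # word splitting of $rule is intended: it holds whitespace-separated args
        ebtables --atomic-file "$atomic" $rule
    done
    ebtables --atomic-file "$atomic" --atomic-commit
    rm -f "$atomic"
}

# usage (as root): apply_tap_rules tap110i0 52:54:00:12:34:56   # constructed values
```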