[pve-devel] firewall : cluster.fw [rules] section ?
Alexandre DERUMIER
aderumier at odiso.com
Fri Jul 4 15:07:16 CEST 2014
>>This is an ugly hack to show what i mean.
>>
>>ebtables hack:
>>http://pastebin.com/raw.php?i=LaLdg7nk
Ok.
I'll keep the current logic,
generate the rules and push them at the end
"ebtables --atomic-commit"
seems to work like iptables-save
also, keep the tapchain, something like
-A FORWARD -o tap110i0 -j tap110i0-OUT
-A tap110i0-OUT -s $macaddr -j ACCEPT #if all protocol are allowed
-A tap110i0-OUT -p IPV4 -s $macaddr -j ACCEPT
-A tap110i0-OUT -p ARP -s $macaddr -j ACCEPT
-A tap110i0-OUT -j DROP
----- Original Message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Friday 4 July 2014 14:17:02
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
On 04.07.2014 13:50, Stefan Priebe - Profihost AG wrote:
> On 04.07.2014 13:45, Alexandre DERUMIER wrote:
>>>> What about ARP traffic? Someone can claim he is another mac in ARP. Even
>>>> though ip traffic will then never reach the VM he still can tell via arp
>>>> that this vm is for example the GW.
>>
>> Oh, ok, you are right !
>>
>> I'll make a patch for ebtables, it should be easy to implement.
This is an ugly hack to show what i mean.
ebtables hack:
http://pastebin.com/raw.php?i=LaLdg7nk
Stefan
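The per-tap chain sketched in Alexandre's reply, as an added example that is not code from this thread or from pve-firewall: it builds the rule list for one VM interface and walks a frame through it the way ebtables would. It assumes the chain is hooked on frames entering the bridge from the tap (-i), the direction in which the VM's source MAC can be checked (the mail's sketch writes -o), and uses a constructed tap name and MAC.

```python
# Constructed example: generate the per-tap ebtables chain from the mail and
# simulate its verdict for frames a VM sends into the bridge.

def tap_chain_rules(tap, mac, allow_all=False):
    """ebtables rules for one VM interface (assumption: hooked with -i).
    Only the Ethernet source MAC is checked here; the sender hardware address
    inside the ARP payload is a separate ebtables match (--arp-mac-src)."""
    chain = f"{tap}-OUT"
    rules = [f"-A FORWARD -i {tap} -j {chain}"]
    if allow_all:                       # all protocols allowed: one MAC check
        rules.append(f"-A {chain} -s {mac} -j ACCEPT")
    else:                               # only IPv4 and ARP from the VM's MAC
        rules.append(f"-A {chain} -p IPv4 -s {mac} -j ACCEPT")
        rules.append(f"-A {chain} -p ARP -s {mac} -j ACCEPT")
    rules.append(f"-A {chain} -j DROP")  # everything else, spoofed MACs included
    return rules


def _parse(rule):
    """'-A CHAIN [-i IF] [-p PROTO] [-s MAC] -j TARGET' -> match dict."""
    tok = rule.split()
    spec = {"chain": tok[1], "target": tok[tok.index("-j") + 1]}
    for flag, key in (("-i", "iif"), ("-p", "proto"), ("-s", "src")):
        if flag in tok:
            spec[key] = tok[tok.index(flag) + 1].lower()
    return spec


def verdict(rules, iif, proto, src_mac):
    """Verdict for a frame (ingress interface, ethertype name, source MAC)."""
    specs = [_parse(r) for r in rules]
    frame = {"iif": iif.lower(), "proto": proto.lower(), "src": src_mac.lower()}

    def walk(chain):
        for s in (x for x in specs if x["chain"] == chain):
            if all(frame[k] == s[k] for k in ("iif", "proto", "src") if k in s):
                if s["target"] in ("ACCEPT", "DROP"):
                    return s["target"]
                res = walk(s["target"])   # jump into the per-tap chain
                if res is not None:
                    return res
        return None                       # fell off the chain: policy decides

    return walk("FORWARD") or "ACCEPT"    # assume the default policy is ACCEPT


if __name__ == "__main__":
    rs = tap_chain_rules("tap110i0", "52:54:00:12:34:56")   # constructed values
    print("\n".join(rs))
    print(verdict(rs, "tap110i0", "ARP", "52:54:00:aa:bb:cc"))  # spoofed MAC: DROP
```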