[pve-devel] firewall : cluster.fw [rules] section ?

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Fri Jul 4 15:12:49 CEST 2014


On 04.07.2014 15:07, Alexandre DERUMIER wrote:
>>> This is an ugly hack to show what I mean.
>>>
>>> ebtables hack: 
>>> http://pastebin.com/raw.php?i=LaLdg7nk 
> 
> Ok.
> 
> I'll keep the current logic,
> generate the rules and push them at the end
> 
> "ebtables --atomic-commit"
> 
> seems to work like iptables-save
> 
> also, keep the tapchain, something like
> 
> -A FORWARD -o tap110i0 -j tap110i0-OUT
>   -A tap110i0-OUT -s $macaddr -j ACCEPT   # if all protocols are allowed
>   -A tap110i0-OUT -p IPV4 -s $macaddr -j ACCEPT
>   -A tap110i0-OUT -p ARP -s $macaddr -j ACCEPT
>   -A tap110i0-OUT -j DROP

looks great

Stefan


> ----- Original Message -----
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Friday 4 July 2014 14:17:02
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
> 
> On 04.07.2014 13:50, Stefan Priebe - Profihost AG wrote:
>> On 04.07.2014 13:45, Alexandre DERUMIER wrote:
>>>>> What about ARP traffic? Someone can claim he is another mac in ARP. Even
>>>>> though ip traffic will then never reach the VM he still can tell via arp 
>>>>> that this vm is for example the GW. 
>>>
>>> Oh, ok, you are right ! 
>>>
>>> I'll make a patch for ebtables,it should be easy to implement. 
> 
> This is an ugly hack to show what I mean.
> 
> ebtables hack: 
> http://pastebin.com/raw.php?i=LaLdg7nk 
> 
> Stefan 
> 
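The per-tap ebtables chain sketched in the quoted message, written out as an added example; this is not code from this thread or from the Proxmox firewall. It generates the chain for one tap (ACCEPT IPv4 and ARP frames carrying the VM's own source MAC, DROP everything else, so a guest cannot spoof another MAC in IP traffic or in ARP replies), validates the MAC first, and pushes the result with ebtables' atomic-file workflow, which is what the thread compares to iptables-save/restore. The interface name tap110i0 and the MAC are constructed sample values, and the `-i` direction on the FORWARD jump is an assumption noted in the code.

```shell
#!/bin/sh
# Added example, not Proxmox code: build the per-tap ebtables chain from the
# thread as a shell function, validate the MAC it is given, and commit the
# result atomically instead of rule by rule.
# Interface name and MAC used below are constructed sample values.

# Refuse anything that is not a colon-separated 48-bit MAC, so a bad config
# value cannot turn "-s $mac" into a rule that silently matches nothing.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# gen_tap_out_rules TAP MAC
# Print one ebtables rule per line: a dedicated chain for the tap, a jump to
# it from FORWARD, ACCEPT for IPv4 and ARP frames with the VM's own source
# MAC, and a final DROP. Frames with any other source MAC or ethertype are
# dropped at layer 2 before they reach the rest of the bridge.
gen_tap_out_rules() {
    tap="$1"
    mac="$2"
    chain="${tap}-OUT"
    if ! valid_mac "$mac"; then
        echo "gen_tap_out_rules: invalid MAC '$mac'" >&2
        return 1
    fi
    printf '%s\n' "-N $chain"
    # Assumption: frames leaving the guest enter the bridge on the tap, which
    # ebtables sees as -i; the thread's sketch writes -o, so confirm which
    # side matches on your bridge layout before relying on it.
    printf '%s\n' "-A FORWARD -i $tap -j $chain"
    printf '%s\n' "-A $chain -p IPv4 -s $mac -j ACCEPT"
    printf '%s\n' "-A $chain -p ARP -s $mac -j ACCEPT"
    printf '%s\n' "-A $chain -j DROP"
}

# apply_tap_out_rules TAP MAC
# Stage every rule into an atomic file and load it in one step, so the kernel
# never sees a half-built chain. --atomic-init starts from an empty filter
# table, matching the thread's "generate the rules and push them at the end";
# use --atomic-save instead if you want to extend the table already loaded.
# Only runs where ebtables exists (needs root).
apply_tap_out_rules() {
    tap="$1"
    mac="$2"
    command -v ebtables >/dev/null 2>&1 || { echo "ebtables not found" >&2; return 1; }
    atomic="$(mktemp)" || return 1
    ebtables --atomic-file "$atomic" --atomic-init || { rm -f "$atomic"; return 1; }
    gen_tap_out_rules "$tap" "$mac" | while IFS= read -r rule; do
        # $rule is intentionally word-split into ebtables arguments
        # shellcheck disable=SC2086
        ebtables --atomic-file "$atomic" $rule || exit 1
    done || { rm -f "$atomic"; return 1; }
    ebtables --atomic-file "$atomic" --atomic-commit
    rc=$?
    rm -f "$atomic"
    return $rc
}

# Dry run, safe anywhere: print the ruleset for a constructed tap and MAC.
gen_tap_out_rules tap110i0 52:54:00:12:34:56
```

The generator is kept separate from the apply step so the ruleset can be inspected or diffed before it is committed; only `apply_tap_out_rules` touches the kernel, and it does so in a single `--atomic-commit`.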


