[pve-devel] firewall : cluster.fw [rules] section ?
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Fri Jul 4 15:12:49 CEST 2014
On 04.07.2014 15:07, Alexandre DERUMIER wrote:
>>> This is an ugly hack to show what I mean.
>>>
>>> ebtables hack:
>>> http://pastebin.com/raw.php?i=LaLdg7nk
>
> Ok.
>
> I'll keep the current logic,
> generate the rules and push them at the end
>
> "ebtables --atomic-commit"
>
> seems to work like iptables-save
>
> also, keep the tapchain, something like
>
> -A FORWARD -o tap110i0 -j tap110i0-OUT
> -A tap110i0-OUT -s $macaddr -j ACCEPT #if all protocol are allowed
> -A tap110i0-OUT -p IPV4 -s $macaddr -j ACCEPT
> -A tap110i0-OUT -p ARP -s $macaddr -j ACCEPT
> -A tap110i0-OUT -j DROP
looks great
Stefan
> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Friday 4 July 2014 14:17:02
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>
> On 04.07.2014 13:50, Stefan Priebe - Profihost AG wrote:
>> On 04.07.2014 13:45, Alexandre DERUMIER wrote:
>>>>> What about ARP traffic? Someone can claim he is another MAC in ARP. Even
>>>>> though IP traffic will then never reach the VM, he still can tell via ARP
>>>>> that this VM is for example the GW.
>>>
>>> Oh, ok, you are right!
>>>
>>> I'll make a patch for ebtables, it should be easy to implement.
>
> This is an ugly hack to show what I mean.
>
> ebtables hack:
> http://pastebin.com/raw.php?i=LaLdg7nk
>
> Stefan
>
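The per-tap ebtables chain sketched in the thread, as an added example that is not part of the original mail or of pve-firewall: a POSIX sh script that validates the guest MAC, generates the chain (IPv4 and ARP accepted only with the guest's own source MAC, everything else dropped), and stages the rules through an ebtables atomic file so they land in one --atomic-commit. The tap name tap110i0, the MAC 52:54:00:12:34:56, the staging path, and matching on the input interface (-i) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the pve-devel thread or from pve-firewall:
# build the per-tap ebtables anti-spoofing chain sketched above and stage
# it in an atomic file so the kernel sees it only via one --atomic-commit.
set -eu

# Path of the staging file; an example default, not a Proxmox path.
ATOMIC_FILE=${ATOMIC_FILE:-/tmp/ebtables.atomic}
# DRY_RUN=1 (default) prints the ebtables commands instead of running them.
DRY_RUN=${DRY_RUN:-1}
# Accept only a colon-separated unicast MAC, so a typo in the VM config
# cannot silently become a rule that matches nothing or everything.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    first=$(printf '%s' "$1" | cut -c1-2)
    [ $(( 0x$first & 1 )) -eq 0 ]   # bit 0 of the first octet set = group address
}

# Print the rules for one VM NIC: tap name and its configured MAC.
# Assumption (mine, not the thread's): frames sent by the guest enter the
# bridge on the tap, so the jump matches the input interface (-i).
gen_tap_rules() {
    tap=$1; mac=$2; chain="$1-OUT"
    valid_mac "$mac" || { echo "invalid MAC for $tap: $mac" >&2; return 1; }
    printf -- '-N %s\n' "$chain"
    printf -- '-A FORWARD -i %s -j %s\n' "$tap" "$chain"
    # Only IPv4 and ARP frames carrying the guest's own source MAC pass, so
    # the guest cannot answer ARP on behalf of the gateway or another host.
    printf -- '-A %s -p IPv4 -s %s -j ACCEPT\n' "$chain" "$mac"
    printf -- '-A %s -p ARP -s %s -j ACCEPT\n' "$chain" "$mac"
    printf -- '-A %s -j DROP\n' "$chain"
}

# Run (or, in dry-run mode, print) one ebtables command against the atomic file.
eb() {
    if [ "$DRY_RUN" = 1 ]; then echo ebtables --atomic-file "$ATOMIC_FILE" "$@"
    else ebtables --atomic-file "$ATOMIC_FILE" "$@"; fi
}

# Read generated rules on stdin, stage them, and swap the table in once.
apply_atomic() {
    eb --atomic-init
    while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of our own rule text is intended
        eb $rule
    done
    eb --atomic-commit
}
gen_tap_rules tap110i0 52:54:00:12:34:56 | apply_atomic
```

Run with DRY_RUN=0 on a host with ebtables to actually stage and commit the table; in the default dry run the script only prints the commands it would issue.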