[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Sun Jul 6 15:16:43 CEST 2014


I just tried to build libnftnl-dev and nftables from jessie, and it seems to work fine:


load rules (aka iptables-restore)
# nft -f /etc/nftables/ipv4-filter

save rules (aka iptables-save)
# nft list table filter
table ip filter {
	chain input {
		 type filter hook input priority 0;
	}

	chain forward {
		 type filter hook forward priority 0;
	}

	chain output {
		 type filter hook output priority 0;
	}
}
----- Original Message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Sunday 6 July 2014 14:13:43
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?

Also, I think the most interesting feature of nftables is vmap:

http://people.netfilter.org/wiki-nftables/index.php/Dictionaries 


So it seems possible to jump directly to the VM tap chain, which would be a big performance improvement in our case!


Something like (not sure about the syntax):


table ip filter {
	chain forward {
		type filter hook forward priority 0;
		meta oifname vmap { tap100i0 : jump tap100i0-chain, tap200i0 : jump tap200i0-chain, tap300i0 : jump tap300i0-chain }
	}

	chain tap100i0-chain {
	}

	chain tap200i0-chain {
	}

	chain tap300i0-chain {
	}
}


Also, ipset seems to be native:

nft add set global myipset { type ipv4_address\;} 
nft add element global myipset { 192.168.3.4 } 
nft add element global myipset { 192.168.1.4, 192.168.1.5 } 




I think we could try to manage a

$ruleset->{nftables}

in parallel with the current iptables, ip6tables, ebtables

and do the switch (next year?) when we are sure that the stability/features of nftables are ok.
(I think Red Hat will remove the tech preview in RHEL 7.1 or 7.2)




----- Original Message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Sunday 6 July 2014 12:07:21
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?

>>Looks good, but I think we should evaluate nftables now (instead of using all those different binaries). 
>>I have no idea if it is already usable? 

Available since RHEL 7 RC2, but it's a tech preview.

nftables has just been tagged v0.3:
http://git.netfilter.org/nftables/log/


And the only doc I found is
https://home.regit.org/netfilter-en/nftables-quick-howto/



----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>, "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
Sent: Sunday 6 July 2014 05:32:01
Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ?

> BTW, I'll also rework my IPv6 patch.
>
> I thought about extending $ruleset to something like
>
> $ruleset->{iptables}->{filter}
> $ruleset->{iptables}->{nat}
> $ruleset->{ip6tables}->{filter}
> $ruleset->{ebtables}->{filter}
>
> Like this, we can manage multiple commands and filters.
>
> What do you think about it?

Looks good, but I think we should evaluate nftables now (instead of using all those different binaries). 
I have no idea if it is already usable? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
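As an added illustration of the vmap idea sketched in the thread (not pve-firewall code and not part of the original mails): a small generator that emits an nft -f loadable ruleset with one regular chain per VM tap interface, a single forward rule that dispatches to them via a verdict map, and a native set standing in for the ipset. It assumes current nftables syntax (ipv4_addr, quoted interface names) rather than the 2014 v0.3 syntax, and the "<tap>-chain" naming is a convention chosen here.

```python
# Constructed example: build an nftables ruleset in which the forward
# hook jumps straight to a per-tap chain through a vmap instead of one
# iptables rule per interface. Hypothetical helper, not Proxmox code.

def tap_chain(tap):
    """Per-VM chain name for a tap interface (naming convention assumed here)."""
    return f"{tap}-chain"

def vmap_rule(taps):
    """Single forward rule dispatching on the output interface name."""
    entries = ", ".join(f'"{t}" : jump {tap_chain(t)}' for t in sorted(taps))
    return f"oifname vmap {{ {entries} }}"

def build_ruleset(taps, trusted_hosts):
    """Return nft -f loadable text.
    taps: tap interface names; trusted_hosts: IPv4 addresses allowed to
    reach every VM, kept in a native set (the ipset replacement)."""
    out = ["table ip filter {"]
    # native set, the equivalent of `nft add set ... { type ipv4_address; }`
    out += ["\tset trusted {", "\t\ttype ipv4_addr"]
    if trusted_hosts:
        out.append("\t\telements = { " + ", ".join(sorted(trusted_hosts)) + " }")
    out.append("\t}")
    # base chain: reply traffic accepted, new traffic dispatched by the vmap,
    # anything that matches no tap falls through to the chain policy
    out += ["\tchain forward {",
            "\t\ttype filter hook forward priority 0; policy drop;",
            "\t\tct state established,related accept",
            "\t\t" + vmap_rule(taps),
            "\t}"]
    # one regular (non-hooked) chain per VM interface, default drop
    for t in sorted(taps):
        out += [f"\tchain {tap_chain(t)} {{",
                "\t\tip saddr @trusted accept",
                "\t\tdrop",
                "\t}"]
    out.append("}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_ruleset(["tap100i0", "tap200i0", "tap300i0"],
                        ["192.168.3.4", "192.168.1.4", "192.168.1.5"]))
```

Since the rule is a map lookup, the forward chain stays one rule long however many VMs the host runs, which is the performance point made above.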


