[pve-devel] firewall : cluster.fw [rules] section ?
Alexandre DERUMIER
aderumier at odiso.com
Sun Jul 6 15:16:43 CEST 2014
I just tried to build libnftnl-dev and nftables from jessie, and it seems to work fine:
load rules (aka iptables-restore)
# nft -f /etc/nftables/ipv4-filter
save rules (aka iptables-save)
# nft list table filter
table ip filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Sunday, 6 July 2014 14:13:43
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
Also, I think the most interesting feature of nftables is vmap:
http://people.netfilter.org/wiki-nftables/index.php/Dictionaries
So it seems possible to jump directly to the VM tap chain, a big performance improvement in our case!
Something like (not sure about the syntax):
table ip filter {
    chain forward {
        meta oifname vmap { tap100i0 : jump tap100i0-chain, tap200i0 : jump tap200i0-chain, tap300i0 : jump tap300i0-chain }
    }
    chain tap100i0-chain {
    }
    chain tap200i0-chain {
    }
    chain tap300i0-chain {
    }
}
Also, ipset seems to be native:
nft add set global myipset { type ipv4_address\;}
nft add element global myipset { 192.168.3.4 }
nft add element global myipset { 192.168.1.4, 192.168.1.5 }
I think we could try to manage a
$ruleset->{nftables}
in parallel with the current iptables, ip6tables, ebtables
and do the switch (next year?) when we're sure that the stability/features of nftables are OK.
(I think Red Hat will remove the tech preview for RHEL 7.1 or 7.2.)
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Sunday, 6 July 2014 12:07:21
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>>Looks good, but I think we should evaluate nftables now (instead of using all those different binaries).
>>I have no idea if it is already usable?
Available since RHEL 7 RC2, but it's a tech preview.
nftables has just been tagged to v0.3
http://git.netfilter.org/nftables/log/
and the only doc I found is
https://home.regit.org/netfilter-en/nftables-quick-howto/
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>, "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
Sent: Sunday, 6 July 2014 05:32:01
Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ?
> BTW, I'll also rework my ipv6 patch.
>
> I thought about extending $ruleset to something like
>
> $ruleset->{iptables}->{filter}
> $ruleset->{iptables}->{nat}
> $ruleset->{ip6tables}->{filter}
> $ruleset->{ebtables}->{filter}
>
> Like this, we can manage multiple commands and filters.
>
> What do you think about it?
Looks good, but I think we should evaluate nftables now (instead of using all those different binaries).
I have no idea if it is already usable?
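The vmap dispatch to per-VM tap chains and the native set sketched in the thread above, written out as one complete ruleset file for `nft -f`. This is an added example, not code from the thread or from pve-firewall; it uses current nftables syntax (`ipv4_addr` instead of the 2014 `ipv4_address`, quoted interface names in the map), and the interface names, chain names, set name and addresses are constructed for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread or pve-firewall): forwarded traffic is
# dispatched to a per-VM chain by a single verdict-map lookup on the outgoing
# tap interface, instead of walking a linear list of per-VM match rules.
# Interface names, chain names and addresses below are constructed.

flush ruleset

table ip filter {
    # Native set, replacing a separately managed ipset.
    set mgmt_hosts {
        type ipv4_addr
        elements = { 192.168.3.4, 192.168.1.4, 192.168.1.5 }
    }

    # Host side: default-deny, SSH only from the management set.
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @mgmt_hosts tcp dport 22 accept
    }

    # Bridged VM traffic: connection tracking first, then one map lookup
    # that jumps straight to the chain of the destination VM. Traffic for
    # a tap interface not listed in the map falls through to the policy.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        oifname vmap { "tap100i0" : jump tap100i0-in,
                       "tap200i0" : jump tap200i0-in,
                       "tap300i0" : jump tap300i0-in }
        # The reverse direction (traffic leaving a VM) would use the
        # mirror lookup: iifname vmap { "tap100i0" : jump tap100i0-out, ... }
    }

    # Per-VM chains. "jump" returns to the forward chain when the chain
    # ends without a verdict, so each one finishes with an explicit drop
    # rather than relying on the caller's policy.
    chain tap100i0-in {
        # Web server: public HTTP/HTTPS, SSH only from management.
        tcp dport { 80, 443 } accept
        ip saddr @mgmt_hosts tcp dport 22 accept
        drop
    }

    chain tap200i0-in {
        # Database: reachable only from the web VM's address and management.
        ip saddr 10.0.0.100 tcp dport 5432 accept
        ip saddr @mgmt_hosts tcp dport 22 accept
        drop
    }

    chain tap300i0-in {
        # Isolated VM: nothing new may be initiated towards it.
        drop
    }
}
```

Load it with `nft -f <file>` and confirm the result with `nft list table ip filter`; per-VM changes then become a matter of replacing one `tapNNNi0-in` chain and one map element, while the `forward` chain itself stays the same size regardless of the number of VMs on the host.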
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel