[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Sun Jul 6 19:41:00 CEST 2014


Just did some tests; it seems that the nft syntax is not stable yet, 
some minor syntax changes occurred between different releases over the last 6 months.


Another interesting feature since nftables 0.2 is being able to manage IPv4 and IPv6
in the same filter table:

"
nft -f /etc/nftables/inet-filter 

Rules in the inet family can apply to either just IPv4, just IPv6 or 
both types of packets: 

nft inet filter input ip saddr 192.168.0.0/24 jump from_lan 
nft inet filter input ip6 saddr 2001::/64 jump from_lan 
nft inet filter input tcp dport ssh accept 
nft inet filter input iif lo accept 
"

----- Original Message ----- 

From: "Alexandre DERUMIER" <aderumier at odiso.com> 
To: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Sent: Sunday, 6 July 2014 15:16:43 
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

I just tried to build libnftnl-dev and nftables from jessie, and it seems to work fine: 


load rules (aka iptables-restore) 
# nft -f /etc/nftables/ipv4-filter 

save rules (aka iptables-save) 
# nft list table filter 
table ip filter { 
        chain input { 
                type filter hook input priority 0; 
        } 

        chain forward { 
                type filter hook forward priority 0; 
        } 

        chain output { 
                type filter hook output priority 0; 
        } 
} 
----- Original Message ----- 

From: "Alexandre DERUMIER" <aderumier at odiso.com> 
To: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Sent: Sunday, 6 July 2014 14:13:43 
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

Also, I think the most interesting feature of nftables is vmap: 

http://people.netfilter.org/wiki-nftables/index.php/Dictionaries 


So, it seems possible to jump directly to the VM tap chain, a big performance improvement in our case! 


Something like (not sure about the syntax): 


table ip filter { 
        chain forward { 
                # base chain: must be hooked, otherwise the vmap is never evaluated 
                type filter hook forward priority 0; 
                # one map lookup dispatches to the per-tap chain instead of one rule per VM 
                meta oifname vmap { "tap100i0" : jump tap100i0-chain, "tap200i0" : jump tap200i0-chain, "tap300i0" : jump tap300i0-chain } 
        } 

        chain tap100i0-chain { 
        } 

        chain tap200i0-chain { 
        } 

        chain tap300i0-chain { 
        } 
} 


Also, ipsets seem to be native: 

nft add set global myipset { type ipv4_address\;} 
nft add element global myipset { 192.168.3.4 } 
nft add element global myipset { 192.168.1.4, 192.168.1.5 } 




I think we could try to manage a 

$ruleset->{nftables} 

in parallel with the current iptables, ip6tables, ebtables 


and do the switch (next year?) when we're sure that the stability/features of nftables are OK. 
(I think Red Hat will remove the tech preview in RHEL 7.1 or 7.2) 




----- Original Message ----- 

From: "Alexandre DERUMIER" <aderumier at odiso.com> 
To: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Sent: Sunday, 6 July 2014 12:07:21 
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

>>Looks good, but I think we should evaluate nftables now (instead of using all those different binaries). 
>>I have no idea if it is already usable? 

Available since RHEL 7 RC2, but it's a tech preview. 

nftables has just been tagged v0.3: 
http://git.netfilter.org/nftables/log/ 


And the only doc I found is 
https://home.regit.org/netfilter-en/nftables-quick-howto/ 



----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com>, "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
Sent: Sunday, 6 July 2014 05:32:01 
Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ? 

> BTW, I'll also rework my ipv6 patch. 
> 
> I thought about extending $ruleset to something like 
> 
> $ruleset->{iptables}->{filter} 
> $ruleset->{iptables}->{nat} 
> $ruleset->{ip6tables}->{filter} 
> $ruleset->{ebtables}->{filter} 
> 
> This way, we can manage multiple commands and filters. 
> 
> What do you think about it ? 

Looks good, but I think we should evaluate nftables now (instead of using all those different binaries). 
I have no idea if it is already usable? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
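As an added example, not code from this thread or from the Proxmox firewall, the following POSIX shell script emits one nftables ruleset that ties together the three features discussed above: an inet table that filters IPv4 and IPv6 in the same chains, native named sets in place of ipset, and verdict maps (vmap) that dispatch each forwarded packet straight to the chain of the tap it enters or leaves on, so that adding a VM adds a map entry rather than a rule to walk past. It goes slightly beyond the thread by using two maps (ingress and egress per tap) and by adding the usual conntrack rules in front of them. The table name pve_filter, the set contents, the <tap>-IN / <tap>-OUT chain naming, the from_lan policy and the tap names passed on the command line are all assumptions for the illustration. It uses the current set type name ipv4_addr; the ipv4_address spelling quoted earlier is the early 0.x syntax.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Proxmox firewall.
# Generates one nftables ruleset combining: an inet table (IPv4 + IPv6 in one
# place), native named sets, and vmap dispatch to per-tap chains.
#
# Assumptions (made up for the illustration): the table name pve_filter, the
# set contents, the "<tap>-IN" / "<tap>-OUT" chain naming and the from_lan
# policy.  "ipv4_addr" is the current type name; the thread's "ipv4_address"
# is the early 0.x spelling.

# Print the ruleset for the given tap interfaces (one argument per VM).
pve_nft_ruleset() {
    in_map=""
    out_map=""
    for tap in "$@"; do
        # Build comma-separated '"<iface>" : jump <chain>' entries for the vmaps.
        in_map="${in_map}${in_map:+, }\"${tap}\" : jump ${tap}-IN"
        out_map="${out_map}${out_map:+, }\"${tap}\" : jump ${tap}-OUT"
    done

    printf 'table inet pve_filter {\n'
    # Named sets: an inet table still needs one set per address family.
    printf '    set lan4 {\n        type ipv4_addr\n        flags interval\n'
    printf '        elements = { 192.168.1.0/24, 192.168.3.4 }\n    }\n'
    printf '    set lan6 {\n        type ipv6_addr\n        flags interval\n'
    printf '        elements = { 2001:db8::/64 }\n    }\n'
    # Shared chain reached from both the ip and the ip6 rule below.
    printf '    chain from_lan {\n        tcp dport 22 accept\n    }\n'
    # Base chain: one map lookup replaces one rule per VM; a packet for a tap
    # that is not in the map falls through to the chain policy (drop).
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy drop;\n'
    printf '        ct state established,related accept\n'
    printf '        ct state invalid drop\n'
    printf '        oifname vmap { %s }\n' "$in_map"
    printf '        iifname vmap { %s }\n' "$out_map"
    printf '    }\n'
    for tap in "$@"; do
        # Traffic towards the VM: the same chain handles v4 and v6 sources.
        printf '    chain %s-IN {\n' "$tap"
        printf '        ip saddr @lan4 jump from_lan\n'
        printf '        ip6 saddr @lan6 jump from_lan\n'
        printf '        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept\n'
        printf '        drop\n'
        printf '    }\n'
        # Traffic from the VM: accepted here; a per-VM source-address check
        # (anti-spoofing) would be the natural addition to this chain.
        printf '    chain %s-OUT {\n' "$tap"
        printf '        accept\n'
        printf '    }\n'
    done
    printf '}\n'
}

# Syntax-check the ruleset with nft's dry-run mode (-c) without loading it.
# Returns 0 when nft is not installed so the script still runs elsewhere;
# on some nft versions the dry run itself needs CAP_NET_ADMIN.
pve_nft_check() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed, skipping syntax check" >&2
        return 0
    fi
    pve_nft_ruleset "$@" | nft -c -f -
}

# Usage: sh pve-nft-example.sh tap100i0 tap200i0 tap300i0 > /etc/nftables/pve-filter
# then load it with: nft -f /etc/nftables/pve-filter
if [ $# -gt 0 ]; then
    pve_nft_check "$@" && pve_nft_ruleset "$@"
fi
```

The generated file is loaded with `nft -f`, the same way the thread loads /etc/nftables/ipv4-filter, and `nft list table inet pve_filter` shows it back. Adding a VM means adding one element to each vmap and its two chains; the lookup cost of the forward chain does not grow with the number of VMs.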