[pve-devel] firewall : cluster.fw [rules] section ?
Alexandre DERUMIER
aderumier at odiso.com
Mon Jul 7 13:30:47 CEST 2014
>>I'll check if we couldn't mix iptables and nftables (for the layer2), to not do twice the job.
Seems to work, I have created a simple layer2 filtering with
nft add rule bridge filter forward iifname tap123i0 log prefix \"testdrop\" drop
+ iptables running in parallel,
and it works fine.
Some notes:
Ethernet protocol filtering can be managed with
# nft add rule bridge filter forward ether type 0x0800
I have a segfault with MAC filtering
--------------------------------------
# mac source
add rule bridge filter forward iifname tap123i0 @ll,48,48 00:15:e9:f0:10:f8 counter
# mac dest
add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad counter
# mac source and mac dest
add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad @ll,48,48 00:15:e9:f0:10:f8 counter
Jul 7 13:24:36 kvmtest1 kernel: [ 9213.510642] nft[24469]: segfault at 0 ip 000000000040c647 sp 00007fffb7178620 error 4 in nft[400000+44000]
So, maybe it's a bug in the current RHEL kernel.
(I'll test with a 3.15 kernel)
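As an added example (not code from the thread or from the Proxmox firewall itself): a small POSIX sh helper that emits a bridge-family ruleset for one tap interface, accepting only allow-listed source MACs in the same `@ll,48,48` raw payload form used above and logging then dropping everything else from that interface. The `valid_mac` and `gen_tap_rules` names and the `macspoof-` log prefix are my own choices; the helper prints the ruleset for review rather than loading it.

```shell
#!/bin/sh
# Added example, hypothetical helper names. Emits an nft "bridge" family
# ruleset that only lets allow-listed source MACs out of a VM's tap
# interface (layer-2 anti-spoofing) and logs + drops the rest.
# Output is printed for review; loading it (e.g. with `nft -f -`) is
# left to the operator and not exercised here.

# Return 0 if $1 is a colon-separated 48-bit MAC address, else 1.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Usage: gen_tap_rules <tap ifname> <allowed MAC> [<allowed MAC>...]
# Prints the ruleset on stdout; returns 2 on a missing or malformed MAC.
gen_tap_rules() {
    ifname=$1; shift
    [ $# -ge 1 ] || { echo "need at least one allowed MAC" >&2; return 2; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 2; }
    done
    printf 'table bridge filter {\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy accept;\n'
    for mac in "$@"; do
        # Source MAC is bytes 6..11 of the Ethernet header: bit offset 48,
        # length 48 bits, the same raw payload match used in the thread.
        printf '    iifname "%s" @ll,48,48 %s counter accept\n' "$ifname" "$mac"
    done
    # Anything else entering from this tap is logged, then dropped.
    printf '    iifname "%s" counter log prefix "macspoof-%s " drop\n' \
        "$ifname" "$ifname"
    printf '  }\n'
    printf '}\n'
}
```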
----- Original message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Monday 7 July 2014 10:24:13
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>>I really would love to see the mac filter for layer2 in the first
>>release. At least to me it's a pretty important thing. Otherwise the
>>current mac filter is pretty "useless".
>>
>>Stefan
I'll check if we couldn't mix iptables and nftables (for the layer2), to not do twice the job.
----- Original message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Monday 7 July 2014 09:17:42
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
Hi,
On 07.07.2014 07:46, Alexandre DERUMIER wrote:
>>> My feeling is that we should use nft, else we will do all work twice.
>>>
> yes.
>
>>> But the current iptables implementation is a good start for the first release.
>
> I'll try to build a nftables rules sample manually to see what's missing.
> maybe we can release current iptables code for ipv4+ipset and later nftables for ipv4+ipv6+ebtables ?
I really would love to see the mac filter for layer2 in the first
release. At least to me it's a pretty important thing. Otherwise the
current mac filter is pretty "useless".
Stefan
> I think nft it's almost ready, 0.3 release note said that some parts are not yet ready
> (masquerading, unicast/multicast/broadcast rules).
> So it should be ready in some months I think.
>
>
> "
> Ongoing works
> =============
>
> There are several open fronts in terms of development:
>
> * Full logging support for all the supported families (ip, ip6, arp,
> bridge and inet).
>
> * Masquerading support.
>
> * Better reject support, which allows you to indicate the explicit reject
> reason.
>
> * JSON/XML import.
>
> * reverse set lookups, eg.
>
> ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 }
> ^^
>
> * more new meta selectors, packet type (unicast, multicast and broadcast),
> cpu, physical interface, realm, etc.
>
> * support for concatenations - multidimensional exact matches in O(1) types
>
> * set selection - automatic selection of the optimal set
> implementation.
> "
>
> ----- Original message -----
>
> From: "Dietmar Maurer" <dietmar at proxmox.com>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Monday 7 July 2014 06:02:08
> Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ?
>
>> another interesting feature since nftables 0.2, is to be able to manage ipv4 and
>> ipv6
>> in the same filter table
>
> My feeling is that we should use nft, else we will do all work twice.
>
> But the current iptables implementation is a good start for the first release.
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel