[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Mon Jul 7 13:30:47 CEST 2014


>>I'll check if we couldn't mix iptables and nftables (for the layer2), to not do twice the job. 

Seem to works, I have create a simple layer2 filtering with

nft add rule bridge filter forward iifname tap123i0 log prefix \"testdrop\" drop


+ iptables running in parralel,

and it's works fine.



some notes:

ethernet protocol filtering can be manage with 

# nft add rule bridge filter forward ether type 0x0800 



I have a segfault with mac filtering
--------------------------------------

# mac source
add rule bridge filter forward iifname tap123i0 @ll,48,48 00:15:e9:f0:10:f8 counter
# mac dest
add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad counter
# mac source and mac dest
add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad  @ll,48,48 00:15:e9:f0:10:f8  counter



Jul  7 13:24:36 kvmtest1 kernel: [ 9213.510642] nft[24469]: segfault at 0 ip 000000000040c647 sp 00007fffb7178620 error 4 in nft[400000+44000]


So, maybe it's a bug in current rhel kernel.
(I'll test with a 3.15 kernel)



----- Mail original ----- 

De: "Alexandre DERUMIER" <aderumier at odiso.com> 
À: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Lundi 7 Juillet 2014 10:24:13 
Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

>>I really would love to see the mac filter for layer2 in the first 
>>release. At least to me it's a pretty important thing. Otherwise the 
>>current mac filter is pretty "useless". 
>> 
>>Stefan 

I'll check if we couldn't mix iptables and nftables (for the layer2), to not do twice the job. 



----- Mail original ----- 

De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
À: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Lundi 7 Juillet 2014 09:17:42 
Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

Hi, 

Am 07.07.2014 07:46, schrieb Alexandre DERUMIER: 
>>> My feeling is that we should use nft, else we will do all work twice. 
>>> 
> yes. 
> 
>>> But the current iptables implementation is a good start for the first release. 
> 
> I'll try to build a nftables rules sample manually to see what's missing. 
> maybe can we release current iptables code for ipv4+ipset and later nftables for ipv4+ipv6+etables ? 

I really would love to see the mac filter for layer2 in the first 
release. At least to me it's a pretty important thing. Otherwise the 
current mac filter is pretty "useless". 

Stefan 

> I think nft it's almost ready, 0.3 release note said that some parts are not yet ready 
> (masquerading, unicast/multicast/broacast rules). 
> So it should be ready in some months I think. 
> 
> 
> " 
> Ongoing works 
> ============= 
> 
> There are several open fronts in terms of development: 
> 
> * Full logging support for all the supported families (ip, ip6, arp, 
> bridge and inet). 
> 
> * Masquerading support. 
> 
> * Better reject support, which allows you to indicate the explicit reject 
> reason. 
> 
> * JSON/XML import. 
> 
> * reverse set lookups, eg. 
> 
> ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 } 
> ^^ 
> 
> * more new meta selectors, packet type (unicast, multicast and broadcast), 
> cpu, physical interface, realm, etc. 
> 
> * support for concatenations - multidimensional exact matches in O(1) types 
> 
> * set selection - automatic selection of the optimal set 
> implementation. 
> " 
> 
> 
> 
> 
> 
> 
> 
> 
> ----- Mail original ----- 
> 
> De: "Dietmar Maurer" <dietmar at proxmox.com> 
> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Envoyé: Lundi 7 Juillet 2014 06:02:08 
> Objet: RE: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
>> another interesting feature since nftables 0.2, is to be able to manage ipv4 and 
>> ipv6 
>> in the same filter table 
> 
> My feeling is that we should use nft, else we will do all work twice. 
> 
> But the current iptables implementation is a good start for the first release. 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 



More information about the pve-devel mailing list