[pve-devel] firewall : cluster.fw [rules] section ?

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Mon Jul 7 14:26:37 CEST 2014


On 07.07.2014 13:30, Alexandre DERUMIER wrote:
>>> I'll check if we couldn't mix iptables and nftables (for the layer2), to not do twice the job. 
> 
> Seems to work, I have created a simple layer2 filter with
> 
> nft add rule bridge filter forward iifname tap123i0 log prefix \"testdrop\" drop
> 
> 
> + iptables running in parallel,
> 
> and it works fine.
> 
> 
> 
> some notes:
> 
> ethernet protocol filtering can be managed with 
> 
> # nft add rule bridge filter forward ether type 0x0800 
> 
> 
> 
> I have a segfault with mac filtering
> --------------------------------------
> 
> # mac source
> add rule bridge filter forward iifname tap123i0 @ll,48,48 00:15:e9:f0:10:f8 counter
> # mac dest
> add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad counter
> # mac source and mac dest
> add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad  @ll,48,48 00:15:e9:f0:10:f8  counter
> 
> 
> 
> Jul  7 13:24:36 kvmtest1 kernel: [ 9213.510642] nft[24469]: segfault at 0 ip 000000000040c647 sp 00007fffb7178620 error 4 in nft[400000+44000]
> 
> 
> So, maybe it's a bug in current rhel kernel.
> (I'll test with a 3.15 kernel)

Segfaulting in nft looks more like a bug in the nft cmd tool. Have you tried
to attach with gdb and the debug libs?

Stefan


> ----- Original Message ----- 
> 
> From: "Alexandre DERUMIER" <aderumier at odiso.com> 
> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Sent: Monday, 7 July 2014 10:24:13 
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
>>> I really would love to see the mac filter for layer2 in the first 
>>> release. At least to me it's a pretty important thing. Otherwise the 
>>> current mac filter is pretty "useless". 
>>>
>>> Stefan 
> 
> I'll check if we couldn't mix iptables and nftables (for the layer2), to not do twice the job. 
> 
> 
> 
> ----- Original Message ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Sent: Monday, 7 July 2014 09:17:42 
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> Hi, 
> 
> On 07.07.2014 07:46, Alexandre DERUMIER wrote: 
>>>> My feeling is that we should use nft, else we will do all work twice. 
>>>>
>> yes. 
>>
>>>> But the current iptables implementation is a good start for the first release. 
>>
>> I'll try to build a nftables rules sample manually to see what's missing. 
>> maybe we can release the current iptables code for ipv4+ipset and later nftables for ipv4+ipv6+ebtables? 
> 
> I really would love to see the mac filter for layer2 in the first 
> release. At least to me it's a pretty important thing. Otherwise the 
> current mac filter is pretty "useless". 
> 
> Stefan 
> 
>> I think nft is almost ready, the 0.3 release notes said that some parts are not yet ready 
>> (masquerading, unicast/multicast/broadcast rules). 
>> So it should be ready in some months I think. 
>>
>>
>> " 
>> Ongoing works 
>> ============= 
>>
>> There are several open fronts in terms of development: 
>>
>> * Full logging support for all the supported families (ip, ip6, arp, 
>> bridge and inet). 
>>
>> * Masquerading support. 
>>
>> * Better reject support, which allows you to indicate the explicit reject 
>> reason. 
>>
>> * JSON/XML import. 
>>
>> * reverse set lookups, eg. 
>>
>> ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 } 
>> ^^ 
>>
>> * more new meta selectors, packet type (unicast, multicast and broadcast), 
>> cpu, physical interface, realm, etc. 
>>
>> * support for concatenations - multidimensional exact matches in O(1) types 
>>
>> * set selection - automatic selection of the optimal set 
>> implementation. 
>> " 
>>
>> ----- Original Message ----- 
>>
>> From: "Dietmar Maurer" <dietmar at proxmox.com> 
>> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Sent: Monday, 7 July 2014 06:02:08 
>> Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ? 
>>
>>> another interesting feature since nftables 0.2, is to be able to manage ipv4 and 
>>> ipv6 
>>> in the same filter table 
>>
>> My feeling is that we should use nft, else we will do all work twice. 
>>
>> But the current iptables implementation is a good start for the first release. 
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>
> 

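The thread above asks for a per-guest MAC filter at layer 2 and shows nft's bridge family being tried for it with raw `@ll` payload expressions. The following is an added example, not code from the thread, from Proxmox or from the nftables project: a POSIX shell generator that emits an nft bridge-family ruleset pinning each guest tap interface to its assigned source MAC and restricting ether types, written in the `ether saddr` / `ether type` syntax of current nft rather than the 2014 raw-payload form. The tap name and first MAC are taken from the thread, the second guest's MAC is constructed, and the `pve-macspoof:` log prefix and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not code from the pve-devel thread or from Proxmox): build an
# nft bridge-family ruleset that pins every guest tap interface to the MAC the
# guest was assigned, i.e. the "mac filter for layer2" the thread asks for.
# Load the output with: gen_l2_ruleset "$SAMPLE_GUESTS" | nft -f -
set -eu

# Constructed sample input, one "tap-interface mac" pair per line. The first
# pair reuses the interface/MAC from the thread; the second is made up.
SAMPLE_GUESTS="tap123i0 00:15:e9:f0:10:f8
tap124i0 52:54:00:12:34:56"

# Return 0 only for a well-formed colon-separated MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the ruleset for the given "ifname mac" pairs to stdout.
# Returns 1 (stopping the output) if any MAC is malformed, so a typo in the
# VM config cannot silently turn into a rule that matches nothing.
gen_l2_ruleset() {
    printf 'table bridge filter {\n'
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy accept;\n'
    # Only plain IPv4, ARP and IPv6 frames may cross the bridge at all
    # (note: VLAN-tagged frames carry ether type 0x8100 and are dropped here).
    printf '        ether type != { ip, arp, ip6 } counter drop\n'
    while read -r ifname mac; do
        [ -n "$ifname" ] || continue
        if ! valid_mac "$mac"; then
            printf 'gen_l2_ruleset: bad MAC "%s" for %s\n' "$mac" "$ifname" >&2
            return 1
        fi
        # A frame entering from the guest's tap with any other source MAC is
        # spoofed: log it (prefix is this example's choice) and drop it.
        printf '        iifname "%s" ether saddr != %s log prefix "pve-macspoof: " drop\n' \
            "$ifname" "$mac"
    done <<EOF
$1
EOF
    printf '    }\n'
    printf '}\n'
}

gen_l2_ruleset "$SAMPLE_GUESTS"
```

The ruleset lives in its own `bridge` table, so it can coexist with an iptables-based IP filter in the way the thread found works; iptables never sees the `bridge` family hooks, and the `forward` hook only covers frames forwarded across the bridge, not frames delivered to the host itself. The dropped spoof attempts show up in the kernel log under the chosen prefix, which is the signal to alert on.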
