[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Mon Jul 7 18:01:32 CEST 2014


>>segfaulting in nft looks more like a bug in nft cmd tool. Have you tried 
>>to attach with gdb and the debug libs? 

Just tested with 3.15 kernel, same problem.
So maybe the problem comes from the nftables tools or libnftnl.

(I have the debug symbols for libnftnl.)

Don't know how to debug with gdb ...



----- Original Mail ----- 

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Sent: Monday 7 July 2014 14:26:37 
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

On 07.07.2014 13:30, Alexandre DERUMIER wrote: 
>>> I'll check if we couldn't mix iptables and nftables (for the layer2), so as not to do the job twice. 
> 
> Seems to work, I have created a simple layer2 filtering with 
> 
> nft add rule bridge filter forward iifname tap123i0 log prefix \"testdrop\" drop 
> 
> 
> + iptables running in parallel, 
> 
> and it works fine. 
> 
> 
> 
> some notes: 
> 
> ethernet protocol filtering can be managed with 
> 
> # nft add rule bridge filter forward ether type 0x0800 
> 
> 
> 
> I have a segfault with mac filtering 
> -------------------------------------- 
> 
> # mac source 
> add rule bridge filter forward iifname tap123i0 @ll,48,48 00:15:e9:f0:10:f8 counter 
> # mac dest 
> add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad counter 
> # mac source and mac dest 
> add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad @ll,48,48 00:15:e9:f0:10:f8 counter 
> 
> 
> 
> Jul 7 13:24:36 kvmtest1 kernel: [ 9213.510642] nft[24469]: segfault at 0 ip 000000000040c647 sp 00007fffb7178620 error 4 in nft[400000+44000] 
> 
> 
> So, maybe it's a bug in current rhel kernel. 
> (I'll test with a 3.15 kernel) 

segfaulting in nft looks more like a bug in nft cmd tool. Have you tried 
to attach with gdb and the debug libs? 

Stefan 


> ----- Original Mail ----- 
> 
> From: "Alexandre DERUMIER" <aderumier at odiso.com> 
> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Sent: Monday 7 July 2014 10:24:13 
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
>>> I really would love to see the mac filter for layer2 in the first 
>>> release. At least to me it's a pretty important thing. Otherwise the 
>>> current mac filter is pretty "useless". 
>>> 
>>> Stefan 
> 
> I'll check if we couldn't mix iptables and nftables (for the layer2), so as not to do the job twice. 
> 
> 
> 
> ----- Original Mail ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Sent: Monday 7 July 2014 09:17:42 
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> Hi, 
> 
> On 07.07.2014 07:46, Alexandre DERUMIER wrote: 
>>>> My feeling is that we should use nft, else we will do all work twice. 
>>>> 
>> yes. 
>> 
>>>> But the current iptables implementation is a good start for the first release. 
>> 
>> I'll try to build an nftables rules sample manually to see what's missing. 
>> Maybe we can release the current iptables code for ipv4+ipset and later nftables for ipv4+ipv6+ebtables? 
> 
> I really would love to see the mac filter for layer2 in the first 
> release. At least to me it's a pretty important thing. Otherwise the 
> current mac filter is pretty "useless". 
> 
> Stefan 
> 
>> I think nft is almost ready; the 0.3 release notes say that some parts are not yet ready 
>> (masquerading, unicast/multicast/broadcast rules). 
>> So it should be ready in some months I think. 
>> 
>> 
>> " 
>> Ongoing works 
>> ============= 
>> 
>> There are several open fronts in terms of development: 
>> 
>> * Full logging support for all the supported families (ip, ip6, arp, 
>> bridge and inet). 
>> 
>> * Masquerading support. 
>> 
>> * Better reject support, which allows you to indicate the explicit reject 
>> reason. 
>> 
>> * JSON/XML import. 
>> 
>> * reverse set lookups, eg. 
>> 
>> ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 } 
>> ^^ 
>> 
>> * more new meta selectors, packet type (unicast, multicast and broadcast), 
>> cpu, physical interface, realm, etc. 
>> 
>> * support for concatenations - multidimensional exact matches in O(1) types 
>> 
>> * set selection - automatic selection of the optimal set 
>> implementation. 
>> " 
>> 
>> ----- Original Mail ----- 
>> 
>> From: "Dietmar Maurer" <dietmar at proxmox.com> 
>> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Sent: Monday 7 July 2014 06:02:08 
>> Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ? 
>> 
>>> another interesting feature since nftables 0.2 is being able to manage ipv4 and ipv6 
>>> in the same filter table 
>> 
>> My feeling is that we should use nft, else we will do all work twice. 
>> 
>> But the current iptables implementation is a good start for the first release. 
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>> 
> 
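An added example, not part of this thread and not Proxmox's firewall code: the layer-2 MAC filter discussed above written as a bridge-family nft ruleset generated per tap interface, a small decoder for the @ll,offset,length raw payload expressions that crashed nft 0.3 (mapping them to the destination MAC, source MAC and ethertype fields they address), and the gdb batch invocation Stefan suggests for catching the segfault. It assumes an nft new enough to accept ether saddr in the bridge family; the interface name tap123i0 and the MAC 00:15:e9:f0:10:f8 are the values from the thread, while the function names, the output file path and the "macspoof-" log prefix are my own.

```shell
#!/bin/sh
# Added example (not from the pve-devel thread or Proxmox's firewall code).
# Builds a bridge-family nftables ruleset that only lets frames carrying the
# VM's assigned MAC leave its tap interface, i.e. the layer-2 anti-spoofing
# filter discussed in the thread, using the named `ether saddr` selector
# instead of the raw @ll payload match that crashed nft 0.3.
# Assumption: an nft new enough to accept `ether saddr` in the bridge family.

# Map the thread's raw payload offsets to the header field they select.
# The link-layer header is: dst MAC (bits 0-47), src MAC (bits 48-95),
# ethertype (bits 96-111); @ll,offset,length addresses it in bits.
ll_field() {
    case "$1,$2" in
        0,48)  echo "destination MAC" ;;
        48,48) echo "source MAC" ;;
        96,16) echo "ethertype" ;;
        *)     echo "unknown (@ll,$1,$2)"; return 1 ;;
    esac
}

# Validate a colon-separated MAC address (six hex octets).
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit a complete ruleset for one tap interface and its assigned MAC.
# Frames from that interface with any other source MAC are logged and
# dropped; everything else keeps the chain's accept policy. Inputs are
# checked first so an odd interface name cannot leak into the ruleset.
gen_bridge_mac_filter() {
    iface="$1"; mac="$2"
    case "$iface" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    is_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    cat <<EOF
table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$iface" ether saddr != $mac counter log prefix "macspoof-$iface " drop
        iifname "$iface" ether saddr $mac counter accept
    }
}
EOF
}

# Syntax-check a ruleset file with nft without loading it (nft -c) when nft
# is installed; elsewhere report that the check was skipped.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1" || echo "nft rejected $1" >&2
    else
        echo "nft not installed, skipped syntax check of $1" >&2
    fi
}

# Stefan's suggestion: run the crashing nft command under gdb in batch mode
# so the backtrace is printed (and can be redirected to a file). This only
# composes the command line; running it needs gdb, nft and root.
gdb_trace_cmd() {
    printf 'gdb -batch -ex run -ex bt --args %s\n' "$*"
}

main() {
    f="${TMPDIR:-/tmp}/bridge-mac-filter.nft"   # output path is my choice
    gen_bridge_mac_filter tap123i0 00:15:e9:f0:10:f8 > "$f"
    echo "ruleset written to $f"
    check_ruleset "$f"
    echo "to catch the segfault from the thread, run:"
    gdb_trace_cmd nft add rule bridge filter forward iifname tap123i0 ether saddr 00:15:e9:f0:10:f8 counter
}

main "$@"
```

Load the generated file with nft -f on the host; because the drop rule sits before the accept, a VM that changes its MAC is logged and cut off at its own tap interface, which is the bridge-level filtering the thread wants from nft instead of a second ebtables pass. The ll_field helper is only there to make the thread's @ll,0,48 / @ll,48,48 expressions readable; the ruleset itself never uses raw payload matches.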


