[pve-devel] firewall : cluster.fw [rules] section ?

Stefan Priebe s.priebe at profihost.ag
Mon Jul 7 20:49:45 CEST 2014


On 07.07.2014 18:16, Alexandre DERUMIER wrote:
> I have filled a bugzilla:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=79601

Patrick McHardy:
"Please send to netfilter-devel, none of the netfilter developers is 
following bugzilla."

Stefan


> ----- Original Message -----
>
> From: "Alexandre DERUMIER" <aderumier at odiso.com>
> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Monday 7 July 2014 18:01:32
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>
>>> segfaulting in nft looks more like a bug in the nft cmd tool. Have you tried
>>> to attach with gdb and the debug libs?
>
> just tested with 3.15 kernel, same problem.
> So maybe the problem comes from the nftables tools or libnftnl.
>
> (I have the debug symbols for libnftnl).
>
> Don't know how to debug with gdb ...
>
>
>
> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Monday 7 July 2014 14:26:37
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>
> On 07.07.2014 13:30, Alexandre DERUMIER wrote:
>>>> I'll check if we couldn't mix iptables and nftables (for layer 2), to not do the job twice.
>>
>> Seems to work, I have created a simple layer 2 filter with
>>
>> nft add rule bridge filter forward iifname tap123i0 log prefix \"testdrop\" drop
>>
>>
>> + iptables running in parallel,
>>
>> and it works fine.
>>
>>
>>
>> some notes:
>>
>> ethernet protocol filtering can be managed with
>>
>> # nft add rule bridge filter forward ether type 0x0800
>>
>>
>>
>> I have a segfault with mac filtering
>> --------------------------------------
>>
>> # mac source
>> add rule bridge filter forward iifname tap123i0 @ll,48,48 00:15:e9:f0:10:f8 counter
>> # mac dest
>> add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad counter
>> # mac source and mac dest
>> add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad @ll,48,48 00:15:e9:f0:10:f8 counter
>>
>>
>>
>> Jul 7 13:24:36 kvmtest1 kernel: [ 9213.510642] nft[24469]: segfault at 0 ip 000000000040c647 sp 00007fffb7178620 error 4 in nft[400000+44000]
>>
>>
>> So, maybe it's a bug in the current RHEL kernel.
>> (I'll test with a 3.15 kernel)
>
> segfaulting in nft looks more like a bug in the nft cmd tool. Have you tried
> to attach with gdb and the debug libs?
>
> Stefan
>
>
>> ----- Original Message -----
>>
>> From: "Alexandre DERUMIER" <aderumier at odiso.com>
>> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
>> Sent: Monday 7 July 2014 10:24:13
>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>>
>>>> I really would love to see the mac filter for layer2 in the first
>>>> release. At least to me it's a pretty important thing. Otherwise the
>>>> current mac filter is pretty "useless".
>>>>
>>>> Stefan
>>
>> I'll check if we couldn't mix iptables and nftables (for layer 2), to not do the job twice.
>>
>>
>>
>> ----- Original Message -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com>
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
>> Sent: Monday 7 July 2014 09:17:42
>> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>>
>> Hi,
>>
>> On 07.07.2014 07:46, Alexandre DERUMIER wrote:
>>>>> My feeling is that we should use nft, else we will do all work twice.
>>>>>
>>> yes.
>>>
>>>>> But the current iptables implementation is a good start for the first release.
>>>
>>> I'll try to build an nftables rules sample manually to see what's missing.
>>> maybe we can release the current iptables code for ipv4+ipset and later nftables for ipv4+ipv6+ebtables?
>>
>> I really would love to see the mac filter for layer2 in the first
>> release. At least to me it's a pretty important thing. Otherwise the
>> current mac filter is pretty "useless".
>>
>> Stefan
>>
>>> I think nft is almost ready, the 0.3 release notes say that some parts are not yet ready
>>> (masquerading, unicast/multicast/broadcast rules).
>>> So it should be ready in some months I think.
>>>
>>>
>>> "
>>> Ongoing works
>>> =============
>>>
>>> There are several open fronts in terms of development:
>>>
>>> * Full logging support for all the supported families (ip, ip6, arp,
>>> bridge and inet).
>>>
>>> * Masquerading support.
>>>
>>> * Better reject support, which allows you to indicate the explicit reject
>>> reason.
>>>
>>> * JSON/XML import.
>>>
>>> * reverse set lookups, eg.
>>>
>>> ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 }
>>> ^^
>>>
>>> * more new meta selectors, packet type (unicast, multicast and broadcast),
>>> cpu, physical interface, realm, etc.
>>>
>>> * support for concatenations - multidimensional exact matches in O(1) types
>>>
>>> * set selection - automatic selection of the optimal set
>>> implementation.
>>> "
>>>
>>> ----- Original Message -----
>>>
>>> From: "Dietmar Maurer" <dietmar at proxmox.com>
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
>>> Sent: Monday 7 July 2014 06:02:08
>>> Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ?
>>>
>>>> another interesting feature since nftables 0.2, is to be able to manage ipv4 and
>>>> ipv6
>>>> in the same filter table
>>>
>>> My feeling is that we should use nft, else we will do all work twice.
>>>
>>> But the current iptables implementation is a good start for the first release.
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel at pve.proxmox.com
>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>>
>>
>>
>
>
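The layer-2 MAC filter the thread is circling around (pin each VM's tap interface to its allowed source MAC, the way ebtables would), as an added example that is not part of the thread and not pve-firewall code. It reuses the raw payload offsets from Alexandre's rules (`@ll,0,48` is the destination MAC, `@ll,48,48` the source MAC) and his `tap123i0` / MAC values; the table name `filter`, chain name `forward` and the log prefix `pve-macspoof` are assumptions. The generator emits one accept rule per allowed MAC followed by a catch-all drop, rather than a negated set lookup (`!= { ... }`), because the 0.3 release notes quoted above list reverse set lookups as still unfinished.

```python
"""Generate nftables bridge-family rules that only let a VM's tap interface
send frames from its registered MAC address(es). Added example, not
pve-firewall code; table/chain names and log prefix are assumptions."""
import re

# Ethernet header fields as (bit offset, bit length) from the start of the
# link-layer header, the form nft's raw payload expression @ll,<off>,<len> uses.
LL_DST_MAC = (0, 48)     # destination MAC: bytes 0-5
LL_SRC_MAC = (48, 48)    # source MAC: bytes 6-11
LL_ETHERTYPE = (96, 16)  # EtherType: bytes 12-13

ETHERTYPE = {"ipv4": 0x0800, "arp": 0x0806, "ipv6": 0x86DD}

_MAC_RE = re.compile(r"^([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}$")


def normalize_mac(mac: str) -> str:
    """Validate a MAC address and return it in lower-case colon form.

    Rejecting malformed input here matters: a bad token would otherwise be
    passed straight into the nft command line."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


def ll_match(field, value) -> str:
    """Raw link-layer payload match, e.g. '@ll,48,48 00:15:e9:f0:10:f8'."""
    offset, length = field
    return f"@ll,{offset},{length} {value}"


def ethertype_match(proto: str) -> str:
    """Match on the EtherType field; 'ether type 0x0800' selects IPv4."""
    return f"ether type 0x{ETHERTYPE[proto]:04x}"


def antispoof_rules(tap: str, allowed_macs, table="filter", chain="forward",
                    log_prefix="pve-macspoof") -> list:
    """Return nft commands: accept frames from `tap` whose source MAC is in
    `allowed_macs`, then log and drop everything else arriving on `tap`.

    Frames from other interfaces are untouched, so this composes with the
    existing iptables ruleset running alongside."""
    if not allowed_macs:
        raise ValueError("at least one allowed MAC is required")
    rules = [
        f"add table bridge {table}",
        f"add chain bridge {table} {chain} "
        "{ type filter hook forward priority 0; }",
    ]
    for mac in allowed_macs:
        rules.append(
            f"add rule bridge {table} {chain} iifname {tap} "
            f"{ll_match(LL_SRC_MAC, normalize_mac(mac))} counter accept"
        )
    # Catch-all: anything else the VM emits on this tap is a spoofed source MAC.
    rules.append(
        f"add rule bridge {table} {chain} iifname {tap} "
        f"counter log prefix \"{log_prefix}\" drop"
    )
    return rules


if __name__ == "__main__":
    # Constructed input: the tap and MAC from Alexandre's test rules.
    print("\n".join(antispoof_rules("tap123i0", ["00:15:e9:f0:10:f8"])))
```

Feed the output to `nft -f` rather than pasting it into an interactive shell; on a shell command line the `;` inside the chain definition has to be escaped as `\;`. The bridge `forward` hook only sees frames bridged between ports, so traffic from a VM to the host itself would need the same check in an `input` chain. Newer nft also understands `ether saddr` and `ether daddr`, which read better than the raw `@ll` offsets but are not what the 2014 tool in the thread was exercising.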