[pve-devel] pve-firewall : ebtables

Alexandre DERUMIER aderumier at odiso.com
Tue Jul 15 11:37:36 CEST 2014


>>1.) Is there any reason you generally allowed IPv4 and IPv6? Personally 
>>i would like to allow IPv4 but block IPv6. 

Do you want to do it by vm  or globally ?
In my ebtables patch, I just accept for ipv4 and ipv6 at the begin, to manage mac filtering at iptables level.
(for performance, because with conntrack established, we don't need to check each packet)





>>2.) Generally i would like to see the macfilter enabled for iptables and 
>>ebtables even if the network card has firewall=0 but the vm has 
>>firewall=1. Does this makes sense? 

It's possible, but we also want do bypass iptables/ebtables for non firewall vms.
Because they are performance impact to parse each chain sequentially in iptables,
(nftables improve that).

so, if you have for example 100 mac filter taps, a non firewall tap will crawl the 100 rules, before accept.


Note that I think we could do it for arp,and other layer2 protocol. This are not too much traffic.





----- Mail original ----- 

De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
À: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com 
Envoyé: Mardi 15 Juillet 2014 10:48:34 
Objet: Re: [pve-devel] pve-firewall : ebtables 


Am 15.07.2014 06:39, schrieb Alexandre Derumier: 
> Hi, 
> here the ebtables patches, details are in commits. 
> 
> Please comment, feel free to change and adapt them. 

Some questions: 
1.) Is there any reason you generally allowed IPv4 and IPv6? Personally 
i would like to allow IPv4 but block IPv6. 

2.) Generally i would like to see the macfilter enabled for iptables and 
ebtables even if the network card has firewall=0 but the vm has 
firewall=1. Does this makes sense? 

Stefan 


More information about the pve-devel mailing list