[pve-devel] pve-firewall : ebtables
Alexandre DERUMIER
aderumier at odiso.com
Tue Jul 15 11:37:36 CEST 2014
>>1.) Is there any reason you generally allowed IPv4 and IPv6? Personally
>>i would like to allow IPv4 but block IPv6.
Do you want to do it by VM or globally?
In my ebtables patch, I just accept IPv4 and IPv6 at the beginning, to manage MAC filtering at the iptables level.
(for performance, because with conntrack established, we don't need to check each packet)
>>2.) Generally i would like to see the macfilter enabled for iptables and
>>ebtables even if the network card has firewall=0 but the vm has
>>firewall=1. Does this makes sense?
It's possible, but we also want to bypass iptables/ebtables for non-firewall VMs.
Because there is a performance impact in parsing each chain sequentially in iptables
(nftables improves that).
So, if you have for example 100 MAC-filter taps, a non-firewall tap will crawl the 100 rules before being accepted.
Note that I think we could do it for ARP and other layer 2 protocols. These are not too much traffic.
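The rule layout described in this reply, as an added sketch that is not the pve-firewall patch itself: ebtables accepts IPv4/IPv6 up front and only handles layer 2 frames per tap, iptables accepts established flows before any MAC check, and only taps with firewall=1 get a jump into their own chain. Chain names, tap names and MAC addresses are assumptions; with DRY_RUN=1 (the default) the commands are printed instead of executed.

```shell
#!/bin/sh
# Hypothetical rule generator (not the pve-firewall code). Chain names,
# tap names and MACs below are assumptions. DRY_RUN=1 prints the commands.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Global rules, installed once. In ebtables, IPv4/IPv6 are accepted at the
# top so L3 packets are inspected only by iptables, where conntrack can
# short-circuit the per-packet MAC check for established flows.
base_rules() {
  run ebtables -N PVEFW-FORWARD
  run ebtables -A FORWARD -j PVEFW-FORWARD
  run ebtables -A PVEFW-FORWARD -p IPv4 -j ACCEPT
  run ebtables -A PVEFW-FORWARD -p IPv6 -j ACCEPT
  run iptables -N PVEFW-FORWARD
  run iptables -A FORWARD -j PVEFW-FORWARD
  # established/related flows skip every per-tap chain
  run iptables -A PVEFW-FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Per-tap rules: tap_rules <tap> <mac> <firewall 0|1>. A tap with
# firewall=0 gets no rules at all, so its traffic never crawls the other
# taps' chains (only the early ACCEPTs and the conntrack rule are evaluated).
tap_rules() {
  tap=$1; mac=$2; firewall=$3
  [ "$firewall" = 1 ] || return 0
  chain="${tap}-IN"
  # ebtables only sees what was not accepted above: ARP and other L2 frames
  run ebtables -N "$chain"
  run ebtables -A PVEFW-FORWARD -i "$tap" -j "$chain"
  run ebtables -A "$chain" -s ! "$mac" -j DROP
  run ebtables -A "$chain" -j ACCEPT
  # iptables: MAC filter for IPv4/IPv6, reached only for new connections
  run iptables -N "$chain"
  run iptables -A PVEFW-FORWARD -m physdev --physdev-in "$tap" -j "$chain"
  run iptables -A "$chain" -m mac ! --mac-source "$mac" -j DROP
  run iptables -A "$chain" -j ACCEPT
}

# Constructed sample: one firewalled tap, one non-firewalled tap
if [ "${1:-}" = demo ]; then
  base_rules
  tap_rules tap100i0 52:54:00:12:34:56 1
  tap_rules tap101i0 52:54:00:ab:cd:ef 0
fi
```

Requires br_netfilter for bridged frames to reach the iptables FORWARD chain, as the thread's setup assumes.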
----- Original Message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Tuesday, 15 July 2014 10:48:34
Subject: Re: [pve-devel] pve-firewall : ebtables
On 15.07.2014 06:39, Alexandre Derumier wrote:
> Hi,
> here the ebtables patches, details are in commits.
>
> Please comment, feel free to change and adapt them.
Some questions:
1.) Is there any reason you generally allowed IPv4 and IPv6? Personally
I would like to allow IPv4 but block IPv6.
2.) Generally I would like to see the MAC filter enabled for iptables and
ebtables even if the network card has firewall=0 but the VM has
firewall=1. Does this make sense?
Stefan