[pve-devel] pve-firewall : add ipfilter protection

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Wed Jun 11 15:53:42 CEST 2014


Am 11.06.2014 15:49, schrieb Alexandre DERUMIER:
>>> Can you please give me an example how to limit a user to a specific ip
>>> with your commit?
> 
> Do have read the code, but it should be
> 
> in /etc/pve/firewall/vmid.fw
> 
> 
> [IPSET ipfilter]
> 192.168.0.1
> 10.0.0.0/8
> ....

Thanks - will try that but how to bind this to mac addressesv or network
interfaces? I mean a user can have multiple network interfaces.

Maybe he is allowed to use IPA on net0 and IPB on net1 but not IPB on net0.

Greets,
Stefan


> ----- Mail original ----- 
> 
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> À: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com 
> Envoyé: Mercredi 11 Juin 2014 15:30:18 
> Objet: Re: [pve-devel] pve-firewall : add ipfilter protection 
> 
> 
> Am 11.06.2014 10:07, schrieb Dietmar Maurer: 
>>>>> Would it make sense to also allow ip/mask notation so pve knows more about 
>>> the network? May be display user ip settings? 
>>>
>>> Don't have tested, but I think it should work. I'll test that today. 
>>
>> I just applied a simplified version of your patch. 
>>
>> I simply apply the filter if the VM firewall configuration defines a ipset named 'ipfilter'. 
>>
>> This works with venet and tap devices, and does not require any change in qemu-server config. 
>>
>> Does that work for you? 
> 
> Can you please give me an example how to limit a user to a specific ip 
> with your commit? 
> 
> Which lines do i have to insert into which files? 
> 
> Thanks! 
> 
> Greets, 
> Stefan 
> 



More information about the pve-devel mailing list