[pve-devel] pve-firewall : add ipfilter protection
Alexandre DERUMIER
aderumier at odiso.com
Wed Jun 11 16:03:18 CEST 2014
>>Thanks - will try that but how to bind this to mac addresses or network
>>interfaces? I mean a user can have multiple network interfaces.
mac filter is done from vm config file (net0 : ...).
but indeed, maybe it could be great to have an ipset by interface
[IPSET ipfilter-net0] for example
----- Original Message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday, 11 June 2014 15:53:42
Subject: Re: [pve-devel] pve-firewall : add ipfilter protection
On 11.06.2014 15:49, Alexandre DERUMIER wrote:
>>> Can you please give me an example how to limit a user to a specific ip
>>> with your commit?
>
> Do have read the code, but it should be
>
> in /etc/pve/firewall/vmid.fw
>
>
> [IPSET ipfilter]
> 192.168.0.1
> 10.0.0.0/8
> ....
Thanks - will try that but how to bind this to mac addresses or network
interfaces? I mean a user can have multiple network interfaces.
Maybe he is allowed to use IPA on net0 and IPB on net1 but not IPB on net0.
Greets,
Stefan
> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Wednesday, 11 June 2014 15:30:18
> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection
>
>
> On 11.06.2014 10:07, Dietmar Maurer wrote:
>>>>> Would it make sense to also allow ip/mask notation so pve knows more about
>>> the network? Maybe display user ip settings?
>>>
>>> I haven't tested it, but I think it should work. I'll test that today.
>>
>> I just applied a simplified version of your patch.
>>
>> I simply apply the filter if the VM firewall configuration defines an ipset named 'ipfilter'.
>>
>> This works with venet and tap devices, and does not require any change in qemu-server config.
>>
>> Does that work for you?
>
> Can you please give me an example how to limit a user to a specific ip
> with your commit?
>
> Which lines do I have to insert into which files?
>
> Thanks!
>
> Greets,
> Stefan
>
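
Added example (not part of the original thread and not pve-firewall code): a Python model of the source-address check discussed above, parsing the [IPSET ...] sections of a vmid.fw file and answering the per-interface case Stefan raises. The ipfilter-net0 set name follows the proposal in the thread; its precedence over the VM-wide ipfilter set, the function names and the sample file are assumptions.

```python
import ipaddress
import re

# Constructed sample in the layout the thread shows for /etc/pve/firewall/<vmid>.fw.
# "ipfilter-net0" is the per-interface set proposed in the thread (assumed here).
SAMPLE_FW = """\
[IPSET ipfilter]
192.168.0.1
10.0.0.0/8

[IPSET ipfilter-net0]
192.168.0.1
"""

SECTION = re.compile(r"^\[IPSET\s+([\w-]+)\]$", re.IGNORECASE)

def parse_ipsets(text):
    """Return {set name: [ip_network, ...]} for every [IPSET name] section."""
    sets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = sets.setdefault(m.group(1).lower(), [])
        elif line.startswith("["):
            current = None          # some other section: not an ipset
        elif current is not None:
            # A bare address becomes a /32 (or /128) network.
            current.append(ipaddress.ip_network(line, strict=False))
    return sets

def source_allowed(sets, iface, src_ip):
    """Model of the filter: may src_ip be used as a source address on iface?"""
    # Assumption: a per-interface set overrides the VM-wide 'ipfilter' set.
    allowed = sets.get(f"ipfilter-{iface}", sets.get("ipfilter"))
    if allowed is None:
        return True                 # no ipfilter set defined: filter not applied
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)  # an empty set allows nothing

if __name__ == "__main__":
    sets = parse_ipsets(SAMPLE_FW)
    for iface, ip in [("net0", "192.168.0.1"), ("net0", "10.2.3.4"), ("net1", "10.2.3.4")]:
        print(iface, ip, "allowed" if source_allowed(sets, iface, ip) else "spoofed/denied")
```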