[pve-devel] PVE Firewall
Alexandre DERUMIER
aderumier at odiso.com
Mon Jun 16 09:28:53 CEST 2014
>> Still need to figure out why the firewall does not work for me at all.
Do you have some special network setup?
Can you post your vmid.conf and the full "#brctl show" output?
Also, check that
/var/lib/qemu-server/pve-bridge
is correctly updated
(you should have
PVE::Network::tap_plug($iface, $net->{bridge}, $net->{tag}, $net->{firewall}) at the end).
Also, QemuServer.pm should have:
    # netX: e1000=XX:XX:XX:XX:XX:XX,bridge=vmbr0,rate=<mbps>
    sub parse_net {
        my ($data) = @_;
        my $res = {};

        foreach my $kvp (split(/,/, $data)) {
            # model[=MAC]; a missing MAC gets a random one
            if ($kvp =~ m/^(ne2k_pci|e1000|rtl8139|pcnet|virtio|ne2k_isa|i82551|i82557b|i82559er|vmxnet3)(=([0-9a-f]{2}(:[0-9a-f]{2}){5}))?$/i) {
                my $model = lc($1);
                my $mac = defined($3) ? uc($3) : PVE::Tools::random_ether_addr();
                $res->{model} = $model;
                $res->{macaddr} = $mac;
            } elsif ($kvp =~ m/^bridge=(\S+)$/) {
                $res->{bridge} = $1;
            } elsif ($kvp =~ m/^queues=(\d+)$/) {
                $res->{queues} = $1;
            } elsif ($kvp =~ m/^rate=(\d+(\.\d+)?)$/) {
                $res->{rate} = $1;
            } elsif ($kvp =~ m/^tag=(\d+)$/) {
                $res->{tag} = $1;
            } elsif ($kvp =~ m/^firewall=(\d+)$/) {
                $res->{firewall} = $1;   # per-interface firewall flag, passed on to tap_plug
            } else {
                return undef;            # unknown option: reject the whole netX value
            }
        }

        return undef if !$res->{model};
        return $res;
    }
and Network.pm:
    sub tap_plug {
        my ($iface, $bridge, $tag, $firewall) = @_;

        #cleanup old port config from any openvswitch bridge
        eval {run_command("/usr/bin/ovs-vsctl del-port $iface", outfunc => sub {}, errfunc => sub {}) };

        if (-d "/sys/class/net/$bridge/bridge") {
            # Linux bridge
            &$cleanup_firewall_bridge($iface); # remove stale devices
            my $newbridge = activate_bridge_vlan($bridge, $tag);
            copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;
            # with firewall=1 the tap goes through an intermediate firewall bridge
            $newbridge = &$create_firewall_bridge_linux($iface, $newbridge) if $firewall;
            &$bridge_add_interface($newbridge, $iface);
        } else {
            # Open vSwitch bridge
            &$cleanup_firewall_bridge($iface); # remove stale devices
            if ($firewall) {
                &$create_firewall_bridge_ovs($iface, $bridge, $tag);
            } else {
                &$ovs_bridge_add_port($bridge, $iface, $tag);
            }
        }
    }
----- Original message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
Sent: Monday, 16 June 2014 09:21:34
Subject: Re: [pve-devel] PVE Firewall
On 13.06.2014 20:33, Dietmar Maurer wrote:
>> I would like to have different levels of firewall. Something the USER / VM Owner
>> can control and something the PVE Manager / Sysadmin can control.
>>
>> So I can give the user the ability to use the new cool firewall code but I can still
>> be sure that he doesn't use a DHCP server, didn't disable the MAC filter and
>> doesn't fake IP addresses.
>>
>> Is this something we can achieve?
>>
>> Maybe some kind of "global" rules inside the cluster.fw? Which the user can't
>> touch?
>
> Maybe we can use the current permission system, and require special privileges
> to enable/disable those feature (firewall, macfilter).
That sounds great!
> We can also add an option to set default security groups:
>
> ---1000.fw---
> [options]
> groups: group1,group2,group3
> ...
> -------------
>
> Those groups are added before any other rule, and need special privileges to set/modify.
>
> ?
That sounds great too ;-)
Still need to figure out why the firewall does not work for me at all.
Greets,
Stefan
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
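The netX syntax quoted above (model[=MAC] plus bridge/queues/rate/tag/firewall key=value pairs, any unknown element rejecting the whole line) is what decides whether tap_plug is ever called with $firewall set. The following is an added example, not code from the Proxmox project or from anyone in this thread: a Python reimplementation of that parse, plus a hypothetical firewall_status() helper that walks a VM config and reports, per netX line, whether firewall=1 is present, which is the first thing to check when a guest's traffic is not being filtered. random_ether_addr() is a stand-in for PVE::Tools::random_ether_addr, numeric values are converted to int/float (the Perl keeps strings), and SAMPLE_CONF is a constructed config fragment, not a real vmid.conf.

```python
import re
import secrets

# NIC models accepted by the netX option syntax quoted in the mail.
NIC_MODELS = ("ne2k_pci", "e1000", "rtl8139", "pcnet", "virtio",
              "ne2k_isa", "i82551", "i82557b", "i82559er", "vmxnet3")

# model[=MAC] is the only positional element; everything else is key=value.
_MODEL_RE = re.compile(
    r"^(" + "|".join(NIC_MODELS) + r")(=([0-9a-f]{2}(:[0-9a-f]{2}){5}))?$",
    re.IGNORECASE)

# Accepted key=value options: value pattern from the Perl code, plus a
# converter (the Perl keeps strings; int/float is this example's choice).
_OPTIONS = {
    "bridge":   (r"\S+",           str),
    "queues":   (r"\d+",           int),
    "rate":     (r"\d+(?:\.\d+)?", float),
    "tag":      (r"\d+",           int),
    "firewall": (r"\d+",           int),
}


def random_ether_addr():
    """Locally administered unicast MAC; stand-in for PVE::Tools::random_ether_addr."""
    octets = [secrets.randbits(8) for _ in range(6)]
    octets[0] = (octets[0] | 0x02) & 0xFE   # set the local bit, clear the multicast bit
    return ":".join(f"{o:02X}" for o in octets)


def parse_net(data):
    """Parse a netX value; return None if any element is malformed or no model is given."""
    res = {}
    for kvp in data.split(","):
        m = _MODEL_RE.match(kvp)
        if m:
            res["model"] = m.group(1).lower()
            res["macaddr"] = m.group(3).upper() if m.group(3) else random_ether_addr()
            continue
        key, sep, value = kvp.partition("=")
        if not sep or key not in _OPTIONS:
            return None                     # unknown element: reject the whole value
        pattern, conv = _OPTIONS[key]
        if not re.fullmatch(pattern, value):
            return None
        res[key] = conv(value)
    if "model" not in res:
        return None
    return res


def firewall_status(vm_conf):
    """Map each netX line of a VM config to True/False (firewall=1 set or not).

    Hypothetical helper: lines that fail parse_net are reported as None so that a
    typo is visible instead of silently looking like an unfirewalled interface.
    """
    status = {}
    for line in vm_conf.splitlines():
        m = re.match(r"^(net\d+):\s*(.+?)\s*$", line)
        if not m:
            continue
        net = parse_net(m.group(2))
        status[m.group(1)] = None if net is None else net.get("firewall", 0) == 1
    return status


# Constructed sample vmid.conf fragment (not taken from a real system).
SAMPLE_CONF = """\
bootdisk: virtio0
net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,tag=100,firewall=1
net1: e1000=DE:AD:BE:EF:00:02,bridge=vmbr1
net2: virtio=DE:AD:BE:EF:00:03,bridge=vmbr0,firewal=1
"""

if __name__ == "__main__":
    labels = {True: "firewalled", False: "NOT firewalled", None: "unparseable line"}
    for iface, fw in firewall_status(SAMPLE_CONF).items():
        print(iface, labels[fw])
```

On the sample, net0 is firewalled, net1 is not (no firewall option at all), and net2 is reported as unparseable because of the misspelled key, which is exactly the case where the Perl parse_net returns undef and the interface would not be plugged with the firewall flag.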