[pve-devel] PVE Firewall
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Mon Jun 16 09:31:55 CEST 2014
On 16.06.2014 09:28, Alexandre DERUMIER wrote:
>>> Still need to figure out why the firewall does not work for me at all.
>
> Do you have some special network setup?
Sorry, I thought enabling the firewall on the cluster and on the VM was enough. I did
not know that there is a 3rd option on each NIC ;-(
Stefan
> can you post your vmid.conf, full "#brctl show"?
>
>
> also, check that
> /var/lib/qemu-server/pve-bridge
>
> is correctly updated
>
> (you should have
> PVE::Network::tap_plug($iface, $net->{bridge}, $net->{tag}, $net->{firewall} at the end)
>
>
> also QemuServer.pm should have
>
> # netX: e1000=XX:XX:XX:XX:XX:XX,bridge=vmbr0,rate=<mbps>
> sub parse_net {
>     my ($data) = @_;
>
>     my $res = {};
>
>     foreach my $kvp (split(/,/, $data)) {
>
>         if ($kvp =~ m/^(ne2k_pci|e1000|rtl8139|pcnet|virtio|ne2k_isa|i82551|i82557b|i82559er|vmxnet3)(=([0-9a-f]{2}(:[0-9a-f]{2}){5}))?$/i) {
>             my $model = lc($1);
>             my $mac = defined($3) ? uc($3) : PVE::Tools::random_ether_addr();
>             $res->{model} = $model;
>             $res->{macaddr} = $mac;
>         } elsif ($kvp =~ m/^bridge=(\S+)$/) {
>             $res->{bridge} = $1;
>         } elsif ($kvp =~ m/^queues=(\d+)$/) {
>             $res->{queues} = $1;
>         } elsif ($kvp =~ m/^rate=(\d+(\.\d+)?)$/) {
>             $res->{rate} = $1;
>         } elsif ($kvp =~ m/^tag=(\d+)$/) {
>             $res->{tag} = $1;
>         } elsif ($kvp =~ m/^firewall=(\d+)$/) {
>             $res->{firewall} = $1;
>         } else {
>             return undef;
>         }
>
>     }
>
>     return undef if !$res->{model};
>
>     return $res;
> }
>
>
> and Network.pm
>
> sub tap_plug {
>     my ($iface, $bridge, $tag, $firewall) = @_;
>
>     # cleanup old port config from any openvswitch bridge
>     eval { run_command("/usr/bin/ovs-vsctl del-port $iface", outfunc => sub {}, errfunc => sub {}) };
>
>     if (-d "/sys/class/net/$bridge/bridge") {
>         &$cleanup_firewall_bridge($iface); # remove stale devices
>
>         my $newbridge = activate_bridge_vlan($bridge, $tag);
>         copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;
>
>         $newbridge = &$create_firewall_bridge_linux($iface, $newbridge) if $firewall;
>
>         &$bridge_add_interface($newbridge, $iface);
>     } else {
>         &$cleanup_firewall_bridge($iface); # remove stale devices
>
>         if ($firewall) {
>             &$create_firewall_bridge_ovs($iface, $bridge, $tag);
>         } else {
>             &$ovs_bridge_add_port($bridge, $iface, $tag);
>         }
>     }
> }
>
>
>
>
>
> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
> Sent: Monday 16 June 2014 09:21:34
> Subject: Re: [pve-devel] PVE Firewall
>
> On 13.06.2014 20:33, Dietmar Maurer wrote:
>>> I would like to have different levels of firewall. Something the USER / VM Owner
>>> can control and something the PVE Manager / Sysadmin can control.
>>>
>>> So I can give the user the ability to use the new cool firewall code but I can still
>>> be sure that he doesn't use a DHCP Server, didn't disable the MAC filter and
>>> doesn't fake IP addresses.
>>>
>>> Is this something we can achieve?
>>>
>>> Maybe some kind of "global" rules inside the cluster.fw? Which the user can't
>>> touch?
>>
>> Maybe we can use the current permission system, and require special privileges
>> to enable/disable those features (firewall, macfilter).
>
> That sounds great!
>
>> We can also add an option to set default security groups:
>>
>> ---1000.fw---
>> [options]
>> groups: group1,group2,group3
>> ...
>> -------------
>>
>> Those groups are added before any other rule, and need special privileges to set/modify.
>>
>> ?
>
> That sounds great too ;-)
>
> Still need to figure out why the firewall does not work for me at all.
>
> Greets,
> Stefan
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
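The thread's root cause was a NIC-level `firewall=` flag that was never set, which tap_plug silently honours by plugging the tap straight into the bridge. As an added example (not code from the thread or from Proxmox), here is a small Python audit that parses `netX:` lines with the same key/value grammar as the quoted parse_net and reports every NIC that would come up unfiltered; the vmid.conf content is constructed for illustration.

```python
import re

# Constructed sample vmid.conf (hypothetical VM), not taken from the thread.
SAMPLE_CONF = """\
name: testvm
net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1
net1: e1000=DE:AD:BE:EF:00:02,bridge=vmbr0,tag=100
net2: virtio,bridge=vmbr1,rate=10,firewall=0
net3: rtl8139=DE:AD:BE:EF:00:04,bridge=vmbr0,bogus=1
"""

NET_MODELS = ("ne2k_pci", "e1000", "rtl8139", "pcnet", "virtio",
              "ne2k_isa", "i82551", "i82557b", "i82559er", "vmxnet3")
# Same shape as the model/MAC alternative in the quoted parse_net regex.
MODEL_RE = re.compile(r"^(" + "|".join(NET_MODELS) +
                      r")(=([0-9a-f]{2}(:[0-9a-f]{2}){5}))?$", re.I)
# Remaining keys parse_net accepts, with the value pattern it requires.
KEY_RE = {"bridge": r"\S+", "queues": r"\d+", "rate": r"\d+(\.\d+)?",
          "tag": r"\d+", "firewall": r"\d+"}

def parse_net(data):
    """Mirror parse_net: dict of options, or None on any unknown key / missing model."""
    res = {}
    for kvp in data.split(","):
        m = MODEL_RE.match(kvp)
        if m:
            res["model"] = m.group(1).lower()
            # Perl generates a random MAC when none is given; we just record None.
            res["macaddr"] = m.group(3).upper() if m.group(3) else None
            continue
        key, sep, val = kvp.partition("=")
        if sep and key in KEY_RE and re.fullmatch(KEY_RE[key], val):
            res[key] = val
        else:
            return None
    return res if "model" in res else None

def audit_nics(conf_text):
    """Map each netX to 'firewall', 'unfiltered' or 'invalid' (parse_net rejected it)."""
    report = {}
    for line in conf_text.splitlines():
        m = re.match(r"^(net\d+):\s*(.+?)\s*$", line)
        if not m:
            continue
        net = parse_net(m.group(2))
        if net is None:
            report[m.group(1)] = "invalid"
        else:
            # tap_plug tests the flag for Perl truthiness, so only a non-zero value counts.
            report[m.group(1)] = "firewall" if int(net.get("firewall", "0")) else "unfiltered"
    return report

if __name__ == "__main__":
    for nic, status in audit_nics(SAMPLE_CONF).items():
        print(f"{nic}: {status}")
```

Run against a real vmid.conf, every "unfiltered" line is a NIC whose traffic bypasses the VM firewall even when the cluster and VM level options are enabled.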