[pve-devel] pvefw: using ctmark to associate connections to VMs

Alexandre DERUMIER aderumier at odiso.com
Sun Mar 2 09:00:38 CET 2014


http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5d0aa2ccd4699a01cfdf14886191c249d7b45a01

netfilter: nf_conntrack: add support for "conntrack zones"
Normally, each connection needs a unique identity. Conntrack zones allow
one to specify a numerical zone using the CT target; connections in different
zones can use the same identity.

Example:

iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1
iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1



----- Original message ----- 

From: "Alexandre DERUMIER" <aderumier at odiso.com> 
To: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Sunday 2 March 2014 08:45:23 
Subject: Re: [pve-devel] pvefw: using ctmark to associate connections to VMs 

>>That is why I want to set ctmark with iptables (that is listed in /proc/net/nf_conntrack). 

There is also the "zone" field in /proc/net/nf_conntrack 

according to 
https://lwn.net/Articles/370152/ 
" 
A zone is simply a numerical identifier associated with a network 
device that is incorporated into the various hashes and used to 
distinguish entries in addition to the connection tuples. Additionally 
it is used to separate conntrack defragmentation queues. An iptables 
target for the raw table could be used alternatively to the network 
device for assigning conntrack entries to zones. 
" 


----- Original message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Saturday 1 March 2014 14:17:45 
Subject: RE: pvefw: using ctmark to associate connections to VMs 


> >>So that we can parse /proc/net/nf_conntrack to list open connections for 
> a VM. 
> 
> I'm not sure, but I think you don't have interfaces listed in nf_conntrack, 
> only ip src,ip dst. 

That is why I want to set ctmark with iptables (that is listed in /proc/net/nf_conntrack). 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
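The thread's goal is to pick a VM's connections out of /proc/net/nf_conntrack, which lists tuples but not interfaces, by tagging them with a conntrack zone or a ctmark first. The script below is an added example, not code from this thread or from pve-firewall: it reads nf_conntrack-format text and prints the original-direction tuple of every entry whose zone= or mark= field equals a VMID. It assumes one zone/mark per VM numbered by VMID (the thread fixes no scheme) and the field layout shown in the constructed sample, which was not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or pve-firewall): list the conntrack
# entries belonging to one VM after its traffic has been tagged with a
# conntrack zone or a ctmark. Reads /proc/net/nf_conntrack-format text on
# stdin so it can be run against the constructed sample below.

# ASSUMED scheme: zone and mark both equal the VMID. A conntrack zone is a
# 16-bit id, so a VMID above 65535 cannot be used as a zone (ctmark is 32 bits).
PVEFW_MAX_ZONE=65535

# Constructed sample, not captured from a real host. Line 4 repeats line 1's
# tuple in another zone: with zones, two VMs using duplicate addresses get
# separate entries; with ctmark alone they would share one entry.
PVEFW_SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=45678 dport=443 src=203.0.113.10 dst=10.0.0.5 sport=443 dport=45678 [ASSURED] mark=100 zone=100 use=2
ipv4     2 udp      17 29 src=10.0.0.6 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=10.0.0.6 sport=53 dport=5353 mark=101 zone=101 use=1
ipv4     2 tcp      6 120 SYN_SENT src=10.0.0.5 dst=203.0.113.10 sport=45679 dport=443 [UNREPLIED] src=203.0.113.10 dst=10.0.0.5 sport=443 dport=45679 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=45678 dport=443 src=203.0.113.10 dst=10.0.0.5 sport=443 dport=45678 [ASSURED] mark=102 zone=102 use=2'

# pvefw_list_conns VMID
# Prints "proto src:sport -> dst:dport" (original direction) for every entry
# whose zone= or mark= equals VMID. Untagged entries carry mark=0 and no zone
# field, so VMID 0 is rejected instead of matching all untagged traffic.
pvefw_list_conns() {
    vmid=$1
    case $vmid in
        ''|*[!0-9]*|0) echo "usage: pvefw_list_conns VMID (positive integer)" >&2; return 1 ;;
    esac
    if [ "$vmid" -gt "$PVEFW_MAX_ZONE" ]; then
        echo "warning: $vmid exceeds the 16-bit zone range, only mark= can match" >&2
    fi
    awk -v id="$vmid" '
    {
        tagged = 0; src = ""; dst = ""; sport = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i == ("zone=" id) || $i == ("mark=" id)) tagged = 1
            else if (src == "" && index($i, "src=") == 1) src = substr($i, 5)
            else if (dst == "" && index($i, "dst=") == 1) dst = substr($i, 5)
            else if (sport == "" && index($i, "sport=") == 1) sport = substr($i, 7)
            else if (dport == "" && index($i, "dport=") == 1) dport = substr($i, 7)
        }
        if (!tagged) next
        # $3 is the layer-4 protocol name; ICMP entries carry no ports
        if (sport != "") printf "%s %s:%s -> %s:%s\n", $3, src, sport, dst, dport
        else printf "%s %s -> %s\n", $3, src, dst
    }'
}

# pvefw_count_conns VMID: number of entries tagged for that VM
pvefw_count_conns() {
    pvefw_list_conns "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the sample; on a host, feed /proc/net/nf_conntrack instead.
printf '%s\n' "$PVEFW_SAMPLE_CONNTRACK" | pvefw_list_conns 100
```

Two caveats when wiring this up for real. A zone is part of the lookup key, so it has to be assigned in the raw table on both directions of a flow before the conntrack lookup, as the kernel example does with PREROUTING and OUTPUT; a reply packet that reaches conntrack untagged is looked up in zone 0 and creates a second, untagged entry. A ctmark set with CONNMARK is stored on an existing entry and therefore only needs to be set once, but it cannot keep two VMs with identical tuples apart, which is exactly the case the zone field handles.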
