[pve-devel] pvefw: using ctmark to associate connections to VMs
Alexandre DERUMIER
aderumier at odiso.com
Mon Mar 3 05:08:44 CET 2014
Another idea:
It's possible with ipset to dynamically add a src IP from an iptables match to an ipset ipmap:
"iptables -m mac --mac-source $macaddr -j SET --add-set tapxxxipmap src"
So maybe it is possible to create one ipset ipmap per tap device, and in the tap-out chain add the src(s) to the tap ipset.
Like this, we can have the list of all IPs of all tap interfaces.
So it's easy to parse the conntrack list and find the IPs in the ipsets.
I have never tested this, but I think it should work.
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Sunday 2 March 2014 18:09:51
Subject: Re: [pve-devel] pvefw: using ctmark to associate connections to VMs
>>But I just noticed that we need 2 different marks, because we can have traffic
>>from VM1 to VM2. So we need 2 marks/zones?
Yes, in one conntrack line you have in/out. Not sure how to implement that, as there is only one mark or one zone field.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Sunday 2 March 2014 09:07:19
Subject: RE: [pve-devel] pvefw: using ctmark to associate connections to VMs
Thanks for that link.
But I just noticed that we need 2 different marks, because we can have traffic
from VM1 to VM2. So we need 2 marks/zones?
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5d0aa2ccd4699a01cfdf14886191c249d7b45a01
>
> netfilter: nf_conntrack: add support for "conntrack zones"
> Normally, each connection needs a unique identity. Conntrack zones allow
> to specify a numerical zone using the CT target, connections in different
> zones can use the same identity.
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
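The "parse the conntrack list and find the IPs in the ipsets" step proposed above, as an added example that is not part of the thread or of the pve-firewall code. It assumes one ipmap set per tap device named `<tap>ipmap` (the naming used in the quoted iptables rule), and it works on constructed text in the shape of `ipset list` and `conntrack -L` output, so it runs offline without root or netfilter. Because the lookup is done per tap rather than through the single `mark`/`zone` field of a conntrack entry, a VM1-to-VM2 connection is reported under both taps, one as outbound and one as inbound, which is the two-marks problem raised in the thread. The VM's own address is matched against the original-direction source (outbound) and the reply-direction source (inbound), so a DNAT'd inbound connection still resolves to the VM rather than to the public address.

```python
"""Associate conntrack entries with tap devices via per-tap ipsets (added example)."""
import re
from collections import defaultdict

# Constructed sample of `ipset list` output: one bitmap:ip ("ipmap") set per tap
# device, as the "-m mac --mac-source ... -j SET --add-set" rule would fill it.
IPSET_LIST_OUTPUT = """\
Name: tap100i0ipmap
Type: bitmap:ip
Header: range 10.0.0.0/24
Members:
10.0.0.5

Name: tap101i0ipmap
Type: bitmap:ip
Header: range 10.0.0.0/24
Members:
10.0.0.6
10.0.0.7
"""

# Constructed sample of `conntrack -L` output, one entry per line. The first
# src=/dst= pair is the original direction, the second is the reply direction.
# 203.0.113.9 is a documentation-range address standing in for an external host.
CONNTRACK_OUTPUT = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.6 sport=44512 dport=80 src=10.0.0.6 dst=10.0.0.5 sport=80 dport=44512 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=10.0.0.7 dst=203.0.113.9 sport=51234 dport=443 src=203.0.113.9 dst=10.0.0.7 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.50 dst=10.0.0.5 sport=53 dport=5353 src=10.0.0.5 dst=192.168.1.50 sport=5353 dport=53 mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53000 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53000 mark=0 use=1
"""


def parse_ipset_list(text):
    """Return {set_name: set(ip)} from `ipset list`-style output."""
    sets = {}
    current = None
    in_members = False
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):].strip()
            sets[current] = set()
            in_members = False
        elif line.startswith("Members:"):
            in_members = True
        elif in_members and line.strip() and current is not None:
            # First token is the member; ignore trailing options such as "timeout 30".
            sets[current].add(line.strip().split()[0])
        elif not line.strip():
            in_members = False  # blank line ends the member list of a set
    return sets


def parse_conntrack(text):
    """Return a list of dicts with proto, original src/dst and reply src per entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        srcs = re.findall(r"\bsrc=(\S+)", line)
        dsts = re.findall(r"\bdst=(\S+)", line)
        if len(srcs) < 2 or len(dsts) < 2:
            continue  # skip lines without both tuples (e.g. expectation lines)
        entries.append({
            "proto": line.split()[0],
            "orig_src": srcs[0],
            "orig_dst": dsts[0],
            "reply_src": srcs[1],
        })
    return entries


def tap_for_set(set_name):
    """Map the assumed '<tap>ipmap' set name back to the tap device name."""
    suffix = "ipmap"
    return set_name[:-len(suffix)] if set_name.endswith(suffix) else set_name


def associate(ipsets, entries):
    """Map tap device -> list of (direction, entry).

    'out' when a VM address is the original-direction source, 'in' when it is the
    reply-direction source (the VM's real address even behind DNAT). A VM-to-VM
    connection therefore shows up under both taps, which one mark cannot express.
    """
    result = defaultdict(list)
    for entry in entries:
        for set_name, members in ipsets.items():
            tap = tap_for_set(set_name)
            if entry["orig_src"] in members:
                result[tap].append(("out", entry))
            if entry["reply_src"] in members:
                result[tap].append(("in", entry))
    return dict(result)


if __name__ == "__main__":
    table = associate(parse_ipset_list(IPSET_LIST_OUTPUT), parse_conntrack(CONNTRACK_OUTPUT))
    for tap, conns in sorted(table.items()):
        for direction, e in conns:
            print(f"{tap} {direction:3} {e['proto']} {e['orig_src']} -> {e['orig_dst']}")
```

On a live host the two constants would be replaced by the output of `ipset list` and `conntrack -L` (both need root); the parsers are deliberately lenient about extra fields so that the `[ASSURED]`, `mark=` and `use=` columns do not matter.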