[pve-devel] pvefw: masquerade problems and conntrack zones

Dietmar Maurer dietmar at proxmox.com
Mon Mar 10 09:09:32 CET 2014


The following configuration to MASQUERADE traffic is known to work:

------------
auto vmbr1
iface vmbr1 inet static
      address 10.10.10.1
      netmask 255.255.255.0
      bridge_ports none
      bridge_stp off
      bridge_fd 0
      post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
      post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
--------------

But this is a 'routed' configuration, so 'physdev' match does not work correctly.

So I tried to use the 'veth' workaround:

----------
auto vmbr1
iface vmbr1 inet manual
      bridge_ports none
      bridge_stp off
      bridge_fd 0

auto pm1
iface pm1 inet static
       address 10.10.10.1
       netmask 255.255.255.0
       VETH_BRIDGETO vmbr1
       post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
       post-down iptables -t nat -F POSTROUTING
----------

This works, but fails as soon as I enable nf filter on the bridge (starting pvefw).

I found out that I can make it work by using CT zones:

----------
auto vmbr1
iface vmbr1 inet manual
      bridge_ports none
      bridge_stp off
      bridge_fd 0

auto pm1
iface pm1 inet static
       address 10.10.10.1
       netmask 255.255.255.0
       VETH_BRIDGETO vmbr1
       post-up   iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1 # why do we need this?
       post-up   iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1 # why do we need this?
       post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
       post-down iptables -t nat -F POSTROUTING
       post-down iptables -t raw -F PREROUTING
----------

But I do not understand this. Why is that required? Is that the correct way to do it?
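The following is an added example, not code from this post or from Proxmox/pvefw. It is a deliberately small model (an assumption, not kernel code) of the two netfilter traversals a VM packet makes once bridge netfilter calls iptables: first on the bridge path, where in/out device is vmbr1, then on the routed path from pm1 out through pm0. Conntrack keys its entries by (zone, tuple) and fixes the NAT mapping when the entry is first created; on the bridge pass the MASQUERADE rule cannot match (out device is not pm0), so without zones the flow is confirmed with a null binding and the routed pass never gets a second NAT decision. The model also shows what the second raw rule (`-d 10.10.10.0/24`) does for reply traffic. Interface and network names are taken from the post; the addresses 203.0.113.10 (pm0) and 203.0.113.50 (remote host) and the port numbers are made up.

```python
"""Model of the two netfilter traversals behind the 'CT --zone 1' rules.

Added example; a simplified assumption about br_netfilter + conntrack + nat,
not kernel code and not part of pvefw.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple
import ipaddress

LAN = ipaddress.ip_network("10.10.10.0/24")
PM0_ADDR = "203.0.113.10"      # assumed uplink address on pm0 (MASQUERADE target)
REMOTE = "203.0.113.50"        # constructed remote host


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


@dataclass
class CtEntry:
    zone: int
    orig: Pkt
    snat_to: Optional[str] = None   # None = "null binding": no NAT for this flow

    @property
    def reply(self) -> Pkt:
        """Tuple of packets coming back, as seen on the wire before de-NAT."""
        return Pkt(self.orig.dst, self.snat_to or self.orig.src,
                   self.orig.dport, self.orig.sport)


class Conntrack:
    def __init__(self) -> None:
        self.entries: List[CtEntry] = []

    def find(self, zone: int, pkt: Pkt) -> Tuple[Optional[CtEntry], Optional[str]]:
        """Lookup is per zone: the same tuple in another zone is a different flow."""
        for e in self.entries:
            if e.zone != zone:
                continue
            if e.orig == pkt:
                return e, "orig"
            if e.reply == pkt:
                return e, "reply"
        return None, None


def raw_prerouting_zone(in_dev: str, pkt: Pkt, zone_rules: Set[str]) -> int:
    """The two 'iptables -t raw -A PREROUTING -i vmbr1 ... -j CT --zone 1' rules.

    zone_rules selects which are installed: 'src' (-s 10.10.10.0/24) and/or
    'dst' (-d 10.10.10.0/24). Anything not matched stays in the default zone 0.
    """
    if in_dev == "vmbr1":
        if "src" in zone_rules and in_lan(pkt.src):
            return 1
        if "dst" in zone_rules and in_lan(pkt.dst):
            return 1
    return 0


def hook(ct: Conntrack, pkt: Pkt, in_dev: str, out_dev: str,
         zone_rules: Set[str]) -> Tuple[Pkt, str]:
    """One pass through raw / conntrack / nat; returns (packet, ctstate)."""
    zone = raw_prerouting_zone(in_dev, pkt, zone_rules)
    entry, direction = ct.find(zone, pkt)
    if entry is None:
        entry, direction, state = CtEntry(zone, pkt), "orig", "NEW"
        ct.entries.append(entry)
    else:
        state = "ESTABLISHED"
    if direction == "reply" and entry.snat_to:
        pkt = replace(pkt, dst=entry.orig.src)       # undo SNAT on the way back
    # nat POSTROUTING -s 10.10.10.0/24 -o pm0 -j MASQUERADE. NAT is decided once,
    # for a NEW entry; a flow already confirmed with a null binding is not revisited.
    if state == "NEW" and out_dev == "pm0" and in_lan(pkt.src):
        entry.snat_to = PM0_ADDR
    if direction == "orig" and entry.snat_to:
        pkt = replace(pkt, src=entry.snat_to)
    return pkt, state


def simulate(zone_rules: Set[str]) -> dict:
    """VM -> remote and the reply, each direction crossing both hook paths."""
    ct = Conntrack()
    out = Pkt("10.10.10.5", REMOTE, 40000, 443)
    out, s1 = hook(ct, out, "vmbr1", "vmbr1", zone_rules)   # bridge path (br_netfilter)
    out, s2 = hook(ct, out, "pm1", "pm0", zone_rules)       # routed path, leaves on pm0
    back = Pkt(REMOTE, out.src, 443, 40000)                  # remote answers what it saw
    back, s3 = hook(ct, back, "pm0", "pm1", zone_rules)     # routed path, de-NAT here
    back, s4 = hook(ct, back, "vmbr1", "vmbr1", zone_rules)  # bridge path down to the VM
    return {"egress_src": out.src, "reply_dst": back.dst, "states": [s1, s2, s3, s4]}


if __name__ == "__main__":
    for rules in (set(), {"src"}, {"src", "dst"}):
        print(sorted(rules), simulate(rules))
```

Without zone rules the egress packet leaves pm0 with its 10.10.10.5 source intact because the routed pass finds the entry the bridge pass already confirmed. With only the `-s` rule the outbound direction is masqueraded, but the reply is looked up in zone 0 on its bridge pass and shows up as NEW there, which a stateful rule set would drop; the `-d 10.10.10.0/24` rule puts that reply into zone 1, where the entry created on the first bridge pass matches it.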
