[pve-devel] pvefw: masquerade problems and conntrack zones

Alexandre DERUMIER aderumier at odiso.com
Mon Mar 10 11:01:24 CET 2014


Hi,

I'm back from holiday !


>>But I do not understand this. Why is that required? Is that the correct way to do it? 

I'm not sure, but


post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1 # why do we need this? 
post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1 # why do we need this? 
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE   >> apply on default zone 0


so, that should mean that -j MASQUERADE doesn't apply on vmbr1 with zone 1





----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Monday 10 March 2014 09:09:32 
Subject: pvefw: masquerade problems and conntrack zones 

The following configuration to MASQUERADE traffic is known to work: 

------------ 
auto vmbr1 
iface vmbr1 inet static 
address 10.10.10.1 
netmask 255.255.255.0 
bridge_ports none 
bridge_stp off 
bridge_fd 0 
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE 
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE 
-------------- 

But this is a 'routed' configuration, so 'physdev' match does not work correctly. 

So I tried to use the 'veth' workaround: 

---------- 
auto vmbr1 
iface vmbr1 inet manual 
bridge_ports none 
bridge_stp off 
bridge_fd 0 

auto pm1 
iface pm1 inet static 
address 10.10.10.1 
netmask 255.255.255.0 
VETH_BRIDGETO vmbr1 
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE 
post-down iptables -t nat -F POSTROUTING 
---------- 

This works, but fails as soon as I enable nf filter on the bridge (starting pvefw). 

I found out that I can make it work by using CT zones: 

---------- 
auto vmbr1 
iface vmbr1 inet manual 
bridge_ports none 
bridge_stp off 
bridge_fd 0 

auto pm1 
iface pm1 inet static 
address 10.10.10.1 
netmask 255.255.255.0 
VETH_BRIDGETO vmbr1 
post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1 # why do we need this? 
post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1 # why do we need this? 
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE 
post-down iptables -t nat -F POSTROUTING 
post-down iptables -t raw -F PREROUTING 
---------- 

But I do not understand this. Why is that required? Is that the correct way to do it? 
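An added example, not from this thread and not pve-firewall's own code: a small shell helper that turns the CT-zone stanza above into an idempotent add/remove script and checks a conntrack listing for the effect. The reasoning it is built around (my reading, not something the thread states): the nat table is consulted only for the first packet of a connection; once bridge netfilter is on, conntrack first sees the guest's packet in the bridge path on vmbr1, where "-o pm0" can never match, so the entry is created with a "no NAT" decision and the routed pass on pm0 never re-evaluates MASQUERADE. Putting the bridge pass into zone 1 gives it a separate entry, so the routed pass in zone 0 is a new connection and the MASQUERADE rule fires. The subnet, vmbr1, pm0 and zone 1 are the thread's values; the function names, VM_PREFIX, DRY_RUN and the sample conntrack listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the pve-devel thread or the pve-firewall code base.
# Builds the CT-zone + MASQUERADE rule set from the quoted stanza and summarises
# a "conntrack -L" style listing per zone. Helper names, VM_PREFIX, DRY_RUN and
# the sample listing are this script's own assumptions.

SUBNET="10.10.10.0/24"
VM_PREFIX="10.10.10."   # textual prefix of $SUBNET, used when scanning conntrack output
BRIDGE="vmbr1"          # bridge the guests sit on; its packets go to conntrack zone 1
OUTIF="pm0"             # uplink where MASQUERADE is evaluated, in the default zone 0
ZONE=1
DRY_RUN="${DRY_RUN:-1}" # 1 = print the iptables commands instead of running them

# Print the three rules for action $1 (-A add, -D delete), one command per line.
masq_rules() {
    act="$1"
    printf 'iptables -t raw %s PREROUTING -s %s -i %s -j CT --zone %s\n' "$act" "$SUBNET" "$BRIDGE" "$ZONE"
    printf 'iptables -t raw %s PREROUTING -d %s -i %s -j CT --zone %s\n' "$act" "$SUBNET" "$BRIDGE" "$ZONE"
    printf 'iptables -t nat %s POSTROUTING -s %s -o %s -j MASQUERADE\n' "$act" "$SUBNET" "$OUTIF"
}

# Run the rules. With -A, "iptables -C" first skips rules that already exist, so a
# repeated post-up does not stack duplicates. Deleting with -D instead of
# "-F POSTROUTING" leaves rules that other services added to the chain untouched.
apply_rules() {
    act="$1"
    masq_rules "$act" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
            continue
        fi
        if [ "$act" = -A ] && eval "$(printf '%s' "$cmd" | sed 's/ -A / -C /')" 2>/dev/null; then
            continue   # rule already present
        fi
        eval "$cmd"
    done
}

# Write a constructed "conntrack -L" style listing to file $1 (sample data, not a
# real capture): two zone-1 entries from the bridge pass (reply dst still the guest,
# so no NAT there), one zone-0 entry from the routed pass whose reply dst is the
# uplink address (MASQUERADE applied), and one host-originated entry outside $SUBNET.
write_sample_conntrack() {
    cat >"$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=10.10.10.5 dst=203.0.113.7 sport=40000 dport=80 src=203.0.113.7 dst=10.10.10.5 sport=80 dport=40000 [ASSURED] mark=0 zone=1 use=1
udp      17 29 src=10.10.10.5 dst=203.0.113.53 sport=51000 dport=53 src=203.0.113.53 dst=10.10.10.5 sport=53 dport=51000 mark=0 zone=1 use=1
tcp      6 431999 ESTABLISHED src=10.10.10.5 dst=203.0.113.7 sport=40000 dport=80 src=203.0.113.7 dst=198.51.100.10 sport=80 dport=40000 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=198.51.100.10 dst=203.0.113.22 sport=22 dport=22 src=203.0.113.22 dst=198.51.100.10 sport=22 dport=22 [ASSURED] mark=0 use=1
EOF
}

# Summarise a conntrack listing (file $1): per zone, how many entries have an
# original source inside $SUBNET and how many of those were source-NATed (the
# reply-direction dst differs from the original src). Entries without a "zone="
# field are in zone 0. Output: one "zone=Z entries=N natted=M" line per zone.
zone_report() {
    awk -v pfx="$VM_PREFIX" '
    {
        zone = 0; osrc = ""; rdst = ""; ndst = 0
        for (i = 1; i <= NF; i++) {
            if (osrc == "" && index($i, "src=") == 1) osrc = substr($i, 5)
            if (index($i, "dst=") == 1 && ++ndst == 2) rdst = substr($i, 5)
            if (index($i, "zone=") == 1) zone = substr($i, 6)
        }
        if (index(osrc, pfx) != 1) next
        n[zone]++
        if (rdst != osrc) nat[zone]++
    }
    END { for (z in n) printf "zone=%s entries=%d natted=%d\n", z, n[z], nat[z] + 0 }' "$1" | sort
}

if [ "${1:-}" = demo ]; then          # e.g.  sh masq_zones.sh demo
    apply_rules -A
    f=$(mktemp); write_sample_conntrack "$f"; zone_report "$f"; rm -f "$f"
fi
```

On a real host, run it with DRY_RUN=0 from post-up/post-down instead of the inline iptables lines, and feed `zone_report` the output of `conntrack -L` (or /proc/net/nf_conntrack) while a guest has an outbound flow open: a healthy setup shows the zone-1 entries un-NATed and the zone-0 entry with the uplink address as reply destination; if the zone-0 line is missing or shows natted=0, the MASQUERADE rule never fired for that connection.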


