[pve-devel] pvefw: masquerade problems and conntrack zones

Alexandre DERUMIER aderumier at odiso.com
Mon Mar 10 14:50:50 CET 2014 

>>Oh, I have a second bridge configured as: 

oh,ok.

so, it seem that

>>iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -j LOG --log-prefix "MASQTEST: " 

show, that packet with source 10.10.10.0/24 in POSTROUTING, is tested against each output interface (maybe interfaces with ip adress configured)?

>>Mar 10 11:25:34 lola kernel: [259254.043987] MASQTEST: IN= OUT=vmbr1 PHYSIN=tap116i0 PHYSOUT=pm1peer SRC=10.10.10.3 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5639 SEQ=1 >>MARK=0x1 
>>Mar 10 11:25:34 lola kernel: [259254.044020] MASQTEST: IN= OUT=pm0 SRC=10.10.10.3 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5639 SEQ=1

then

>> post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE

is doing his job, to nat only on pm0


now, I don't known for the --zone 1 .....
(So it doesn't work on 2.6.32 without --zone 1 ?)


 

----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Lundi 10 Mars 2014 12:36:39 
Objet: RE: pvefw: masquerade problems and conntrack zones 

> >>So it seem that now the POSTROUTING chain gets called twice. The second 
> call has the correct output interface. 
> 
> what is pm0 vs pm1peer ? 

Oh, I have a second bridge configured as: 

auto vmbr0 
iface vmbr0 inet manual 
bridge_ports bond0 
bridge_stp off 
bridge_fd 0 

auto pm0 
iface pm0 inet static 
... 
VETH_BRIDGETO vmbr0 


My ifupdown.sh helper script creates a veth interface with: 

ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1 

same for pm1 

> 
> 
> >>I am a bit scared, because the whole thing is not documented. Are there 
> other projects using such setup? 
> afaik, openstack and cloudstack managed only bridged firewall, I don't have 
> see nat implementation.(I'll check that today) 
> 
> ----- Mail original ----- 
> 
> De: "Dietmar Maurer" <dietmar at proxmox.com> 
> À: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" 
> <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com 
> Envoyé: Lundi 10 Mars 2014 11:36:33 
> Objet: RE: pvefw: masquerade problems and conntrack zones 
> 
> > > post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j 
> > > CT --zone 
> > > 1 # why do we need this? 
> > > post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j 
> > > CT -- zone 1 # why do we need this? 
> > > post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j 
> > > MASQUERADE >> apply on default zone 0 
> > > 
> > > 
> > > so, that should mean that apply -j MASQUERADE don't apply on vmbr1 
> > > with zone 1 
> > 
> > Sure, but why is that required? Are there negative side effects? Any 
> > ideas? I have not found any documentation. 
> 
> My guess is that POSTROUTING chain gets called to early (because bridge 
> filter is enabled). Using: 
> 
> auto pm1 
> iface pm1 inet static 
> address 10.10.10.1 
> netmask 255.255.255.0 
> VETH_BRIDGETO vmbr1 
> ##disabled# post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i 
> vmbr1 -j CT --zone 1 ##disabled# post-up iptables -t raw -A PREROUTING -d 
> '10.10.10.0/24' -i vmbr1 -j CT --zone 1 post-up iptables -t nat -A 
> POSTROUTING -s '10.10.10.0/24' -j LOG --log-prefix "MASQTEST: " 
> post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j 
> MASQUERADE post-down iptables -t nat -F POSTROUTING post-down 
> iptables -t raw -F PREROUTING 
> 
> A simple ping results in this log: 
> 
> Mar 10 11:26:17 lola kernel: [259296.464749] MASQTEST: IN= OUT=vmbr1 
> PHYSIN=tap116i0 PHYSOUT=pm1peer SRC=10.10.10.3 DST=8.8.8.8 LEN=84 
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5645 
> SEQ=1 MARK=0x1 
> 
> Note: "-o pm0 -j MASQUERADE" does not trigger at all! 
> 
> If I enable zones I get: 
> 
> Mar 10 11:25:34 lola kernel: [259254.043987] MASQTEST: IN= OUT=vmbr1 
> PHYSIN=tap116i0 PHYSOUT=pm1peer SRC=10.10.10.3 DST=8.8.8.8 LEN=84 
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5639 
> SEQ=1 MARK=0x1 Mar 10 11:25:34 lola kernel: [259254.044020] MASQTEST: 
> IN= OUT=pm0 SRC=10.10.10.3 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 
> TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5639 SEQ=1 
> 
> So it seem that now the POSTROUTING chain gets called twice. The second 
> call has the correct output interface. 
> 
> I am a bit scared, because the whole thing is not documented. Are there 
> other projects using such setup?

More information about the pve-devel mailing list