[pve-devel] [PATCH] add ips feature
Alexandre DERUMIER
aderumier at odiso.com
Mon Mar 17 08:14:29 CET 2014
Well, we jump to NFQUEUE in tap chains.
If we ACCEPT at the beginning of forward, we bypass the IPS.
And if we jump to NFQUEUE at the beginning of forward, we go to the IPS for all VMs (I want to enable it per VM).
I just noticed a bug: if sourcevm out (ips:0) -> sourcevm in (ips:1),
it'll do an accept in tap-out and bypass the IPS.
I'll rework my patch.
(something like
PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j IPSCHAIN
IPSCHAIN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j NFQUEUE
IPSCHAIN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j NFQUEUE
IPSCHAIN -j ACCEPT
)
It should be faster too.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Monday 17 March 2014 07:10:20
Subject: RE: [pve-devel] [PATCH] add ips feature
> # fixme: this is an optimization? if so, we should also drop INVALID
> packages?
> - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT");
> -
> + if(!$ips_enable){
> + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --
> ctstate RELATED,ESTABLISHED -j ACCEPT");
> + }
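Review bot: when `$ips_enable` is set, this hunk removes the early `RELATED,ESTABLISHED -j ACCEPT` from PVEFW-FORWARD and puts nothing in its place, so established traffic now falls through to the rest of the chain and nothing in this hunk sends it to NFQUEUE; either keep the conntrack match and change its target to the IPS chain when ips is enabled (e.g. `-m conntrack --ctstate RELATED,ESTABLISHED -j <ips chain>`), or state in the commit message where the NFQUEUE jump for established flows happens. The `# fixme` about also dropping INVALID packets is left untouched, so the question it raises is still open. Minor: `if(!$ips_enable){` should be written `if (!$ips_enable) {` to match the surrounding Perl style.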
What happens here if ips is enabled? Don't we need to jump to NFQUEUE?
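The IPSCHAIN layout sketched above, rendered as an added example that is not PVE firewall code: the RELATED,ESTABLISHED match in PVEFW-FORWARD jumps to IPSCHAIN, each VM with ips enabled gets an NFQUEUE rule per direction, and the chain ends in ACCEPT so established flows of VMs without IPS keep the fast path. The "tap ips" input format and the use of --physdev-in for the VM's outbound direction are assumptions of this example; rules are printed, not applied.

```shell
#!/bin/sh
# Added example (not PVE code): render the IPSCHAIN layout discussed in the
# thread for a set of VM tap devices, with IPS enabled per VM.
# Input (constructed format): one "tapname ips" pair per line, e.g. "tap100i0 1".
# Rules are only printed, so this runs without root and without iptables.

# $1 = newline-separated "tap ips" list; prints iptables-save style rules.
ips_rules() {
    vms="$1"
    # Hook: established traffic goes to IPSCHAIN instead of being ACCEPTed
    # outright, so it can still be queued to the IPS for the VMs that want it.
    printf '%s\n' '-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j IPSCHAIN'
    # One NFQUEUE rule per direction for every VM with ips=1 (assumption:
    # --physdev-in matches frames coming from the tap, i.e. the VM's outbound
    # traffic, --physdev-out matches frames going to the tap, i.e. inbound).
    printf '%s\n' "$vms" | while read -r tap ips; do
        [ -n "$tap" ] || continue
        [ "$ips" = "1" ] || continue
        printf '%s\n' "-A IPSCHAIN -m physdev --physdev-in $tap --physdev-is-bridged -j NFQUEUE"
        printf '%s\n' "-A IPSCHAIN -m physdev --physdev-out $tap --physdev-is-bridged -j NFQUEUE"
    done
    # Established traffic of VMs without IPS keeps the old fast path.
    printf '%s\n' '-A IPSCHAIN -j ACCEPT'
}
```

Because the per-VM match happens once in IPSCHAIN, an established flow between a VM with ips:0 and one with ips:1 is still queued via the ips:1 VM's rule instead of being accepted in the other VM's tap chain.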