[pve-devel] [PATCH] add ips feature v2

Alexandre DERUMIER aderumier at odiso.com
Mon Mar 17 13:37:34 CET 2014


>>We use '-j ACCEPT' at many places. Each of those calls will bypass the ips? 
>>So shouldn't we replace all occurrences of '-j ACCEPT'? 

I only replace it when the connection is established for now, 
but I think we can replace the -j ACCEPT in the tap-in chains without problem, 

and in the vmbrX-FW chain too.




----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com 
Sent: Monday, March 17, 2014 13:02:54 
Subject: RE: [pve-devel] [PATCH] add ips feature v2 

We use '-j ACCEPT' at many places. Each of those calls will bypass the ips? 
So shouldn't we replace all occurrences of '-j ACCEPT'? 

> This adds ips (like suricata) support through nfqueues. 
> 
> this creates a new chain PVEFW-Accept 
> 
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept 
> -A PVEFW-Accept -m physdev --physdev-out tapxxx --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass 
> -A PVEFW-Accept -m physdev --physdev-out tapxxx --physdev-is-bridged -j NFQUEUE --queue-num 0 --queue-bypass 
> -A PVEFW-Accept -j ACCEPT 
> 
> it's using --queue-bypass (only available in the 3.10 kernel), so if the suricata 
> daemon is down, 
> packets are not dropped. 



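The PVEFW-Accept chain from the quoted patch, plus the follow-up idea of sending the remaining direct '-j ACCEPT' rules through it, as an added shell example. This is not code from the thread or from pve-firewall: it only writes iptables-restore text and audits a ruleset, it never calls iptables, and the chain and interface names in the constructed sample (tap100i0, tap101i0, vmbr0-FW) are assumptions used for illustration. It assumes the iptables-save convention that '-j TARGET' is the last token of a rule.

```shell
#!/bin/sh
# Added example, not part of the pve-firewall patch: build the PVEFW-Accept
# IPS chain described in the thread as iptables-restore text, and audit a
# ruleset for direct "-j ACCEPT" rules that would bypass the IPS. Nothing
# here calls iptables. Interface and chain names (tap100i0, tap101i0,
# vmbr0-FW) are assumed for illustration.

# Print the IPS accept chain for the given NFQUEUE number and tap interfaces.
# Usage: pvefw_ips_chain <queue-num> <tap> [<tap> ...]
pvefw_ips_chain() {
    queue="$1"; shift
    echo ':PVEFW-Accept - [0:0]'
    # Established/related traffic is handed to the IPS chain instead of
    # being accepted directly.
    echo '-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept'
    for tap in "$@"; do
        # --queue-bypass (kernel 3.10+): if no daemon listens on the queue the
        # packet is let through instead of dropped, so a dead IPS does not cut
        # the VMs off the network.
        echo "-A PVEFW-Accept -m physdev --physdev-out $tap --physdev-is-bridged -j NFQUEUE --queue-num $queue --queue-bypass"
    done
    # Traffic not heading for a queued tap is accepted as before.
    echo '-A PVEFW-Accept -j ACCEPT'
}

# Print every rule (stdin, iptables-save format) that accepts directly from a
# chain other than PVEFW-Accept. Each such rule lets traffic skip the IPS.
list_direct_accept() {
    awk '$1 == "-A" && $2 != "PVEFW-Accept" && / -j ACCEPT$/'
}

# Count those rules; prints 0 when the ruleset is clean.
count_direct_accept() {
    awk '$1 == "-A" && $2 != "PVEFW-Accept" && / -j ACCEPT$/ { n++ } END { print n + 0 }'
}

# Rewrite a ruleset (stdin) so that ACCEPTs in chains other than PVEFW-Accept
# jump into the IPS chain instead, as suggested for the tap-in and vmbrX-FW
# chains. The final "-A PVEFW-Accept -j ACCEPT" is left unchanged.
route_accepts_through_ips() {
    awk '$1 == "-A" && $2 != "PVEFW-Accept" { sub(/ -j ACCEPT$/, " -j PVEFW-Accept") } { print }'
}

# Constructed ruleset fragment for the demo (not captured from a real host).
sample_rules() {
    cat <<'EOF'
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-IN -p tcp --dport 22 -j ACCEPT
-A vmbr0-FW -m physdev --physdev-is-bridged -j ACCEPT
-A tap100i0-IN -j DROP
-A PVEFW-Accept -j ACCEPT
EOF
}

# Run as "sh thisfile.sh demo" to see the generated chain and the audit.
if [ "${1:-}" = "demo" ]; then
    pvefw_ips_chain 0 tap100i0 tap101i0
    echo "direct ACCEPTs before rewrite: $(sample_rules | count_direct_accept)"
    echo "direct ACCEPTs after rewrite:  $(sample_rules | route_accepts_through_ips | count_direct_accept)"
fi
```

Pipe `iptables-save` into count_direct_accept on a host to see how many rules still bypass the queue; the rewrite is deliberately blunt (every non-PVEFW-Accept chain) so review its output before feeding it to iptables-restore.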