[pve-devel] [PATCH] add ips feature v3

Alexandre DERUMIER aderumier at odiso.com
Tue Mar 18 09:14:10 CET 2014


>>You use this chain unconditionally, so we slow down things when the IPS is not active. 
>>(because of an additional jump to PVEFW-Accept). 

Do you think the overhead is big?
I can work on an optimisation to only replace ACCEPT when the IPS is enabled



>>Besides, I cannot see that this patch replaces all ACCEPT actions, for example: 
>>
>>--------------- 
>>sub ruleset_generate_vm_rules { 
>>... 

>>if ($direction eq 'OUT') { 
>>... 
>>} else { 
>>ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); 
>>} 
>>
>>} 
>>---------------- 
>>
>>So that generates normal ACCEPT? 

Oh, I didn't see that we have ACCEPT in 'PVEFW-Reject' and 'PVEFW-Drop':

    'PVEFW-Reject' => [
        # ACCEPT critical ICMP types
        { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
        { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
    ],

    'PVEFW-Drop' => [
        # ACCEPT critical ICMP types
        { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
        { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
    ],

I don't know, but if they are critical, maybe we can bypass the IPS?



Last question: do you think I need to add PVEFW-Accept for host default rules? (as they are mainly inter-cluster rules)

sub enable_host_firewall {
    # excerpt: $ruleset and $chain are set up earlier in the real function

    ruleset_addrule($ruleset, $chain, "-i lo -j PVEFW-Accept");
    ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j PVEFW-Accept");
    ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j PVEFW-Accept");
    ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j PVEFW-Accept");  # corosync
}

----- Original message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Tuesday 18 March 2014 06:32:26
Subject: RE: [pve-devel] [PATCH] add ips feature v3

> this create a new chain PVEFW-Accept 

You use this chain unconditionally, so we slow down things when the IPS is not active. 
(because of an additional jump to PVEFW-Accept). 

Besides, I cannot see that this patch replaces all ACCEPT actions, for example: 

--------------- 
sub ruleset_generate_vm_rules { 
... 

if ($direction eq 'OUT') { 
... 
} else { 
ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); 
} 

} 
---------------- 

So that generates normal ACCEPT? 
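A sketch of the optimisation discussed in this thread (replace ACCEPT with a jump to PVEFW-Accept only when the IPS is enabled, and let the critical ICMP ACCEPTs bypass it). This is an added example, not pve-firewall code and not code from either mail; the rule tables, the `critical` flag and the helper names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not pve-firewall code: rewrite ACCEPT into a jump to
# PVEFW-Accept only when the IPS is enabled, so the extra jump is not paid
# when it is off. Rule tables, the 'critical' flag and the helper names
# are assumptions made for this sketch.

my %chains = (
    # critical ICMP ACCEPTs (as in PVEFW-Reject/PVEFW-Drop) bypass the IPS
    'PVEFW-Reject' => [
        { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed', critical => 1 },
        { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded', critical => 1 },
    ],
    'vm-in' => [
        { action => 'ACCEPT', proto => 'tcp', dport => '22' },
        { action => 'REJECT', proto => 'tcp', dport => '25' },
    ],
);

# Target for a rule given the IPS state: ACCEPT stays a plain ACCEPT when the
# IPS is off or the rule is marked critical; otherwise jump to PVEFW-Accept.
sub accept_target {
    my ($rule, $ips_enabled) = @_;
    return $rule->{action} if $rule->{action} ne 'ACCEPT';
    return 'ACCEPT' if !$ips_enabled || $rule->{critical};
    return 'PVEFW-Accept';
}

sub generate_ruleset {
    my ($ips_enabled) = @_;
    my @out;
    for my $chain (sort keys %chains) {
        for my $rule (@{ $chains{$chain} }) {
            my $match = $rule->{proto} eq 'icmp'
                ? "-p icmp --icmp-type $rule->{dport}"
                : "-p $rule->{proto} --dport $rule->{dport}";
            push @out, "-A $chain $match -j " . accept_target($rule, $ips_enabled);
        }
    }
    return @out;
}

print "$_\n" for generate_ruleset(0);   # IPS off: no PVEFW-Accept jumps at all
print "---\n";
print "$_\n" for generate_ruleset(1);   # IPS on: only non-critical ACCEPTs jump
```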


