[pve-devel] pve-common : linux bridge and ovs new model implementation v2

Alexandre DERUMIER aderumier at odiso.com
Fri May 2 04:02:34 CEST 2014


"As to filtering it coming in, it might be possible to prevent VMs/CTs from seeing the Proxmox multicast data by simply preventing it from being forwarded to those interfaces"

It's also possible to enable igmp snooping on linux bridges ;) , it's enabled by default.
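Two checks behind the points above, as an added example that is not part of the thread: whether an address is a multicast group at all (which is why per-node destination rules never see corosync traffic), and whether IGMP snooping is on for a given Linux bridge. The SYSFS_ROOT override and the bridge name vmbr0 are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# 1) IPv4 multicast is 224.0.0.0/4, so an OUTPUT rule with "-d <node-ip>"
#    can never match packets sent to a multicast group.
# 2) The kernel exposes the bridge's IGMP snooping state at
#    /sys/class/net/<bridge>/bridge/multicast_snooping (1 = enabled).
# SYSFS_ROOT is a hypothetical override so the check can run against a copy.

# Print "multicast", "unicast" or "invalid" for a dotted-quad IPv4 address.
ipv4_kind() {
    first=${1%%.*}
    case "$first" in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ "$first" -ge 224 ] && [ "$first" -le 239 ]; then
        echo multicast
    else
        echo unicast
    fi
}

# Report IGMP snooping for a bridge: prints "enabled", "disabled" or "unknown".
bridge_snooping() {
    root=${SYSFS_ROOT:-/sys/class/net}
    f="$root/$1/bridge/multicast_snooping"
    if [ ! -r "$f" ]; then echo unknown; return 1; fi
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# Could an OUTPUT rule "-d <addr> -p udp --ports 5404,5405" match the
# cluster's multicast packets? Only if <addr> is the group address itself.
rule_can_match() {
    [ "$(ipv4_kind "$1")" = multicast ]
}
```

Run `bridge_snooping vmbr0` on a node to see whether the default snooping is still in effect for that bridge.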


----- Original Mail ----- 

From: "Cesar Peschiera" <brain at click.com.py> 
To: pve-devel at pve.proxmox.com 
Sent: Thursday 1 May 2014 23:29:07 
Subject: Re: [pve-devel] pve-common : linux bridge and ovs new model implementation v2 


snif, snif, snif 

ok, many thanks for the clarification 



----- Original Message ----- 
From: Daniel Hunsaker 
To: Cesar Peschiera 
Cc: pve-devel at pve.proxmox.com 
Sent: Thursday, May 01, 2014 5:14 PM 
Subject: Re: [pve-devel] pve-common : linux bridge and ovs new model implementation v2 


Multicast doesn't have destination IPs to filter by, so multicast traffic leaving a node can't be filtered that way by the node. As to filtering it coming in, it might be possible to prevent VMs/CTs from seeing the Proxmox multicast data by simply preventing it from being forwarded to those interfaces. But you'll still have the multicast across your LAN either way, because that's how multicast works. 
On May 1, 2014 1:52 PM, "Cesar Peschiera" <brain at click.com.py> wrote: 

<blockquote>

<blockquote>
It's not possible with a firewall to say only send multicast traffic to a specific host. 
(or it's not multicast anymore ;) 



But I think that is possible: while PVE is transmitting in multicast mode on UDP ports 5404 and 5405, the firewall can drop the packets for all except the IP addresses that are the PVE nodes. 

An example in iptables (we know that the order of the rules is important to get this target): 

# Allow the cluster UDP ports only towards the other PVE nodes
# (-d matches a destination IP; -o expects an interface name, not an address)
iptables -A OUTPUT -d <a-IP-address-of-PVE-Node> -p udp -m multiport --ports 5404,5405 -j ACCEPT 
iptables -A OUTPUT -d <other-IP-address-of-Other-PVE-Node> -p udp -m multiport --ports 5404,5405 -j ACCEPT 
# And finally the magic rule: drop these ports towards everyone else
iptables -A OUTPUT -p udp -m multiport --ports 5404,5405 -j DROP 

I see it as very simple, or am I missing something? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 

</blockquote>

</blockquote>



