[pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges
Alexandre DERUMIER
aderumier at odiso.com
Fri May 9 16:17:38 CEST 2014
better with your PVEFW-VENET-IN|PVEFW-VENET-OUT (less lookup for vnet0 interfaces if we have a lot of tap interfaces too)
-A FORWARD -i fwbr+ -j PVEFW-FORWARD
-A FORWARD -i vnet0 -m set --match-set PVEFW-vnet0ipset src -j PVEFW-FORWARD
-A FORWARD -o vnet0 -m set --match-set PVEFW-vnet0ipset dst -j PVEFW-FORWARD
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
-A PVEFW-FORWARD -o vnet0 -j PVEFW-VENET-IN
-A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-VENET-IN -o venet0 -d 192.168.3.104 -j venet0-104-OUT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0 -j veth0.0-OUT
-A PVEFW-FORWARD -i vnet0 -j PVEFW-VENET-OUT
-A PVEFW-VENET-OUT -i venet0 -s 192.168.3.104 -j venet0-104-OUT
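To check which terminal chain this layout sends a packet to, here is a small model of the bridged (fwbr/physdev) part of the proposal above; it is an added example, not code from the thread or from pve-firewall. The venet/ipset rules are left out, the bodies of PVEFW-tcpflags and PVEFW-smurfs are not on the page and are modelled as empty chains that RETURN, and the interface and port names used for sample packets are assumptions.

```python
import fnmatch

# Chain layout transcribed from the proposal above: (match dict, jump target).
# Match keys model -i, --physdev-in/--physdev-out (trailing '+' wildcard), --ctstate, -p.
RULES = {
    "FORWARD": [({"i": "fwbr+"}, "PVEFW-FORWARD")],   # only firewall bridges are filtered
    "PVEFW-FORWARD": [
        ({"ctstate": {"INVALID"}}, "DROP"),
        ({"ctstate": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
        ({"physdev_in": "link+"}, "PVEFW-FWBR-IN"),    # host side -> guest port
        ({"physdev_out": "link+"}, "PVEFW-FWBR-OUT"),  # guest port -> host side
    ],
    "PVEFW-FWBR-IN": [
        ({"proto": "tcp"}, "PVEFW-tcpflags"),
        ({"ctstate": {"INVALID", "NEW"}}, "PVEFW-smurfs"),
        ({"physdev_out": "tap123i0"}, "tap123i0-IN"),
        ({"physdev_out": "veth0.0"}, "veth0.0-IN"),
    ],
    "PVEFW-FWBR-OUT": [
        ({"physdev_in": "tap123i0"}, "tap123i0-OUT"),
        ({"physdev_in": "veth0.0"}, "veth0.0-OUT"),
    ],
    "PVEFW-tcpflags": [],   # bodies not on the page: modelled as empty chains that RETURN
    "PVEFW-smurfs": [],
}

def _matches(match, pkt):
    for key, want in match.items():
        if key in ("i", "physdev_in", "physdev_out"):  # iptables '+' is a trailing wildcard
            if not fnmatch.fnmatchcase(pkt.get(key, ""), want.replace("+", "*")):
                return False
        elif key == "ctstate":
            if pkt.get("ctstate") not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(pkt, chain="FORWARD"):
    """Terminal target (ACCEPT, DROP, per-guest chain) the packet reaches, or None
    when it falls through to the FORWARD policy, i.e. the PVEFW chains were bypassed."""
    for match, target in RULES[chain]:
        if not _matches(match, pkt):
            continue
        if target in RULES:           # user chain: recurse; an empty result means RETURN
            result = verdict(pkt, target)
            if result is not None:
                return result
        else:                         # ACCEPT/DROP or per-guest chain: traversal stops
            return target
    return None
```

A packet bridged on vmbr0 (not matching fwbr+) yields None, which is the "bypass firewall for non firewall bridges" behaviour the patch subject describes.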
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 9 May 2014 15:55:26
Subject: Re: [pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges
I was thinking about something like
-A FORWARD -i fwbr+ -j PVEFW-FORWARD
-A FORWARD -i vnet0 -m set --match-set PVEFW-vnet0ipset src -j PVEFW-FORWARD
-A FORWARD -o vnet0 -m set --match-set PVEFW-vnet0ipset dst -j PVEFW-FORWARD
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -o vnet0 -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
-A PVEFW-FWBR-IN -o venet0 -d 192.168.3.104 -j venet0-104-OUT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -i vnet0 -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0 -j veth0.0-OUT
-A PVEFW-FWBR-OUT -i venet0 -s 192.168.3.104 -j venet0-104-OUT
what do you think about it?
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 9 May 2014 13:29:12
Subject: RE: [pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges
> >>This does not work, because it accepts traffic from venet0!
>
> Ok, I'll check that.
But seems to work perfectly without that. Maybe we should add other chains for venet-related
traffic:
PVEFW-VENET-IN
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-VENET-IN -i venet0 -s 192.168.3.104 -j venet0-104-OUT
PVEFW-VENET-OUT
...
what do you think?
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel