[pve-devel] venet firewall broken?
Alexandre DERUMIER
aderumier at odiso.com
Mon May 12 06:25:24 CEST 2014
>>Yes, we also want to filter container to container traffic.
Previously, we had a rule
- # always allow traffic from containers?
- ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN");
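Review bot: dropping this RETURN is what makes container-to-container filtering possible at all, since with it every packet arriving on venet0 left PVEFW-FORWARD before any filter rule ran; but the venet0 LOG line quoted below shows both IN and OUT as venet0, so whatever replaces this rule cannot tell the two containers apart by interface and has to match on the container addresses (SRC/DST) instead.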
So, it wasn't working at all before?
I see this iptables traffic:
FORWARD: IN=venet0 OUT=venet0 SRC=10.3.94.204 DST=10.3.94.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25368 PROTO=ICMP TYPE=0 CODE=0 ID=1751 SEQ=1
Maybe with some magic routing rule, is it possible to split it to have two lines?
I'll check that today.
>>We should really have some regression tests, but I do not know a tool to simulate
>>iptables? We can write a simple simulator ourselves, but that is much work :-/
Don't know either. I'll ask my coworkers today.
----- Original Mail -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday 12 May 2014 06:16:37
Subject: RE: venet firewall broken?
> container to container ?
>
> venet0->venet0 ?
>
Yes, we also want to filter container to container traffic.
> Damn, I haven't tested this case.
We should really have some regression tests, but I do not know a tool to simulate
iptables? We can write a simple simulator ourselves, but that is much work :-/
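An added example, not code from pve-firewall or from either poster, along the lines of the small iptables simulator Dietmar mentions for regression tests: it replays the LOG line Alexandre quoted through PVEFW-FORWARD with and without the removed `-i venet0 -j RETURN` rule. The `venet-filter` chain, its DROP rule for the two container addresses and the ACCEPT fall-through policy are assumptions made for the test.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

Packet = Dict[str, str]   # the fields rules look at: SRC, DST, IN, OUT (LOG-line names)

@dataclass
class Rule:
    target: str                              # ACCEPT, DROP, RETURN or a user chain
    match: Optional[Dict[str, str]] = None   # e.g. {"IN": "venet0"} for "-i venet0"

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in (self.match or {}).items())

def packet_from_log(line: str) -> Packet:
    """Parse a kernel LOG line ("FORWARD: IN=venet0 OUT=venet0 SRC=... DST=...")."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def walk(chains: Dict[str, List[Rule]], name: str, pkt: Packet) -> Optional[str]:
    """Evaluate one chain; None means RETURN or fell off the end of the chain."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt)      # -j <user chain>
        if verdict is not None:
            return verdict
    return None

def forward_verdict(pkt: Packet, with_venet_return: bool) -> str:
    """PVEFW-FORWARD with and without the removed "-i venet0 -j RETURN" rule.
    The venet-filter chain and the ACCEPT fall-through policy are test assumptions."""
    chains = {
        "PVEFW-FORWARD": [],
        "venet-filter": [Rule("DROP", {"SRC": "10.3.94.204", "DST": "10.3.94.203"}),
                         Rule("ACCEPT")],
    }
    if with_venet_return:
        chains["PVEFW-FORWARD"].append(Rule("RETURN", {"IN": "venet0"}))
    chains["PVEFW-FORWARD"].append(Rule("venet-filter", {"IN": "venet0"}))
    return walk(chains, "PVEFW-FORWARD", pkt) or "ACCEPT"

# Constructed from the LOG line quoted in the thread (container to container).
CT_TO_CT = packet_from_log(
    "FORWARD: IN=venet0 OUT=venet0 SRC=10.3.94.204 DST=10.3.94.203 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=25368 PROTO=ICMP TYPE=0 CODE=0 ID=1751 SEQ=1")
```

With the old RETURN rule the container-to-container packet is never filtered (ACCEPT); without it the venet-filter chain sees it and drops it, while a packet leaving venet0 for another interface still passes.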