[pve-devel] venet firewall broken?
Dietmar Maurer
dietmar at proxmox.com
Mon May 12 07:08:41 CEST 2014
> >>Yes, we also want to filter container to container traffic.
>
> Previously, we had a rule
>
> - # always allow traffic from containers?
> - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN");
>
> so, it wasn't working at all before?
Here is what we produced previously:
PVEFW-FORWARD (JRo5BSic0aO5zPRf9m6h7QUC+BM)
-A PVEFW-FORWARD -i venet0 -s 192.168.3.104 -j venet0-104-OUT
-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-out -j vmbr0-FW
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-in -j vmbr0-FW
-A PVEFW-FORWARD -o venet0 -d 192.168.3.104 -j venet0-104-IN
-A PVEFW-FORWARD -i venet0 -j RETURN
So that rule is just to accept traffic to non-firewalled containers.
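To make the ordering argument in the listing above concrete, here is an added illustration that is not part of this mail or of the pve-firewall code: a small Python model of first-match chain traversal over the five PVEFW-FORWARD rules quoted above. Packets are plain dicts with constructed addresses (192.168.3.105 and 192.168.3.106 are assumed to be non-firewalled containers; only .104 has per-container chains in the listing), and the "physdev" flags are modelled as optional boolean keys. It shows why the trailing "-i venet0 -j RETURN" only catches traffic from containers that have no chain of their own, and, as a hypothetical variant, what the same rule would do if it sat at the top of the chain instead.

```python
# Added example (not Proxmox code): first-match model of the PVEFW-FORWARD
# chain quoted in the mail. Each rule is (match criteria, target); a packet
# matches when every criterion equals the packet's field of the same name.
PVEFW_FORWARD = [
    ({"in": "venet0", "src": "192.168.3.104"}, "venet0-104-OUT"),
    ({"out": "vmbr0", "physdev_out": True}, "vmbr0-FW"),
    ({"in": "vmbr0", "physdev_in": True}, "vmbr0-FW"),
    ({"out": "venet0", "dst": "192.168.3.104"}, "venet0-104-IN"),
    ({"in": "venet0"}, "RETURN"),
]

# Hypothetical ordering (assumption, not from the page): the venet0 RETURN
# rule placed before the per-container jumps.
RETURN_FIRST = [PVEFW_FORWARD[-1]] + PVEFW_FORWARD[:-1]


def rule_matches(criteria, pkt):
    """All criteria must equal the packet's fields; absent fields never match."""
    return all(pkt.get(key) == value for key, value in criteria.items())


def forward_target(pkt, rules=PVEFW_FORWARD):
    """Return the target of the first matching rule, or 'POLICY' if none match
    (i.e. the packet falls through to the chain's default policy)."""
    for criteria, target in rules:
        if rule_matches(criteria, pkt):
            return target
    return "POLICY"


def venet_packet(src, dst, out="vmbr0"):
    """Constructed packet arriving from a container over venet0 (no physdev)."""
    return {"in": "venet0", "out": out, "src": src, "dst": dst}


def bridge_packet():
    """Constructed packet bridged through vmbr0 (physdev match applies)."""
    return {"in": "vmbr0", "out": "vmbr0", "physdev_in": True, "physdev_out": True}


def summarize(rules=PVEFW_FORWARD):
    """Which target each representative flow reaches under the given ordering."""
    return {
        "ct104_to_host": forward_target(venet_packet("192.168.3.104", "10.0.0.5"), rules),
        "ct105_to_host": forward_target(venet_packet("192.168.3.105", "10.0.0.5"), rules),
        "ct105_to_ct104": forward_target(venet_packet("192.168.3.105", "192.168.3.104", out="venet0"), rules),
        "ct105_to_ct106": forward_target(venet_packet("192.168.3.105", "192.168.3.106", out="venet0"), rules),
        "bridged_vm": forward_target(bridge_packet(), rules),
    }


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name:16s} -> {result}")
    print("--- with RETURN moved to the top (hypothetical) ---")
    for name, result in summarize(RETURN_FIRST).items():
        print(f"{name:16s} -> {result}")
```

With the quoted ordering, traffic from the firewalled container .104 is dispatched to venet0-104-OUT and traffic to it (even from another container on venet0) to venet0-104-IN, while only flows between containers without their own chains reach the RETURN rule. Moving that RETURN rule to the top would short-circuit every venet0 source, including .104, past its OUT chain, which is why its position at the end of the chain matters.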