[pve-devel] venet firewall broken?
Alexandre DERUMIER
aderumier at odiso.com
Mon May 12 09:29:59 CEST 2014
> I am currently working on a rebase, just to find out what we really need. I will also send the result to the list.
Ok, on my side, I was thinking about something like
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -i fwbr+ -j PVEFW-FORWARD-FW
-A PVEFW-FORWARD -j MARK --set-mark 0
-A PVEFW-FORWARD -i venet0 -o venet0 -m set --match-set PVEFW-venet0 src,dst -j MARK --set-mark 1
# set a mark for firewalled venet0 -> venet0 traffic
-A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-FORWARD-VENET
-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-FORWARD-VENET
-A PVEFW-FORWARD-FW -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD-FW -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD-FW -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD-FW -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD-FW -j ACCEPT
-A PVEFW-FORWARD-VENET -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD-VENET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD-VENET -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-VENET-OUT
-A venet0-130-OUT -p tcp -m tcp --dport 22 -g PVEFW-ACCEPT-MARK
-A PVEFW-FORWARD-VENET -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-FORWARD-VENET -j ACCEPT
and in PVEFW-ACCEPT-MARK
-A PVEFW-ACCEPT-MARK -m mark --mark 1 -j PVEFW-VENET-IN
-A PVEFW-ACCEPT-MARK -j ACCEPT
(group-in rules also go to PVEFW-ACCEPT-MARK)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday 12 May 2014 08:46:06
Subject: RE: [pve-devel] venet firewall broken?
> I'll work all the day on it,
>
> I'm pretty sure it can be solved without revert all the work.
I am currently working on a rebase, just to find out what we really need. I will also send the result to the list.
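A small model of the chain layout sketched in the post above, added here as an illustration and not code from the pve-devel thread or from Proxmox: it walks a constructed packet through the FORWARD chains exactly as listed (jump vs. goto, non-terminating MARK, the PVEFW-venet0 ipset) and records which chains it visits, so one can see why venet-to-venet traffic needs the mark: the packet passes FORWARD only once, and PVEFW-ACCEPT-MARK uses mark 1 to run the destination container's IN chain after the source container's OUT chain accepted. The ipset membership, the per-container dispatch chains (PVEFW-VENET-OUT/IN), and the contents of venet0-131-IN, including its final DROP, are assumptions for this model; the post only shows the venet0-130-OUT rule.

```python
# Added example (not from the pve-devel thread): a tiny interpreter for the
# iptables FORWARD chain layout sketched in the post, to trace chain traversal.

ACCEPT, DROP = "ACCEPT", "DROP"

# Constructed ipset PVEFW-venet0: addresses of the firewalled venet containers.
PVEFW_VENET0 = {"10.0.0.130", "10.0.0.131"}

def in_set(pkt, flags):
    """-m set --match-set PVEFW-venet0 <flags>, where flags is src, dst or src,dst."""
    return all(pkt[f] in PVEFW_VENET0 for f in flags.split(","))

def iface(pkt, key, name):
    """-i / -o interface match, honouring the iptables '+' prefix wildcard."""
    return pkt[key].startswith(name[:-1]) if name.endswith("+") else pkt[key] == name

def tcp_port(pkt, port):
    return pkt["proto"] == "tcp" and pkt["dport"] == port

# Each rule is (match predicate, target, is_goto). A target "MARK:N"
# emulates -j MARK --set-mark N, which is non-terminating.
CHAINS = {
    "FORWARD": [(lambda p: True, "PVEFW-FORWARD", False)],
    "PVEFW-FORWARD": [
        (lambda p: iface(p, "in", "fwbr+"), "PVEFW-FORWARD-FW", False),
        (lambda p: True, "MARK:0", False),
        (lambda p: iface(p, "in", "venet0") and iface(p, "out", "venet0")
                   and in_set(p, "src,dst"), "MARK:1", False),
        (lambda p: iface(p, "out", "venet0") and in_set(p, "dst"), "PVEFW-FORWARD-VENET", False),
        (lambda p: iface(p, "in", "venet0") and in_set(p, "src"), "PVEFW-FORWARD-VENET", False),
    ],
    "PVEFW-FORWARD-FW": [(lambda p: True, ACCEPT, False)],  # bridge path, not modelled here
    "PVEFW-FORWARD-VENET": [
        (lambda p: p["ctstate"] == "INVALID", DROP, False),
        (lambda p: p["ctstate"] in ("RELATED", "ESTABLISHED"), ACCEPT, False),
        (lambda p: iface(p, "in", "venet0") and in_set(p, "src"), "PVEFW-VENET-OUT", False),
        (lambda p: iface(p, "out", "venet0") and in_set(p, "dst"), "PVEFW-VENET-IN", False),
        (lambda p: True, ACCEPT, False),
    ],
    # Assumed for this model: per-container dispatch by address, and an IN
    # chain for container 131 that allows ssh and drops everything else.
    "PVEFW-VENET-OUT": [(lambda p: p["src"] == "10.0.0.130", "venet0-130-OUT", True)],
    "PVEFW-VENET-IN": [(lambda p: p["dst"] == "10.0.0.131", "venet0-131-IN", True)],
    "venet0-130-OUT": [(lambda p: tcp_port(p, 22), "PVEFW-ACCEPT-MARK", True)],  # from the post
    "venet0-131-IN": [(lambda p: tcp_port(p, 22), ACCEPT, False),
                      (lambda p: True, DROP, False)],  # assumed default
    "PVEFW-ACCEPT-MARK": [
        (lambda p: p["mark"] == 1, "PVEFW-VENET-IN", False),
        (lambda p: True, ACCEPT, False),
    ],
}

def walk(chain, pkt, trace):
    """Evaluate one chain: return ACCEPT/DROP, or None if the chain falls off its end."""
    trace.append(chain)
    for match, target, is_goto in CHAINS[chain]:
        if not match(pkt):
            continue
        if target in (ACCEPT, DROP):
            return target
        if target.startswith("MARK:"):
            pkt["mark"] = int(target[5:])  # MARK does not terminate: keep evaluating
            continue
        verdict = walk(target, pkt, trace)
        if verdict is not None or is_goto:
            return verdict  # after -g the caller's chain is not resumed
    return None

def forward(pkt):
    """Run a packet through FORWARD; returns (verdict or None for policy, final mark, chains visited)."""
    pkt = dict(pkt, mark=0)
    trace = []
    verdict = walk("FORWARD", pkt, trace)
    return verdict, pkt["mark"], trace

def packet(src, dst, in_if, out_if, dport, ctstate="NEW"):
    """Constructed TCP packet description for the model."""
    return {"src": src, "dst": dst, "in": in_if, "out": out_if,
            "proto": "tcp", "dport": dport, "ctstate": ctstate}

if __name__ == "__main__":
    for desc, pkt in [
        ("ct130 -> ct131 ssh", packet("10.0.0.130", "10.0.0.131", "venet0", "venet0", 22)),
        ("ct130 -> ct131 http", packet("10.0.0.130", "10.0.0.131", "venet0", "venet0", 80)),
        ("ct130 -> internet ssh", packet("10.0.0.130", "192.0.2.10", "venet0", "eth0", 22)),
        ("internet -> ct131 ssh", packet("192.0.2.10", "10.0.0.131", "eth0", "venet0", 22)),
    ]:
        print(desc, forward(pkt))
```

The first trace shows the point of the mark: the ssh packet between the two containers reaches PVEFW-VENET-IN through PVEFW-ACCEPT-MARK (mark 1) and is still subject to the destination's IN chain, while the same packet leaving towards the internet carries mark 0 and is accepted directly by PVEFW-ACCEPT-MARK without any IN chain.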