[pve-devel] venet firewall broken?

Alexandre DERUMIER aderumier at odiso.com
Mon May 12 11:29:25 CEST 2014


Ok, seems to work fine,

tap->tap
tap->host
host->tap
tap->vnet0
vnet0->tap


except

vnet0->host
host->vnet0

I have blocked traffic at vnet0 level, even if I have an accept rule in vnet0...
this is strange. (I need to do more tests)

does it work for you?

also, I think we can do ACCEPT in tap-out and veth-out chains


before
------
-A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -g PVEFW-SET-ACCEPT-MARK
-A tap123i0-OUT -j GROUP-group1-OUT
-A tap123i0-OUT -m mark --mark 0x1 -j RETURN

after
-----
-A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A tap123i0-OUT -j GROUP-group1-OUT
-A tap123i0-OUT -m mark --mark 0x1 -j ACCEPT


(if not, we'll parse all tap-out rules, extra overhead for nothing)
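To check the overhead argument above, here is an added example that is not from the post or from pve-firewall: a toy evaluator of iptables chain traversal (-j jump, -g goto, RETURN, ACCEPT, MARK) run over the two tap123i0-OUT layouts quoted above. The parent chain, the contents of GROUP-group1-OUT and the packet fields are assumptions made for the demonstration.

```python
# Added example, not pve-firewall code: a small model of iptables chain traversal
# that counts the rules evaluated before a verdict under the "before" (RETURN)
# and "after" (ACCEPT) tap-OUT chains. Parent and group chains are assumed.
TERMINAL = {"ACCEPT", "DROP", "RETURN"}

def rule(match, target, goto=False, value=None):
    return {"match": match, "target": target, "goto": goto, "value": value}

def walk(chains, name, pkt, counter):
    """Evaluate chain `name`; return a verdict, or 'RETURN' at end of chain."""
    for r in chains[name]:
        counter[0] += 1                          # one rule touched
        if not r["match"](pkt):
            continue
        t = r["target"]
        if t == "MARK":                          # non-terminating target
            pkt["mark"] = r["value"]
            continue
        if t in TERMINAL:
            return t
        verdict = walk(chains, t, pkt, counter)  # user-defined chain
        if r["goto"] or verdict != "RETURN":     # -g: RETURN goes to our caller
            return verdict
    return "RETURN"                              # implicit return at chain end

def any_(p): return True
def icmp_echo(p): return p["proto"] == "icmp" and p.get("type") == 8
def ssh(p): return p["proto"] == "tcp" and p.get("dport") == 22
def marked(p): return p["mark"] == 1

def build(layout):
    final = "RETURN" if layout == "before" else "ACCEPT"
    icmp_rule = (rule(icmp_echo, "PVEFW-SET-ACCEPT-MARK", goto=True)
                 if layout == "before" else rule(icmp_echo, "ACCEPT"))
    return {
        "PVEFW-SET-ACCEPT-MARK": [rule(any_, "MARK", value=1), rule(any_, "RETURN")],
        "GROUP-group1-OUT": [rule(ssh, "PVEFW-SET-ACCEPT-MARK", goto=True)],  # assumed
        "tap123i0-OUT": [rule(any_, "MARK", value=0), icmp_rule,
                         rule(any_, "GROUP-group1-OUT"), rule(marked, final)],
        # assumed parent: jump to tap chain, five non-matching rules, mark check, drop
        "PARENT-OUT": [rule(any_, "tap123i0-OUT")]
                      + [rule(lambda p: False, "DROP") for _ in range(5)]
                      + [rule(marked, "ACCEPT"), rule(any_, "DROP")],
    }

def evaluate(layout, pkt):
    """Return (verdict, rules evaluated) for pkt under layout 'before'/'after'."""
    chains, pkt, counter = build(layout), dict(pkt, mark=0), [0]
    verdict = walk(chains, "PARENT-OUT", pkt, counter)
    return ("DROP" if verdict == "RETURN" else verdict), counter[0]
```

Both layouts give the same verdict for every packet; the difference is only how many parent-chain rules are still walked after the tap chain has already decided to accept.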


----- Original Message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday 12 May 2014 10:30:41
Subject: Re: [pve-devel] venet firewall broken?

Ok thanks ! 


>>Please can you review them? If you think we can go that way, please add
>>a 'Signed-off-by' line and clean up the commit messages (remove 'based on
>>patch from Alexandre' note)

This is my first review ;) I'll try to do it cleanly 

----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday 12 May 2014 10:21:51
Subject: RE: venet firewall broken?

> >>Which is obviously wrong. So why do you want to keep that patch? 
> 
> Yes, I think you are right, we can revert that patch.

I sent a rework to the list. Those patches apply on top of: 

commit 81a1a25884420d50fc3cc0cd68e01befeb547e7e 
Author: Dietmar Maurer <dietmar at proxmox.com> 
Date: Tue May 6 11:18:25 2014 +0200 

set RELEASE to 3.2 

Please can you review them? If you think we can go that way, please add
a 'Signed-off-by' line and clean up the commit messages (remove 'based on
patch from Alexandre' note)
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 