[pve-devel] venet firewall broken?
Alexandre DERUMIER
aderumier at odiso.com
Mon May 12 11:53:39 CEST 2014
host->venet0
------------
currently
---------
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
---->we do accept here, so the host rules are bypassed
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
....
-A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
it should be
------------
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
venet0->host
------------
currently
---------
-A PVEFW-INPUT -i venet0 -j PVEFW-VENET-OUT
--->we set a mark here and return
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j RETURN >> it should be accept
it should be
-------------
-A PVEFW-INPUT -i venet0 -j PVEFW-VENET-OUT
--->we set a mark here and return
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j ACCEPT
I'll do more tests
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday, May 12, 2014 11:29:25
Subject: Re: [pve-devel] venet firewall broken?
Ok, seems to work fine,
tap->tap
tap->host
host->tap
tap->vnet0
vnet0->tap
except
vnet0->host
host->vnet0
I have blocked traffic at vnet0 level, even if I have an accept rule in vnet0...
this is strange. (I need to do more tests)
does it work for you?
also, I think we can do ACCEPT in tap-out and veth-out chains
before
------
-A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -g PVEFW-SET-ACCEPT-MARK
-A tap123i0-OUT -j GROUP-group1-OUT
-A tap123i0-OUT -m mark --mark 0x1 -j RETURN
after
-----
-A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A tap123i0-OUT -j GROUP-group1-OUT
-A tap123i0-OUT -m mark --mark 0x1 -j ACCEPT
(if not, we'll parse all tap-out rules, extra overhead for nothing)
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday, May 12, 2014 10:30:41
Subject: Re: [pve-devel] venet firewall broken?
Ok thanks !
>>Please can you review them? If you think we can go that way, please add
>>a 'Signed-off-by' line and clean up the commit messages (remove the 'based on
>>patch from Alexandre' note)
This is my first review ;) I'll try to do it cleanly
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday, May 12, 2014 10:21:51
Subject: RE: venet firewall broken?
> >>Which is obviously wrong. So why do you want to keep that patch?
>
> Yes, I think you are right, we can revert that patch.
I sent a rework to the list. Those patches apply on top of:
commit 81a1a25884420d50fc3cc0cd68e01befeb547e7e
Author: Dietmar Maurer <dietmar at proxmox.com>
Date: Tue May 6 11:18:25 2014 +0200
set RELEASE to 3.2
Please can you review them? If you think we can go that way, please add
a 'Signed-off-by' line and clean up the commit messages (remove the 'based on
patch from Alexandre' note)
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
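The two problems raised in the thread (the PVEFW-VENET-IN jump sitting before PVEFW-HOST-OUT so an early ACCEPT bypasses the host rules, and PVEFW-HOST-IN ending in RETURN instead of ACCEPT so the packet falls through to the built-in chain's policy) are both about chain traversal order and verdict semantics. The following is an added illustration written for this page, not Proxmox firewall code: a small simulator of iptables chain traversal (-j, -g, ACCEPT/DROP/RETURN, MARK) fed with the rule orderings quoted above. Assumptions are marked in comments: PVEFW-VENET-IN is taken to end in ACCEPT (as the "we do accept here" note says), and a hypothetical outbound tcp/25 DROP rule is added to PVEFW-HOST-OUT to make the bypass observable; the chain layouts themselves follow the thread. It also models the -g/RETURN behaviour that the tap-out discussion relies on.

```python
"""Tiny iptables chain-traversal simulator (constructed example for this thread).
Models -j (jump), -g (goto), ACCEPT / DROP / RETURN and the non-terminating
MARK target, and records which chains a packet visits before a verdict."""
from dataclasses import dataclass, field
from typing import Optional

TERMINAL = ("ACCEPT", "DROP")


@dataclass
class Rule:
    target: str                                  # chain name, or ACCEPT/DROP/RETURN/MARK
    match: dict = field(default_factory=dict)    # packet fields that must all be equal
    set_mark: Optional[int] = None               # used when target == "MARK"
    goto: bool = False                           # True models -g instead of -j


def rule_matches(rule: Rule, pkt: dict) -> bool:
    return all(pkt.get(k) == v for k, v in rule.match.items())


def walk(chains: dict, chain: str, pkt: dict, trace: list) -> Optional[str]:
    """Traverse one chain. Returns ACCEPT/DROP, RETURN, or None (fell off the end)."""
    trace.append(chain)
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        if rule.target == "MARK":
            pkt["mark"] = rule.set_mark          # MARK does not stop traversal
            continue
        if rule.target in TERMINAL or rule.target == "RETURN":
            return rule.target
        verdict = walk(chains, rule.target, pkt, trace)   # user-defined chain
        if verdict in TERMINAL:
            return verdict
        if rule.goto:
            # -g: a RETURN (or fall-through) in the target also leaves *this* chain,
            # so rules after the -g are never evaluated
            return "RETURN"
        # -j: RETURN / fall-through resumes at the next rule of this chain
    return None


def evaluate(chains: dict, builtin: str, pkt: dict) -> tuple:
    """Run a packet through a built-in chain.
    Returns (verdict, visited chains); "POLICY" means the chain policy decides."""
    trace: list = []
    verdict = walk(chains, builtin, dict(pkt), trace)
    return (verdict if verdict in TERMINAL else "POLICY"), trace


# --- host -> venet0 (OUTPUT) -------------------------------------------------
HOST_OUT = [
    Rule("RETURN", {"proto": "tcp", "dport": 22}),   # from the thread
    Rule("DROP", {"proto": "tcp", "dport": 25}),     # hypothetical rule, added here
    Rule("RETURN"),                                  # from the thread
]
VENET_IN = [Rule("ACCEPT")]                          # assumption: "we do accept here"

CURRENT_OUTPUT = {
    "OUTPUT": [Rule("PVEFW-OUTPUT")],
    "PVEFW-OUTPUT": [Rule("PVEFW-VENET-IN", {"out": "venet0"}), Rule("PVEFW-HOST-OUT")],
    "PVEFW-HOST-OUT": HOST_OUT,
    "PVEFW-VENET-IN": VENET_IN,
}
FIXED_OUTPUT = {
    **CURRENT_OUTPUT,
    "PVEFW-OUTPUT": [Rule("PVEFW-HOST-OUT"), Rule("PVEFW-VENET-IN", {"out": "venet0"})],
}


# --- venet0 -> host (INPUT): RETURN vs ACCEPT for tcp/22 in PVEFW-HOST-IN -----
def input_chains(ssh_target: str) -> dict:
    return {
        "INPUT": [Rule("PVEFW-INPUT")],
        "PVEFW-INPUT": [Rule("PVEFW-VENET-OUT", {"in": "venet0"}), Rule("PVEFW-HOST-IN")],
        "PVEFW-VENET-OUT": [Rule("MARK", set_mark=1), Rule("RETURN")],  # "set a mark and return"
        "PVEFW-HOST-IN": [Rule(ssh_target, {"proto": "tcp", "dport": 22})],
    }


if __name__ == "__main__":
    smtp_out = {"out": "venet0", "proto": "tcp", "dport": 25}   # constructed packet
    print("current OUTPUT:", evaluate(CURRENT_OUTPUT, "OUTPUT", smtp_out))
    print("fixed   OUTPUT:", evaluate(FIXED_OUTPUT, "OUTPUT", smtp_out))
    ssh_in = {"in": "venet0", "proto": "tcp", "dport": 22}      # constructed packet
    print("HOST-IN RETURN:", evaluate(input_chains("RETURN"), "INPUT", ssh_in))
    print("HOST-IN ACCEPT:", evaluate(input_chains("ACCEPT"), "INPUT", ssh_in))
```

With the current ordering the venet0-bound packet is accepted in PVEFW-VENET-IN and PVEFW-HOST-OUT never appears in the trace; with the reordered PVEFW-OUTPUT the host chain is consulted first. On the INPUT side, a RETURN in PVEFW-HOST-IN leaves the packet to the built-in chain's policy, whereas ACCEPT gives the intended verdict.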