[pve-devel] venet firewall broken?

Dietmar Maurer dietmar at proxmox.com
Mon May 12 11:57:02 CEST 2014


sigh - sorry. I forgot to commit that change!

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f217d40..4cefc41 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2569,7 +2569,6 @@ sub compile {
 
     ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
     ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT");
-    ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-o venet0 -j PVEFW-VENET-IN");
 
     ruleset_create_chain($ruleset, "PVEFW-VENET-IN");
     ruleset_chain_add_input_filters($ruleset, "PVEFW-VENET-IN", $hostfw_options);
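Review bot: the deletion is correct but only meaningful together with the second hunk; applied alone it leaves venet0-bound host traffic with no jump into PVEFW-VENET-IN at all, so the two hunks must land as one commit. The reason for the move is worth a comment at the new site: with `ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-o venet0 -j PVEFW-VENET-IN");` emitted here, before enable_host_firewall() has added the host's own jump to PVEFW-HOST-OUT, the venet jump is evaluated first and its ACCEPT short-circuits PVEFW-HOST-OUT, which is exactly the bypass Alexandre reported.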
@@ -2582,6 +2581,8 @@ sub compile {
 
     enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf) if $hostfw_enable;
 
+    ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-o venet0 -j PVEFW-VENET-IN");
+
     # generate firewall rules for QEMU VMs
     foreach my $vmid (keys %{$vmdata->{qemu}}) {
        my $conf = $vmdata->{qemu}->{$vmid};
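Review bot: the re-added rule needs a comment stating the ordering constraint, e.g. `# must stay after enable_host_firewall(): host OUTPUT rules are evaluated before the venet0 jump`, otherwise a later refactor can silently move it back up and reintroduce the bypass. Also note that this line is unconditional while the preceding enable_host_firewall() call is guarded by `$hostfw_enable`; venet filtering without a host firewall looks intended, but the commit message should say so.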


> -----Original Message-----
> From: Alexandre DERUMIER [mailto:aderumier at odiso.com]
> Sent: Monday, 12 May 2014 11:54
> To: Dietmar Maurer
> Cc: pve-devel at pve.proxmox.com
> Subject: Re: [pve-devel] venet firewall broken?
> 
> host->venet0
> ------------
> 
> currently
> ---------
> -A OUTPUT -j PVEFW-OUTPUT
> -A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
>                                          ---->we do accept here, so bypass host rule
> -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
>          ....
> 	-A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN
> 	-A PVEFW-HOST-OUT -j RETURN
> 
> 
> it should be
> ------------
> -A OUTPUT -j PVEFW-OUTPUT
> -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
> 	-A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN
> 	-A PVEFW-HOST-OUT -j RETURN
> 
> -A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
> 
> 
> 
> 
> 
> venet0->host
> ------------
> 
> currently
> ---------
> -A PVEFW-INPUT -i venet0 -j PVEFW-VENET-OUT
>                            --->we set a mark here and return
> -A PVEFW-INPUT -j PVEFW-HOST-IN
>       -A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j RETURN      >> it should be accept
> 
> 
> it should be
> -------------
> -A PVEFW-INPUT -i venet0 -j PVEFW-VENET-OUT
>                            --->we set a mark here and return
> -A PVEFW-INPUT -j PVEFW-HOST-IN
>       -A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j ACCEPT
> 
> 
> 
> I'll do more tests
> 
> ----- Original Message -----
> 
> From: "Alexandre DERUMIER" <aderumier at odiso.com>
> To: "Dietmar Maurer" <dietmar at proxmox.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Monday, 12 May 2014 11:29:25
> Subject: Re: [pve-devel] venet firewall broken?
> 
> Ok, seems to work fine,
> 
> tap->tap
> tap->host
> host->tap
> tap->vnet0
> vnet0->tap
> 
> 
> except
> 
> vnet0->host
> host->vnet0
> 
> I have blocked traffic at vnet0 level, even if I have an accept rule in vnet0...
> this is strange. (I need to do more tests)
> 
> does it work for you?
> 
> 
> 
> 
> 
> also, I think we can do ACCEPT in tap-out and veth-out chains
> 
> 
> before
> ------
> -A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -g PVEFW-SET-ACCEPT-MARK
> -A tap123i0-OUT -j GROUP-group1-OUT
> -A tap123i0-OUT -m mark --mark 0x1 -j RETURN
> 
> after
> -----
> -A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A tap123i0-OUT -j GROUP-group1-OUT
> -A tap123i0-OUT -m mark --mark 0x1 -j ACCEPT
> 
> 
> (if not, we'll parse all tap-out rules, extra overhead for nothing)
> 
> 
> ----- Original Message -----
> 
> From: "Alexandre DERUMIER" <aderumier at odiso.com>
> To: "Dietmar Maurer" <dietmar at proxmox.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Monday, 12 May 2014 10:30:41
> Subject: Re: [pve-devel] venet firewall broken?
> 
> Ok thanks !
> 
> 
> >>Please can you review them? If you think we can go that way, please add
> >>a 'Signed-off-by' line and clean up the commit messages (remove 'based on
> >>patch from Alexandre' note)
> 
> This is my first review ;) I'll try to do it cleanly
> 
> ----- Original Message -----
> 
> From: "Dietmar Maurer" <dietmar at proxmox.com>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Monday, 12 May 2014 10:21:51
> Subject: RE: venet firewall broken?
> 
> > >>Which is obviously wrong. So why do you want to keep that patch?
> >
> > Yes, I think you are right, we can revert that patch.
> 
> I sent a rework to the list. Those patches apply on top of:
> 
> commit 81a1a25884420d50fc3cc0cd68e01befeb547e7e
> Author: Dietmar Maurer <dietmar at proxmox.com>
> Date: Tue May 6 11:18:25 2014 +0200
> 
> set RELEASE to 3.2
> 
> Please can you review them? If you think we can go that way, please add
> a 'Signed-off-by' line and clean up the commit messages (remove 'based on
> patch from Alexandre' note)
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
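The chain-ordering problem Alexandre describes (PVEFW-OUTPUT jumping to PVEFW-VENET-IN, which accepts, before it has jumped to PVEFW-HOST-OUT) worked through with a small Python chain walker. This is an added illustration and not code from pve-firewall; the rule bodies are constructed for the example, and PVEFW-HOST-OUT is modelled as "RETURN for tcp/22, DROP everything else" to stand in for the host rules the thread elides with "....".

```python
"""Toy netfilter chain walker (added illustration; not pve-firewall code).

Models just enough of iptables semantics to show the ordering bug the
patch fixes: -j to a user chain, ACCEPT/DROP as terminating verdicts,
RETURN (explicit, or implicit at the end of a user chain) handing control
back to the calling chain, and the built-in chain's policy when nothing
terminates. Rule bodies are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    out_iface: str  # outgoing interface, e.g. "venet0" or "eth0"
    proto: str      # "tcp" / "udp" / "icmp"
    dport: int      # destination port (0 when not applicable)


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str  # "ACCEPT", "DROP", "RETURN" or the name of a user chain


Ruleset = Dict[str, List[Rule]]


def walk(ruleset: Ruleset, chain: str, pkt: Packet, trace: List[str]) -> Optional[str]:
    """Evaluate one chain. Returns "ACCEPT"/"DROP", or None for RETURN."""
    trace.append(chain)
    for rule in ruleset.get(chain, []):
        if not rule.match(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target          # terminating verdict: traversal stops
        if rule.target == "RETURN":
            return None                 # back to the calling chain
        verdict = walk(ruleset, rule.target, pkt, trace)   # -j user chain
        if verdict is not None:
            return verdict
    return None  # end of chain: implicit RETURN


def verdict_for(ruleset: Ruleset, pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Run pkt through OUTPUT; returns (verdict, chains visited in order)."""
    trace: List[str] = []
    verdict = walk(ruleset, "OUTPUT", pkt, trace)
    return (verdict if verdict is not None else policy), trace


def build_output_rules(venet_jump_first: bool) -> Ruleset:
    """PVEFW-OUTPUT as before the patch (venet jump first) or after it."""
    # Constructed stand-in for the host OUTPUT policy: ssh is allowed
    # (RETURN, as in the thread's listing), everything else is dropped.
    host_out = [
        Rule(lambda p: p.proto == "tcp" and p.dport == 22, "RETURN"),
        Rule(lambda p: True, "DROP"),
    ]
    # The thread says traffic is accepted in PVEFW-VENET-IN; model just that.
    venet_in = [Rule(lambda p: True, "ACCEPT")]
    to_venet = Rule(lambda p: p.out_iface == "venet0", "PVEFW-VENET-IN")
    to_host = Rule(lambda p: True, "PVEFW-HOST-OUT")
    pvefw_output = [to_venet, to_host] if venet_jump_first else [to_host, to_venet]
    return {
        "OUTPUT": [Rule(lambda p: True, "PVEFW-OUTPUT")],
        "PVEFW-OUTPUT": pvefw_output,
        "PVEFW-HOST-OUT": host_out,
        "PVEFW-VENET-IN": venet_in,
    }


if __name__ == "__main__":
    http_to_venet = Packet("venet0", "tcp", 80)
    for label, first in (("before patch", True), ("after patch", False)):
        verdict, trace = verdict_for(build_output_rules(first), http_to_venet)
        print(f"{label}: {verdict:6s} via {' -> '.join(trace)}")
```

With the pre-patch ordering the trace for a venet0-bound packet never contains PVEFW-HOST-OUT, so whatever the host policy says is irrelevant; with the post-patch ordering PVEFW-HOST-OUT is consulted first and only a RETURN from it lets the packet continue to the venet0 jump, while traffic to any other interface hits the host rules in both orderings.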