[pve-devel] venet firewall broken?
Alexandre DERUMIER
aderumier at odiso.com
Mon May 12 12:04:20 CEST 2014
Ok, thanks, I'll test it this afternoon
----- Mail original -----
De: "Dietmar Maurer" <dietmar at proxmox.com>
À: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Envoyé: Lundi 12 Mai 2014 12:02:43
Objet: RE: [pve-devel] venet firewall broken?
sent an updated version (only patch 7/7 changed):
[mew model rework v2 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains
> -----Original Message-----
> From: Alexandre DERUMIER [mailto:aderumier at odiso.com]
> Sent: Montag, 12. Mai 2014 11:54
> To: Dietmar Maurer
> Cc: pve-devel at pve.proxmox.com
> Subject: Re: [pve-devel] venet firewall broken?
>
> host->venet0
> ------------
>
> currently
> ---------
> -A OUTPUT -j PVEFW-OUTPUT
> -A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
> ---->we do accept here, so bypass host rule -A PVEFW-
> OUTPUT -j PVEFW-HOST-OUT
> ....
> -A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN
> -A PVEFW-HOST-OUT -j RETURN
>
>
> it should be
> ------------
> -A OUTPUT -j PVEFW-OUTPUT
> -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
> -A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN
> -A PVEFW-HOST-OUT -j RETURN
>
> -A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
>
>
>
>
>
> venet0->host
> ------------
>
> currently
> ---------
> -A PVEFW-INPUT -i venet0 -j PVEFW-VENET-OUT
> --->we set a mark here and return -A PVEFW-INPUT -j PVEFW-
> HOST-IN
> -A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j RETURN >> it should be
> accept
>
>
> it should be
> -------------
> -A PVEFW-INPUT -i venet0 -j PVEFW-VENET-OUT
> --->we set a mark here and return -A PVEFW-INPUT -j PVEFW-
> HOST-IN
> -A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j ACCEPT
>
>
>
> I'll do more tests
>
> ----- Mail original -----
>
> De: "Alexandre DERUMIER" <aderumier at odiso.com>
> À: "Dietmar Maurer" <dietmar at proxmox.com>
> Cc: pve-devel at pve.proxmox.com
> Envoyé: Lundi 12 Mai 2014 11:29:25
> Objet: Re: [pve-devel] venet firewall broken?
>
> Ok, seem to works fine,
>
> tap->tap
> tap->host
> host->tap
> tap->vnet0
> vnet0->tap
>
>
> except
>
> vnet0->host
> host->vnet0
>
> I have blocked traffic at vnet0 level, even if I have an accept rule in vnet0...
> this is strange. (I need to do more tests)
>
> does it work for you ?
>
>
>
>
>
> also, I think in we can do ACCEPT in tap-out and veth-out chains
>
>
> before
> ------
> -A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -g PVEFW-SET-ACCEPT-MARK
> -A tap123i0-OUT -j GROUP-group1-OUT
> -A tap123i0-OUT -m mark --mark 0x1 -j RETURN
>
> after
> -----
> -A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A tap123i0-OUT -j GROUP-group1-OUT
> -A tap123i0-OUT -m mark --mark 0x1 -j ACCEPT
>
>
> (if not, we'll parse all tap-out rules, extra overhead for nothing)
>
>
> ----- Mail original -----
>
> De: "Alexandre DERUMIER" <aderumier at odiso.com>
> À: "Dietmar Maurer" <dietmar at proxmox.com>
> Cc: pve-devel at pve.proxmox.com
> Envoyé: Lundi 12 Mai 2014 10:30:41
> Objet: Re: [pve-devel] venet firewall broken?
>
> Ok thanks !
>
>
> >>Please can you review them? If you think we can go that way, please add
> >>add 'Signed-off-by' line and cleanup the commit messages (remove 'based
> on
> >>patch from Alexandre' note)
>
> This is my first review ;) I'll try to do it cleanly
>
> ----- Mail original -----
>
> De: "Dietmar Maurer" <dietmar at proxmox.com>
> À: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com
> Envoyé: Lundi 12 Mai 2014 10:21:51
> Objet: RE: venet firewall broken?
>
> > >>Which is obviously wrong. So why do you want to keep that patch?
> >
> > Yes,I think you are right, we can revert that patch.
>
> I sent a rework to the list. Those patches apply on top of:
>
> commit 81a1a25884420d50fc3cc0cd68e01befeb547e7e
> Author: Dietmar Maurer <dietmar at proxmox.com>
> Date: Tue May 6 11:18:25 2014 +0200
>
> set RELEASE to 3.2
>
> Please can you review them? If you think we can go that way, please add
> add 'Signed-off-by' line and cleanup the commit messages (remove 'based
> on
> patch from Alexandre' note)
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
More information about the pve-devel
mailing list