[pve-devel] [PATCH] insert PVEFW-IPS after vm rules generation v2

Alexandre DERUMIER aderumier at odiso.com
Tue May 13 07:52:40 CEST 2014


>> I don't understand the problem. Why does this produce different output than the original code?

I found 2 bugs:

1) The PVEFW-IPS chain was empty, because we test for it before rule generation.


2) Also, an accept is missing at the end of the PVEFW-IPS chain.


> - my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : 
> "ACCEPT"

current code:
-------------
if PVEFW-IPS not exists:

-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

if PVEFW-IPS exists:

-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS
     -A PVEFW-IPS -m physdev --physdev-out tap123i0 --physdev-is-bridged -j NFQUEUE

(bug: so we don't accept established non-IPS traffic)


Correct way
------------
-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS
     -A PVEFW-IPS -m physdev --physdev-out tap123i0 --physdev-is-bridged -j NFQUEUE
     -j ACCEPT




I see that you use a new ruleset_chain_add_conn_filters() sub,

but I need to insert (not add) the -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS rule,

that's why my patch does:

-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS
            -A PVEFW-IPS -m physdev --physdev-out tap123i0 --physdev-is-bridged -j NFQUEUE
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
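The chain ordering discussed above, modelled as an added example (not part of this thread or of Proxmox's Firewall.pm): a toy iptables chain-traversal evaluator run over the "current code" layout and the ordering the patch produces. tap456i0 is an assumed second VM interface; the packets are constructed samples.

```python
# Added example for this thread, not Proxmox code: a minimal model of iptables
# chain traversal, enough to show why the order of the PVEFW-FORWARD rules and
# the missing ACCEPT in PVEFW-IPS matter. A rule is (predicate, target); a target
# is a verdict (ACCEPT, DROP, NFQUEUE) or the name of a user chain to jump into.
# A user chain exhausted without a verdict implicitly RETURNs to its caller.

def evaluate(chains, chain, pkt, fallthrough="FALLTHROUGH"):
    """Walk `chain` for `pkt`; return the first verdict, else `fallthrough`."""
    for predicate, target in chains[chain]:
        if not predicate(pkt):
            continue
        if target in ("ACCEPT", "DROP", "NFQUEUE"):
            return target
        verdict = evaluate(chains, target, pkt, fallthrough=None)  # jump
        if verdict is not None:  # None means the user chain RETURNed
            return verdict
    return fallthrough  # top level: packet continues to later FORWARD rules

established = lambda p: p["ctstate"] in ("RELATED", "ESTABLISHED")
invalid = lambda p: p["ctstate"] == "INVALID"
physdev_out = lambda dev: (lambda p: p.get("physdev_out") == dev)

# "current code" layout: established traffic is diverted into PVEFW-IPS, which
# only queues tap123i0 and never ACCEPTs anything else.
CURRENT = {
    "PVEFW-FORWARD": [(invalid, "DROP"), (established, "PVEFW-IPS")],
    "PVEFW-IPS": [(physdev_out("tap123i0"), "NFQUEUE")],
}

# Ordering produced by the patch: the IPS jump is inserted at the head and the
# generic RELATED,ESTABLISHED ACCEPT stays behind it as the fallback.
PATCHED = {
    "PVEFW-FORWARD": [(established, "PVEFW-IPS"), (invalid, "DROP"),
                      (established, "ACCEPT")],
    "PVEFW-IPS": [(physdev_out("tap123i0"), "NFQUEUE")],
}

def verdicts(chains):
    """(IPS-monitored established packet, other established packet) verdicts."""
    ips_pkt = {"ctstate": "ESTABLISHED", "physdev_out": "tap123i0"}    # constructed
    other_pkt = {"ctstate": "ESTABLISHED", "physdev_out": "tap456i0"}  # constructed
    return (evaluate(chains, "PVEFW-FORWARD", ips_pkt),
            evaluate(chains, "PVEFW-FORWARD", other_pkt))

if __name__ == "__main__":
    print("current:", verdicts(CURRENT))  # ('NFQUEUE', 'FALLTHROUGH')
    print("patched:", verdicts(PATCHED))  # ('NFQUEUE', 'ACCEPT')
```

With the current layout the non-IPS established packet leaves PVEFW-IPS without a verdict and is never accepted early; with the patched ordering it falls back to the RELATED,ESTABLISHED ACCEPT.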





----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Tuesday, 13 May 2014 07:25:31
Subject: RE: [pve-devel] [PATCH] insert PVEFW-IPS after vm rules generation v2

I don't understand the problem. Why does this produce different output than the original code?

> -----Original Message----- 
> From: pve-devel [mailto:pve-devel-bounces at pve.proxmox.com] On Behalf 
> Of Alexandre Derumier 
> Sent: Monday, 12 May 2014 15:19
> To: pve-devel at pve.proxmox.com 
> Subject: [pve-devel] [PATCH] insert PVEFW-IPS after vm rules generation v2 
> 
> or it never match it 
> 
> Signed-off-by: Alexandre Derumier <aderumier at odiso.com> 
> --- 
> src/PVE/Firewall.pm | 7 +++++-- 
> 1 file changed, 5 insertions(+), 2 deletions(-) 
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 
> 4cefc41..41494c6 100644 
> --- a/src/PVE/Firewall.pm 
> +++ b/src/PVE/Firewall.pm 
> @@ -2550,8 +2550,7 @@ sub compile { 
> # fixme: what log level should we use here? 
> my $loglevel = get_option_log_level($hostfw_options, "log_level_out"); 
> 
> - my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : 
> "ACCEPT"; 
> - ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $accept); 
> + ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", 
> + "ACCEPT"); 
> 
> if ($cluster_conf->{ipset}->{blacklist}){ 
> ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, 
> "-m set --match-set PVEFW-blacklist src"); @@ -2633,6 +2632,10 @@ sub 
> compile { 
> } 
> } 
> 
> + if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){ 
> + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack -- 
> ctstate RELATED,ESTABLISHED -j PVEFW-IPS"); 
> + } 
> + 
> return ($ruleset, $ipset_ruleset); 
> } 
> 
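Review bot: in the second hunk (`@@ -2633,6 +2632,10 @@`), the inserted rule string is split across two mail lines (`"-m conntrack --` / `ctstate RELATED,ESTABLISHED -j PVEFW-IPS"`); if that break is in the actual patch rather than mail wrapping, the rule is malformed and must be a single string. Also, `ruleset_insertrule` places the jump ahead of the `INVALID -j DROP` and `RELATED,ESTABLISHED -j ACCEPT` entries that `ruleset_chain_add_conn_filters` already added, and PVEFW-IPS itself has no terminating ACCEPT, so established traffic that the physdev rule does not queue relies on returning into PVEFW-FORWARD and hitting that later ACCEPT; a one-line comment stating that this fallback is intended would keep someone from "fixing" the order. Minor style point: the file writes `if (` with a space (see `if ($cluster_conf->{ipset}->{blacklist})` in the first hunk), so `if(ruleset_chain_exist(...)){` should match.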
> -- 
> 1.7.10.4 
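Review bot: on the first hunk (`@@ -2550,8 +2550,7 @@`), the removed ternary on `ruleset_chain_exist($ruleset, "PVEFW-IPS")` ran at this point in compile(), before the VM rule generation that creates PVEFW-IPS, so it always yielded "ACCEPT"; that is why the hunk works, but neither the hunk nor the commit message ("or it never match it") says so. Suggest expanding the commit message to state that ordering problem, and adding a short comment above `ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", "ACCEPT");` noting that the IPS jump is inserted later, after VM rule generation, so a future reader does not reintroduce the chain-exists test here.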
> 
