[pve-devel] firewall simulator

Dietmar Maurer dietmar at proxmox.com
Wed May 14 12:28:47 CEST 2014


Hi Alexandre,

I improved the simulator to simulate the kernel behavior more closely.

For example the following test:

{ from => 'vm101', to => 'vm100', dport => 443, action => 'ACCEPT', id => 'vm2vm'}

produces this trace (note: I also improved the fwtester.pl command-line options):

--------------------------------------
pve-firewall/tests# ./fwtester.pl -d test-basic1/tests vm2vm
... (ruleset)
IPT check at fwbr-out (chain PVEFW-FORWARD)
$VAR1 = {
          'mac_source' => '0E:0B:38:B8:B3:22',
          'source' => '10.11.12.13',
          'proto' => 'tcp',
          'dest' => '10.11.12.14',
          'iface_in' => 'fwbr101i0',
          'dport' => 443,
          'iface_out' => 'fwbr101i0',
          'physdev_in' => 'tap101i0',
          'physdev_out' => 'fwln101i0',
          'sport' => '1234',
          'id' => 'vm2vm'
        };
ENTER chain PVEFW-FORWARD
SKIP: -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
SKIP: -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
SKIP: -A PVEFW-FORWARD -i venet0 -j PVEFW-VENET-OUT
SKIP: -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
MATCH: -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
ENTER chain PVEFW-FWBR-OUT
SKIP: -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
LEAVE chain PVEFW-FWBR-OUT
CONTINUE chain PVEFW-FORWARD
SKIP: -A PVEFW-FORWARD -o venet0 -j PVEFW-VENET-IN
LEAVE chain PVEFW-FORWARD
IPT check at vmbr0 (chain PVEFW-FORWARD)
$VAR1 = {
          'mac_source' => '0E:0B:38:B8:B3:22',
          'source' => '10.11.12.13',
          'proto' => 'tcp',
          'dest' => '10.11.12.14',
          'iface_in' => 'vmbr0',
          'dport' => 443,
          'iface_out' => 'vmbr0',
          'physdev_in' => 'fwpr101p0',
          'physdev_out' => 'fwpr100p0',
          'sport' => '1234',
          'id' => 'vm2vm'
        };
ENTER chain PVEFW-FORWARD
SKIP: -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
SKIP: -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
SKIP: -A PVEFW-FORWARD -i venet0 -j PVEFW-VENET-OUT
SKIP: -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
SKIP: -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
SKIP: -A PVEFW-FORWARD -o venet0 -j PVEFW-VENET-IN
LEAVE chain PVEFW-FORWARD
IPT check at fwbr-in (chain PVEFW-FORWARD)
$VAR1 = {
          'mac_source' => '0E:0B:38:B8:B3:22',
          'source' => '10.11.12.13',
          'proto' => 'tcp',
          'dest' => '10.11.12.14',
          'iface_in' => 'fwbr100i0',
          'dport' => 443,
          'iface_out' => 'fwbr100i0',
          'physdev_in' => 'fwln100i0',
          'physdev_out' => 'tap100i0',
          'sport' => '1234',
          'id' => 'vm2vm'
        };
ENTER chain PVEFW-FORWARD
SKIP: -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
SKIP: -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
SKIP: -A PVEFW-FORWARD -i venet0 -j PVEFW-VENET-OUT
MATCH: -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
ENTER chain PVEFW-FWBR-IN
SKIP: -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
MATCH: -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
ENTER chain tap100i0-IN
SKIP: -A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
MATCH: -A tap100i0-IN -p tcp --dport 443 -j ACCEPT
TERMINATE chain tap100i0-IN: ACCEPT
PASS: test-basic1/tests
OK - all tests passed
--------------------------------------

So you can see 3 netfilter checks (IPT check).

I am not 100% sure if the code always produces the same checks as a real kernel; that needs more testing.

What do you think?
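The chain walk the trace above records (ENTER, SKIP, MATCH, CONTINUE, LEAVE and TERMINATE across the three IPT checks), as an added example: a small Python simulator written for this page, not fwtester.pl or any other pve-firewall code. It parses the iptables-save subset that appears in the trace, walks PVEFW-FORWARD at each of the three hooks with the interface names taken from the $VAR1 dumps, and returns the first terminal verdict. Assumptions: the ruleset is a constructed subset of the one in the trace (PVEFW-smurfs, the venet rules and the per-VM default-policy rules are left out), the packet is treated as ctstate NEW, and `--physdev-is-bridged` is approximated as "both physdev names are present".

```python
"""Toy iptables chain-traversal simulator (added example, not pve-firewall code) that
prints the ENTER/SKIP/MATCH/CONTINUE/LEAVE/TERMINATE trace style of fwtester.pl.
The ruleset is a constructed subset of the trace's: PVEFW-smurfs, the venet rules and
the per-VM default-policy rules are omitted, so an unmatched packet ends with no verdict."""
import shlex

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}
VALUE_OPTS = {"-A", "-j", "-m", "-p", "--dport", "--sport", "--ctstate",
              "--physdev-in", "--physdev-out"}
IFACE_KEYS = ("iface_in", "iface_out", "physdev_in", "physdev_out")

RULESET_TEXT = """
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
-A tap100i0-IN -p udp --dport 68 --sport 67 -j ACCEPT
-A tap100i0-IN -p tcp --dport 443 -j ACCEPT
"""

def iface_match(pattern, name):
    """iptables interface wildcard: a trailing '+' matches any suffix."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def parse_rule(text):
    """Parse the iptables-save subset seen in the trace into {text, chain, target, m}."""
    toks, i, opts = shlex.split(text), 0, {}
    while i < len(toks):
        opt = toks[i]
        if opt == "--physdev-is-bridged":        # flag option, takes no value
            opts[opt], i = True, i + 1
        elif opt in VALUE_OPTS:
            opts[opt], i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token {opt!r} in rule: {text}")
    opts.pop("-m", None)                         # -m names an extension; its options identify it
    return {"text": text, "chain": opts.pop("-A"), "target": opts.pop("-j"), "m": opts}

def load_ruleset(text):
    """Group rules by chain and register every user-chain jump target, so jumps resolve."""
    ruleset = {}
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        ruleset.setdefault(rule["chain"], []).append(rule)
        if rule["target"] not in TERMINAL_TARGETS:
            ruleset.setdefault(rule["target"], [])
    return ruleset

def rule_matches(rule, pkt):
    """Every match option on the rule must hold for the packet."""
    checks = {
        "-p": lambda v: v == pkt["proto"],
        "--dport": lambda v: int(v) == int(pkt["dport"]),
        "--sport": lambda v: int(v) == int(pkt["sport"]),
        "--ctstate": lambda v: pkt["ctstate"] in v.split(","),
        # assumption: "bridged" approximated as both physdev names being known
        "--physdev-is-bridged": lambda v: bool(pkt["physdev_in"] and pkt["physdev_out"]),
        "--physdev-in": lambda v: iface_match(v, pkt["physdev_in"]),
        "--physdev-out": lambda v: iface_match(v, pkt["physdev_out"]),
    }
    return all(checks[opt](val) for opt, val in rule["m"].items())

def walk_chain(ruleset, chain, pkt, trace):
    """Walk one chain; return a terminal verdict, or None when the chain falls through."""
    trace.append(f"ENTER chain {chain}")
    for rule in ruleset[chain]:
        if not rule_matches(rule, pkt):
            trace.append(f"SKIP: {rule['text']}")
            continue
        trace.append(f"MATCH: {rule['text']}")
        target = rule["target"]
        if target in TERMINAL_TARGETS:
            trace.append(f"TERMINATE chain {chain}: {target}")
            return target
        verdict = walk_chain(ruleset, target, pkt, trace)   # jump into a user chain
        if verdict is not None:
            return verdict                                  # verdict propagates upward
        trace.append(f"CONTINUE chain {chain}")            # user chain fell through
    trace.append(f"LEAVE chain {chain}")
    return None

# The three hooks a vm101 -> vm100 packet crosses, with the interface names from the
# trace's $VAR1 dumps: (hook, iface_in, iface_out, physdev_in, physdev_out).
VM2VM_HOPS = [
    ("fwbr-out", "fwbr101i0", "fwbr101i0", "tap101i0", "fwln101i0"),
    ("vmbr0", "vmbr0", "vmbr0", "fwpr101p0", "fwpr100p0"),
    ("fwbr-in", "fwbr100i0", "fwbr100i0", "fwln100i0", "tap100i0"),
]

def make_packet(dport, proto="tcp"):
    """Packet fields as in the trace; ctstate NEW is an assumption of this example."""
    return dict(source="10.11.12.13", dest="10.11.12.14", proto=proto,
                sport=1234, dport=dport, ctstate="NEW")

def simulate_path(ruleset, hops, pkt):
    """Run the packet through each hook in order; the first terminal verdict wins."""
    trace = []
    for hook, *ifaces in hops:
        hop_pkt = dict(pkt, **dict(zip(IFACE_KEYS, ifaces)))
        trace.append(f"IPT check at {hook} (chain PVEFW-FORWARD)")
        verdict = walk_chain(ruleset, "PVEFW-FORWARD", hop_pkt, trace)
        if verdict is not None:
            return verdict, trace
    return None, trace   # no rule decided at any hook

RULESET = load_ruleset(RULESET_TEXT)
```

`simulate_path(RULESET, VM2VM_HOPS, make_packet(443))` reproduces the shape of the trace above: the first hook matches `--physdev-out fwln+`, enters PVEFW-FWBR-OUT, leaves it and continues, the second hook skips everything, and the third hook terminates in tap100i0-IN with ACCEPT. Two variations are worth running when reviewing a ruleset this way: a packet to port 80 walks all three hooks and ends with no verdict, because the constructed subset has no default-policy rule at the end of tap100i0-IN, and a packet marked ESTABLISHED is accepted by the conntrack rule at the very first hook without ever reaching the VM chain, which is why only the NEW packet of a connection needs to be traced against the per-VM rules.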