[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

Dietmar Maurer dietmar at proxmox.com
Wed May 14 14:38:31 CEST 2014


> >>But I guess that does not work due to physdev match limitation :-/
> 
> oh, ok.

The following works for me with fwtester:

# ./fwtester.pl -d test-basic1/tests vm2vm
IPT statistics: invocation = 3, checks = 33

When I add:

 -A FORWARD -j PVEFW-FORWARD
 -A  PVEFW-FORWARD -o vmbr+ -m physdev --physdev-is-bridged --physdev-out fwpr+ -j RETURN

# ./fwtester.pl -d test-basic1/tests vm2vm
IPT statistics: invocation = 3, checks = 30

So I guess we do not gain much here?

> Maybe, to bypass the firewall, can we simply move the first rules from PVEFW-FORWARD
> to PVEFW-FWBR-IN|OUT and PVEFW-VENET-IN|OUT?
> 
> -A FORWARD -j PVEFW-FORWARD
> 
> -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-VENET-OUT   >> ipset to match only firewall venet0
>     -A PVEFW-VENET-OUT -m conntrack --ctstate INVALID -j DROP
>     -A PVEFW-VENET-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 
> -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
>     -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID -j DROP
>     -A PVEFW-FWBR-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>     -A PVEFW-FWBR-IN -m set --match-set PVEFW-blacklist src -j DROP
> 
> -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
>     -A PVEFW-FWBR-OUT -m conntrack --ctstate INVALID -j DROP
>     -A PVEFW-FWBR-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


We just moved them in the opposite direction?
 
> -A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-VENET-IN
>     -A PVEFW-VENET-IN -m conntrack --ctstate INVALID -j DROP
>     -A PVEFW-VENET-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>     -A PVEFW-FORWARD -m set --match-set PVEFW-blacklist src -j DROP
> 

already committed.
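
As an added illustration for this thread (not fwtester and not pve-firewall code), the toy chain walker below models the chain layout quoted above and counts how many rules a vm2vm packet is tested against on its three bridge hops (sender's fwbr, the shared vmbr, receiver's fwbr), with and without the early `-o vmbr+ ... --physdev-out fwpr+ -j RETURN` rule. The bridge and port names (tap100i0, fwbr100i0, fwln100i0/fwpr100p0, vmbr0, ...), the ACCEPT policy on FORWARD, the omitted venet0 ipset and the "blacklisted" flag standing in for the PVEFW-blacklist set match are all assumptions of the example; the resulting counts are for this toy rule set, not the 33/30 fwtester reports for the real one.

```python
"""Toy iptables chain walker: counts how many rules one packet is matched
against ("checks", as in fwtester's IPT statistics) while it crosses the
three bridges between two VMs, with and without the early RETURN rule.
Added illustration for the thread; not fwtester or pve-firewall code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Pkt:
    """What one FORWARD invocation sees on one bridge hop."""
    in_if: str            # -i  (bridge the frame arrived on)
    out_if: str           # -o  (bridge the frame leaves on)
    physdev_in: str       # --physdev-in  (bridge port it came in on)
    physdev_out: str      # --physdev-out (bridge port it leaves on)
    ctstate: str = "NEW"
    blacklisted: bool = False   # stands in for "-m set --match-set PVEFW-blacklist src"


Rule = Tuple[Callable[[Pkt], bool], str]   # (match predicate, target)
TERMINAL = ("ACCEPT", "DROP", "RETURN")


def glob(name: str, pattern: str) -> bool:
    """iptables interface wildcard: 'vmbr+' matches any name starting with 'vmbr'."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern


def build_chains(early_return: bool) -> Dict[str, List[Rule]]:
    """Chains modelled on the layout quoted in the thread (venet0 ipset match omitted)."""
    conntrack: List[Rule] = [
        (lambda p: p.ctstate == "INVALID", "DROP"),
        (lambda p: p.ctstate in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    ]
    fwd: List[Rule] = []
    if early_return:
        # -A PVEFW-FORWARD -o vmbr+ -m physdev --physdev-is-bridged --physdev-out fwpr+ -j RETURN
        fwd.append((lambda p: glob(p.out_if, "vmbr+") and glob(p.physdev_out, "fwpr+"), "RETURN"))
    fwd += [
        (lambda p: p.in_if == "venet0", "PVEFW-VENET-OUT"),
        (lambda p: glob(p.physdev_in, "fwln+"), "PVEFW-FWBR-IN"),
        (lambda p: glob(p.physdev_out, "fwln+"), "PVEFW-FWBR-OUT"),
        (lambda p: p.out_if == "venet0", "PVEFW-VENET-IN"),
        (lambda p: p.blacklisted, "DROP"),
    ]
    return {
        "FORWARD": [(lambda p: True, "PVEFW-FORWARD")],
        "PVEFW-FORWARD": fwd,
        "PVEFW-VENET-OUT": list(conntrack),
        "PVEFW-FWBR-IN": conntrack + [(lambda p: p.blacklisted, "DROP")],
        "PVEFW-FWBR-OUT": list(conntrack),
        "PVEFW-VENET-IN": list(conntrack),
    }


def walk(chains: Dict[str, List[Rule]], chain: str, pkt: Pkt, stats: Dict[str, int]) -> str:
    """Evaluate `chain` top to bottom, counting every rule the packet is tested against."""
    for match, target in chains[chain]:
        stats["checks"] += 1
        if not match(pkt):
            continue
        if target in TERMINAL:
            return target
        verdict = walk(chains, target, pkt, stats)   # jump into a user chain
        if verdict != "RETURN":
            return verdict
    return "RETURN"   # end of chain: back to the caller (or the policy for FORWARD)


def vm2vm_hops(ctstate: str = "NEW", blacklisted: bool = False) -> List[Pkt]:
    """Assumed bridge layout for VM 100 -> VM 101 on vmbr0 (names are illustrative):
    tap100i0 -> fwbr100i0 -> fwln100i0/fwpr100p0 -> vmbr0 -> fwpr101p0/fwln101i0 -> fwbr101i0 -> tap101i0"""
    common = dict(ctstate=ctstate, blacklisted=blacklisted)
    return [
        Pkt("fwbr100i0", "fwbr100i0", "tap100i0", "fwln100i0", **common),   # sender's firewall bridge
        Pkt("vmbr0", "vmbr0", "fwpr100p0", "fwpr101p0", **common),          # the shared vmbr
        Pkt("fwbr101i0", "fwbr101i0", "fwln101i0", "tap101i0", **common),   # receiver's firewall bridge
    ]


def run(hops: List[Pkt], early_return: bool, policy: str = "ACCEPT") -> Tuple[int, List[str]]:
    """Push a packet through every hop; returns (total checks, verdict per hop)."""
    chains = build_chains(early_return)
    stats = {"checks": 0}
    verdicts: List[str] = []
    for pkt in hops:
        v = walk(chains, "FORWARD", pkt, stats)
        verdicts.append(policy if v == "RETURN" else v)
        if verdicts[-1] == "DROP":
            break   # a dropped frame never reaches the next bridge
    return stats["checks"], verdicts


if __name__ == "__main__":
    for er in (False, True):
        print("early RETURN" if er else "no early RETURN", run(vm2vm_hops(), er))
```

In this toy the early RETURN only saves the vmbr hop's remaining PVEFW-FORWARD checks (23 checks become 21 for a NEW vm2vm packet), which is the same small relative gain the fwtester numbers above show; the two fwbr hops still walk their full chains either way.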

