[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces
Alexandre DERUMIER
aderumier at odiso.com
Wed May 14 15:47:34 CEST 2014
>>When I add:
>>
>> -A FORWARD -j PVEFW-FORWARD
>> -A  PVEFW-FORWARD -o vmbr+ -m physdev --physdev-is-bridged --physdev-out fwpr+ -j RETURN
>>
>># ./fwtester.pl -d test-basic1/tests vm2vm
>>IPT statistics: invocation = 3, checks = 30
>>So I guess we do not gain much here?
Not too much gain indeed,
unfirewalled traffic will do
 -A FORWARD -j PVEFW-FORWARD 
   -A PVEFW-FORWARD -i venet0  -j PVEFW-VENET-OUT
   -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
   -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT 
   -A PVEFW-FORWARD -o venet0  -j PVEFW-VENET-IN
 -A ACCEPT
so 4 rules for unfirewalled veth|tap traffic.
for unfirewalled venet0 traffic, we enter PVEFW-VENET-OUT|IN, so I would like to find a way to bypass it
also,
I don't know if we want to keep 
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
for non-firewalled VMs?
(do we want to conntrack non-firewalled VMs? It can improve performance, but in case of a firewall attack (synflood for example),
if conntrack is full, this will impact non-firewalled VMs)
>>> maybe, to bypass firewall, can we simply move first rules from PVE-FORWARD to PVEFW-FWBR-IN|OUT,PVEFW-VENET-IN|OUT ? 
>>> 
>>> -A FORWARD -j PVEFW-FORWARD 
>>> 
>>> -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-VENET-OUT >>ipset to match only firewall vnet0 
>>> -A PVEFW-VENET-OUT -m conntrack --ctstate INVALID -j DROP 
>>> -A PVEFW-VENET-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
>>> 
>>> -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN 
>>> -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID -j DROP 
>>> -A PVEFW-FWBR-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
>>> -A PVEFW-FWBR-IN -m set --match-set PVEFW-blacklist src -j DROP 
>>> 
>>> -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT 
>>> -A PVEFW-FWBR-OUT -m conntrack --ctstate INVALID -j DROP 
>>> -A PVEFW-FWBR-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
>>We just moved them the opposite direction? 
What do you mean by opposite direction ?
----- Original Message ----- 
From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Wednesday 14 May 2014 14:38:31 
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces 
> >>But I guess that does not work due to physdev match limitation :-/ 
> 
> oh, ok. 
The following works for me with fwtester: 
# ./fwtester.pl -d test-basic1/tests vm2vm 
IPT statistics: invocation = 3, checks = 33 
When I add: 
-A FORWARD -j PVEFW-FORWARD 
-A PVEFW-FORWARD -o vmbr+ -m physdev --physdev-is-bridged --physdev-out fwpr+ -j RETURN 
# ./fwtester.pl -d test-basic1/tests vm2vm 
IPT statistics: invocation = 3, checks = 30 
So I guess we do not gain much here? 
> maybe, to bypass firewall, can we simply move first rules from PVE-FORWARD to PVEFW-FWBR-IN|OUT,PVEFW-VENET-IN|OUT ? 
> 
> -A FORWARD -j PVEFW-FORWARD 
> 
> -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-VENET-OUT >>ipset to match only firewall vnet0 
> -A PVEFW-VENET-OUT -m conntrack --ctstate INVALID -j DROP 
> -A PVEFW-VENET-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
> 
> -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN 
> -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID -j DROP 
> -A PVEFW-FWBR-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
> -A PVEFW-FWBR-IN -m set --match-set PVEFW-blacklist src -j DROP 
> 
> -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT 
> -A PVEFW-FWBR-OUT -m conntrack --ctstate INVALID -j DROP 
> -A PVEFW-FWBR-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
We just moved them the opposite direction? 
> -A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-VENET-IN 
> -A PVEFW-VENET-IN -m conntrack --ctstate INVALID -j DROP 
> -A PVEFW-VENET-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
> -A PVEFW-FORWARD -m set --match-set PVEFW-blacklist src -j DROP 
> 
already committed. 
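As an added illustration of the rule-check counting and the conntrack trade-off discussed in this thread (this is not Proxmox or fwtester code): a toy Python model of netfilter chain traversal that walks the chains quoted above and reports how many rules an unfirewalled tap packet is checked against. The chain names and rules come from the thread; the packet fields, the `tap100i0` name and the treatment of ctstate as a simple string are assumptions.

```python
# Added example, not Proxmox/fwtester code: toy netfilter chain-traversal model that
# counts rule checks for the chains quoted here (wildcards + ctstate only; no ipset/physdev-is-bridged).
def _glob(pattern, value):
    """iptables interface wildcard: 'fwln+' matches any name starting with 'fwln'."""
    value = value or ""
    return value.startswith(pattern[:-1]) if pattern.endswith("+") else value == pattern
def _matches(match, pkt):
    for key, want in match.items():
        if key == "ctstate":
            if pkt.get("ctstate") not in want:
                return False
        elif not _glob(want, pkt.get(key)):
            return False
    return True
def _walk(chains, name, pkt, stats):
    """Return ACCEPT/DROP, or None when the chain ends or a rule RETURNs."""
    for match, target in chains[name]:
        stats["checks"] += 1
        if not _matches(match, pkt):
            continue
        if target == "RETURN":
            return None
        if target in ("ACCEPT", "DROP"):
            return target
        verdict = _walk(chains, target, pkt, stats)  # jump into a user chain
        if verdict is not None:
            return verdict
    return None
def evaluate(chains, pkt, policy="ACCEPT"):
    """Verdict for pkt entering FORWARD, plus the number of rules examined."""
    stats = {"checks": 0}
    return _walk(chains, "FORWARD", pkt, stats) or policy, stats["checks"]

# Chains as quoted in the thread, RELATED,ESTABLISHED shortcut first.
CHAINS = {
    "FORWARD": [({}, "PVEFW-FORWARD")],
    "PVEFW-FORWARD": [
        ({"ctstate": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
        ({"in": "venet0"}, "PVEFW-VENET-OUT"),
        ({"physdev_in": "fwln+"}, "PVEFW-FWBR-IN"),
        ({"physdev_out": "fwln+"}, "PVEFW-FWBR-OUT"),
        ({"out": "venet0"}, "PVEFW-VENET-IN"),
    ],
    "PVEFW-VENET-OUT": [], "PVEFW-VENET-IN": [],
    "PVEFW-FWBR-IN": [({"ctstate": {"INVALID"}}, "DROP")],
    "PVEFW-FWBR-OUT": [({"ctstate": {"INVALID"}}, "DROP")],
}
# Constructed packet: unfirewalled VM whose tap sits directly on vmbr0 (no fwln/fwpr pair).
UNFIREWALLED_NEW = {"in": "vmbr0", "out": "vmbr0", "physdev_in": "tap100i0", "ctstate": "NEW"}
```

Removing the RELATED,ESTABLISHED shortcut from PVEFW-FORWARD makes established flows of unfirewalled VMs pay the same five checks as new ones, which is the trade-off against conntrack table exhaustion raised above.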