[pve-devel] pve-firewall / current git master
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Mon Feb 6 11:25:44 CET 2017
Hi,
after upgrading my test cluster to the latest git versions from 4.3, I've no
working firewall rules anymore. All chains contain an ACCEPT rule. But
I'm not sure whether this was also the case with 4.3. But it breaks the
rules.
The chain is this one:
# iptables -L tap137i0-IN -vnx
Chain tap137i0-IN (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set PVEFW-0-officeips-v4 src tcp dpt:443
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set PVEFW-0-ph-networks-v4 src tcp dpt:22
66 3040 GROUP-ph_default_group-IN all -- * * 0.0.0.0/0 0.0.0.0/0
33 1716 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
0 0 PVEFW-Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 /* PVESIG:zR5Xk5kxEPWmHBeoIDiNXxCERrg */
But all packets get accepted by:
33 1716 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
What is this?
Greets,
Stefan
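An added example, not from the mail or from pve-firewall itself: a small Python parser for the `iptables -L <chain> -vnx` dump quoted above (re-joined to one line per rule and embedded as constructed sample input). It copes with the empty target column of the PVESIG comment rule, lists which ACCEPT rules actually admitted packets according to the counters, and reports the first catch-all terminal rule after which no later rule can fire. The class and function names are my own.

```python
from dataclasses import dataclass
from typing import List, Tuple
# Constructed sample: the chain dump from the mail, re-joined to one line per rule.
SAMPLE = """\
Chain tap137i0-IN (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set PVEFW-0-officeips-v4 src tcp dpt:443
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set PVEFW-0-ph-networks-v4 src tcp dpt:22
66 3040 GROUP-ph_default_group-IN all -- * * 0.0.0.0/0 0.0.0.0/0
33 1716 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
0 0 PVEFW-Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 /* PVESIG:zR5Xk5kxEPWmHBeoIDiNXxCERrg */
"""
PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "icmpv6", "esp", "ah", "sctp"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Rule:
    pkts: int
    target: str   # '' when the target column is empty (the PVESIG comment rule)
    prot: str
    src: str
    dst: str
    extra: str    # match text after the destination column, e.g. 'mark match ...'

def parse_chain(dump: str) -> Tuple[str, List[Rule]]:
    """Parse `iptables -L <chain> -vnx` output into (chain name, rules)."""
    lines = [l for l in dump.splitlines() if l.strip()]
    name = lines[0].split()[1]              # 'Chain tap137i0-IN (1 references)'
    rules = []
    for line in lines[2:]:                  # skip the 'Chain' line and the column header
        tok = line.split()
        if tok[2] in PROTOS:                # empty target column: shift the fields right
            tok.insert(2, "")
        pkts, _bytes, target, prot, _opt, _in, _out, src, dst = tok[:9]
        rules.append(Rule(int(pkts), target, prot, src, dst, " ".join(tok[9:])))
    return name, rules

def accepting_rules(rules: List[Rule]) -> List[Tuple[int, Rule]]:
    """Rules whose counters show they actually ACCEPTed packets, with their index."""
    return [(i, r) for i, r in enumerate(rules) if r.target == "ACCEPT" and r.pkts > 0]

def unreachable_after(rules: List[Rule]) -> int:
    """Index of the first terminal rule that matches everything; rules after it never fire."""
    for i, r in enumerate(rules):
        if r.target in TERMINAL and r.prot == "all" and r.src == r.dst == "0.0.0.0/0" and not r.extra:
            return i
    return -1
```

Run against the sample, the only ACCEPT rules with hits are the port-22 rule and the `mark match 0x80000000/0x80000000` rule, and the final DROP (index 6) is the catch-all after which the PVESIG rule can never match.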