[pve-devel] [RFC firewall 0/8] rebased ebtables patches
Alexandre DERUMIER
aderumier at odiso.com
Wed Mar 28 17:44:06 CEST 2018
>>While on the one hand I'd like to move to nftables,
I haven't checked nftables in a long time, does it have all we need now?
>> and on the other
>>hand I like the idea of attaching xdp programs to interfaces for the
>>purpose of eg. MAC filtering,
Great! Could be useful against DDoS attacks too (like the blacklist ipset, for example, but at NIC level).
>>@Alexandre, @Stefan Priebe:
>>if you're still using the patches it might be good to
>>compare/check/update, not sure if you kept rebasing them?
Currently, no, sorry. I don't use the firewall in production yet (but I'm planning to deploy it this summer).
I'll try to test the patches soon, but I'll be on holiday for two weeks until 15th April.
Regards,
Alexandre
----- Original message -----
From: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Cc: "Alexandre Derumier" <aderumier at odiso.com>, "Stefan Priebe, Profihost AG" <s.priebe at profihost.ag>
Sent: Wednesday 28 March 2018 10:53:23
Subject: [RFC firewall 0/8] rebased ebtables patches
While on the one hand I'd like to move to nftables, and on the other
hand I like the idea of attaching xdp programs to interfaces for the
purpose of e.g. MAC filtering, we do still have this patch series around
which wasn't much work to rebase to the current code base and does its
job...
Back when the series was originally posted the issue was mostly the lack
of a (proper) ebtables package (missing ebtables-save/restore). We don't
have this problem anymore, so why not give this a go?
The changes I made to the patches I took off the list should be rather
obvious: openvz -> lxc, and replacing the hardcoded ethertype list with
reading /etc/ethertypes (which gets shipped with the ebtables package).
Some whitespace cleanup and I renamed 'layer2filter_protocols' to just
'layer2_protocols' (and avoided the generation of `-j DROP` followed by
`-j ACCEPT`).
(Oh and, patch 4 is actually unrelated, I just came across that while
adding the ethertypes file parsing...)
@Alexandre, @Stefan Priebe:
if you're still using the patches it might be good to
compare/check/update, not sure if you kept rebasing them?
Alexandre Derumier (2):
compile ebtables rules
apply ebtables_ruleset
Wolfgang Bumiller (6):
split parser out of get_etc_protocols
parse_protocol_file: support lines without end comments
add get_etc_ethertypes
/etc/services can also define 'sctp' services
avoid double spaces in ruleset_addrule
add ebtables dependency
debian/control | 3 +-
debian/example/100.fw | 3 +
src/PVE/Firewall.pm | 240 +++++++++++++++++++++++++++++++++++++---
src/PVE/Service/pve_firewall.pm | 14 ++-
4 files changed, 241 insertions(+), 19 deletions(-)
--
2.11.0
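The series above replaces a hardcoded ethertype list with parsing of /etc/ethertypes, makes parse_protocol_file accept lines without a trailing comment, and lets /etc/services entries define sctp services. The parser below is an added example written for this page, not code from pve-firewall or the patch series. It assumes the usual layout of those files (name, number or port/proto, optional aliases, optional `#` comment), lowercases names so lookups are case-insensitive (a choice made here, not something the series states), and uses constructed sample file contents rather than copies of real system files.

```python
"""Parser for /etc/protocols, /etc/ethertypes and /etc/services style files.

Added example; not code from the pve-firewall ebtables series.
Assumed line format:  name  number[/proto]  [alias ...]  [# comment]
Lines with no trailing comment, and comments that are empty after '#',
must parse just like commented ones.
"""
import re

# Constructed sample inputs (same layout as the real files, not copied from them).
SAMPLE_PROTOCOLS = """\
# Internet (IP) protocols
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
tcp     6       TCP
sctp    132     SCTP            # Stream Control Transmission Protocol
"""

SAMPLE_ETHERTYPES = """\
# Ethernet frame types (numbers are hexadecimal)
IPv4            0800    ip ip4          # Internet IP (IPv4)
ARP             0806    ether-arp       #
IPv6            86DD    ip6
"""

SAMPLE_SERVICES = """\
ssh             22/tcp
ssh             22/sctp                 # SSH Remote Login Protocol
http            80/tcp          www     # WorldWideWeb HTTP
http            80/sctp
domain          53/udp
"""


def _fields(raw):
    """Strip an optional trailing comment and split a line into fields."""
    return raw.split('#', 1)[0].split()


def parse_protocol_file(text, base=10):
    """Return {name: number} covering each entry's name and every alias.

    base=10 suits /etc/protocols, base=16 suits /etc/ethertypes.
    Malformed lines are skipped rather than aborting the whole parse.
    """
    table = {}
    for raw in text.splitlines():
        fields = _fields(raw)
        if len(fields) < 2:
            continue
        try:
            number = int(fields[1], base)
        except ValueError:
            continue
        for name in (fields[0], *fields[2:]):
            table[name.lower()] = number
    return table


def parse_services_file(text):
    """Return {(name, proto): port}; proto is whatever the file lists (tcp, udp, sctp, ...)."""
    table = {}
    for raw in text.splitlines():
        fields = _fields(raw)
        if len(fields) < 2 or '/' not in fields[1]:
            continue
        port_str, proto = fields[1].split('/', 1)
        try:
            port = int(port_str)
        except ValueError:
            continue
        for name in (fields[0], *fields[2:]):
            table[(name.lower(), proto.lower())] = port
    return table


def resolve_protocol(spec, table):
    """Resolve a rule's protocol field: a name known to `table`, or a plain
    decimal or 0x-prefixed hex number. Raises ValueError for anything else,
    so an unknown name never silently becomes a match-nothing rule."""
    spec = spec.strip().lower()
    if spec in table:
        return table[spec]
    if re.fullmatch(r'\d+', spec):
        return int(spec)
    if re.fullmatch(r'0x[0-9a-f]+', spec):
        return int(spec, 16)
    raise ValueError(f"unknown protocol {spec!r}")


if __name__ == "__main__":
    protos = parse_protocol_file(SAMPLE_PROTOCOLS)
    ethertypes = parse_protocol_file(SAMPLE_ETHERTYPES, base=16)
    services = parse_services_file(SAMPLE_SERVICES)
    print("tcp ->", resolve_protocol("tcp", protos))
    print("ip6 ->", hex(resolve_protocol("ip6", ethertypes)))
    print("ssh/sctp ->", services[("ssh", "sctp")])
```

The same routine serves both /etc/protocols and /etc/ethertypes because the only difference between them is the number base; the uncommented `tcp` and `IPv6` lines exercise the "lines without end comments" case, and the `ARP` line covers a comment that is empty after the `#`.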