[pve-devel] [RFC firewall 0/8] rebased ebtables patches

Alexandre DERUMIER aderumier at odiso.com
Wed Mar 28 17:44:06 CEST 2018


>>While on the one hand I'd like to move to nftables,

I haven't checked nftables in a long time, does it have all we need now?

>> and on the other 
>>hand I like the idea of attaching xdp programs to interfaces for the 
>>purpose of eg. MAC filtering,
!!great! Could be useful against DDoS attacks too (like the blacklist ipset, for example, but at NIC level).



>>@Alexandre, @Stefan Priebe: 
>>if you're still using the patches it might be good to 
>>compare/check/update, not sure if you kept rebasing them? 

Currently, no, sorry. I don't use the firewall in production yet (but I'm planning to deploy it this summer).

I'll try to test the patches soon, but I'll be on holiday for 2 weeks until 15th April.

Regards,

Alexandre

----- Original Mail -----
From: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Cc: "Alexandre Derumier" <aderumier at odiso.com>, "Stefan Priebe, Profihost AG" <s.priebe at profihost.ag>
Sent: Wednesday 28 March 2018 10:53:23
Subject: [RFC firewall 0/8] rebased ebtables patches

While on the one hand I'd like to move to nftables, and on the other
hand I like the idea of attaching xdp programs to interfaces for the
purpose of e.g. MAC filtering, we do still have this patch series around
which wasn't much work to rebase to the current code base and does its
job...
Back when the series was originally posted the issue was mostly the lack
of a (proper) ebtables package (missing ebtables-save/restore). We don't
have this problem anymore, so why not give this a go?

The changes I made to the patches I took off the list should be rather
obvious: openvz -> lxc, and replacing the hardcoded ethertype list with
reading /etc/ethertypes (which gets shipped with the ebtables package).
Some whitespace cleanup and I renamed 'layer2filter_protocols' to just
'layer2_protocols' (and avoided the generation of `-j DROP` followed by
`-j ACCEPT`).

(Oh and, patch 4 is actually unrelated, I just came across that while 
adding the ethertypes file parsing...) 

@Alexandre, @Stefan Priebe: 
if you're still using the patches it might be good to 
compare/check/update, not sure if you kept rebasing them? 

Alexandre Derumier (2): 
compile ebtables rules 
apply ebtables_ruleset 

Wolfgang Bumiller (6): 
split parser out of get_etc_protocols 
parse_protocol_file: support lines without end comments 
add get_etc_ethertypes 
/etc/services can also define 'sctp' services 
avoid double spaces in ruleset_addrule 
add ebtables dependency 

debian/control | 3 +- 
debian/example/100.fw | 3 + 
src/PVE/Firewall.pm | 240 +++++++++++++++++++++++++++++++++++++--- 
src/PVE/Service/pve_firewall.pm | 14 ++- 
4 files changed, 241 insertions(+), 19 deletions(-) 

-- 
2.11.0 
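As an added illustration of what the cover letter describes (reading /etc/ethertypes instead of a hardcoded list, accepting lines without a trailing comment, and validating the protocol that ends up in an `ebtables -p` match): this is example code written for this note in Python, not code from the pve-firewall series, and the sample file contents and function names are constructed for the example.

```python
import re
from typing import Dict

# Constructed sample in the layout of /etc/ethertypes (shipped with ebtables):
# "NAME  HEX [alias ...]" plus an optional "# comment". Some lines carry no
# trailing comment at all, the case patch 2 of the series is about.
SAMPLE_ETHERTYPES = """\
IPv4            0800    ip ip4  # Internet IP (IPv4)
X25             0805
ARP             0806    ether-arp   #
FR_ARP          0808                # Frame Relay ARP
IPv6            86DD    ip6     # IP version 6
BOGUS           zzzz            # malformed number, must be skipped
"""

def parse_ethertypes(text: str) -> Dict[str, int]:
    """Map every name and alias (lower-cased) to its 16-bit ethertype."""
    table: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop the comment, if any
        if not line:
            continue
        try:
            name, number, *aliases = line.split()
            value = int(number, 16)
        except ValueError:
            continue                           # too few fields or not hex
        if not 0 <= value <= 0xFFFF:
            continue                           # outside the 16-bit range
        for n in (name, *aliases):
            table[n.lower()] = value
    return table

_HEX_RE = re.compile(r"(?:0x)?([0-9a-f]{1,4})")

def ebtables_proto_arg(proto: str, table: Dict[str, int]) -> str:
    """Validate a layer-2 protocol for `ebtables -p`: a name/alias from the
    table or a hex ethertype. Returns canonical 4-digit hex, else raises."""
    p = proto.strip().lower()
    if p in table:
        return f"{table[p]:04x}"
    m = _HEX_RE.fullmatch(p)
    if m:
        return f"{int(m.group(1), 16):04x}"
    raise ValueError(f"unknown layer-2 protocol: {proto!r}")

def ebtables_rule(chain: str, proto: str, table: Dict[str, int], target: str) -> str:
    # Only a validated protocol ever reaches the generated ruleset line.
    return f"-A {chain} -p {ebtables_proto_arg(proto, table)} -j {target}"
```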
