[pve-devel] [RFC firewall 0/8] rebased ebtables patches

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Mar 29 08:27:17 CEST 2018


> On March 28, 2018 at 5:44 PM Alexandre DERUMIER <aderumier at odiso.com> wrote:
> >>While on the one hand I'd like to move to nftables,
> 
> I haven't checked nftables in a long time; does it have all we need now?

It _can_ do the job, but IIRC not yet as efficiently as I was hoping (some
things can be "worked around"). Although it's been a few weeks & kernel versions
again since I last checked (now with 4.15 around it's worth another look actually).

> >> and on the other 
> >>hand I like the idea of attaching xdp programs to interfaces for the 
> >>purpose of eg. MAC filtering,
> !!great! Could be useful against DDoS attacks too (like the blacklist ipset for example, but at the NIC level).

Downside was in my tests that it only worked properly on the 4.15 kernel.
nftables has device chains as well which can be used for that purpose which would
be a bit more mature by now. But for now, ebtables is the most mature & tested
option, which is why I wanted to resurrect this patch set.

> I'll try to test the patches soon, but I'll be on holiday for 2 weeks until 15th April.

Have a good time.


