[pve-devel] pve-firewall : nftables ?

Alexandre DERUMIER aderumier at odiso.com
Tue Nov 27 15:06:25 CET 2018


>>Wasn't nftables mostly iptables compatible? 

mostly :/


https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families


Deprecated extensions
---------------------

physdev
br_netfilter aims to be deprecated by nftables.

quota
nfacct already provides quota support.

tos
deprecated by dscp




----- Original Message -----
From: "Josef Johansson" <josef at oderland.se>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Tuesday, 27 November 2018 14:58:31
Subject: Re: [pve-devel] pve-firewall : nftables ?

On 11/27/18 2:55 PM, Wolfgang Bumiller wrote: 
> On Mon, Nov 26, 2018 at 09:00:47AM +0100, Alexandre DERUMIER wrote: 
>> Hi, 
>> 
>> I would like to know if somebody has already done some tests with nftables recently? 
>> 
>> Mainly, it is not possible to use the physdev direction, 
>> 
>> like: 
>> 
>> -A PVEFW-FWBR-OUT -m physdev --physdev-in tap160i1 --physdev-is-bridged -j tap160i1-OUT 
>> 
>> 
>> I wonder if a simple vmap like this could work? 
>> 
>> https://wiki.nftables.org/wiki-nftables/index.php/Classic_perimetral_firewall_example 
>> 
>> 
>> chain forward { 
>> type filter hook forward priority 0; policy drop; 
>> jump global 
>> oifname vmap { $nic_dmz : jump dmz_in , $nic_lan : jump lan_in } 
>> oifname $nic_inet iifname vmap { $nic_dmz : jump dmz_out , $nic_lan : jump lan_out } 
>> } 
> The issue was that the regular filter forward table isn't really used 
> for bridged traffic (IIRC?), while the bridge filter forward table 
> doesn't have access to conntrack. There may be other ways (at some 
> point I marked packets in the netdev tables), but I haven't checked in 
> a while. 
> At least I haven't produced any kernel crashes in a while ;-D 
> 
> IIRC the issue with netdev tables on the other hand was that they'd have 
> to be created after a network device was created. Can't have them "wait 
> around" for the device. (Not a big deal, just needs a little more 
> callbacks in our interface creation code and lxc bridge hook.) I'd want 
> source mac & ip checks to be moved to those tables for outgoing 
> packets, they happen quite early in the stack. 
> 
> The pve-firewall code is very iptables-oriented though, and I'm not sure 
> if maybe we're not better off splitting the rule-generating part out 
> and write the nftables variant from scratch... The iptables part would 
> be considered feature-frozen from that point on I'd say/hope/think... 

Wasn't nftables mostly iptables compatible? 

Maybe it's a good thing to not freeze the current implementation. 

> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 

-- 
Best regards 
Josef Johansson 


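The thread quotes one iptables rule per VM interface (`-m physdev --physdev-in tap160i1 --physdev-is-bridged -j tap160i1-OUT`) and asks whether an nftables vmap could replace it. The script below is an added example, not pve-firewall code and not from the nftables wiki: it generates a ruleset in the `bridge` family whose forward hook does one verdict-map lookup on `iifname` (frames leaving a VM into the bridge) and one on `oifname` (frames delivered to a VM), jumping to per-interface chains. Unlike a netdev-family chain, which must be bound to an existing device, an `iifname` vmap entry compares the name at packet time, so the chain can be created before the tap exists. The table name `pvefw`, the chain naming, the interface names and the MAC addresses are all constructed for the example.

```shell
#!/bin/sh
# Added example, not pve-firewall code. Generates an nftables ruleset in the
# "bridge" family that stands in for the iptables physdev rule quoted in the
# thread (-m physdev --physdev-in tap160i1 ... -j tap160i1-OUT): instead of one
# physdev rule per VM interface, the bridge forward hook does one verdict-map
# lookup on iifname (VM -> bridge) and one on oifname (bridge -> VM).
# Table name, chain names, interface names and MACs are constructed here.

# gen_vm_chains IFACE MAC  -> the per-interface OUT/IN chains on stdout
gen_vm_chains() {
    vif=$1
    vmac=$2
    cat <<EOF
    chain ${vif}-OUT {
        # frames leaving the VM through its tap: pin the source MAC
        ether saddr != ${vmac} counter drop
        accept
    }
    chain ${vif}-IN {
        # frames delivered to the VM; site policy goes here
        accept
    }
EOF
}

# gen_ruleset "IFACE MAC" ["IFACE MAC" ...]  -> complete ruleset on stdout
gen_ruleset() {
    out_map=""
    in_map=""
    chains=""
    for pair in "$@"; do
        iface=${pair%% *}
        mac=${pair#* }
        out_map="${out_map:+$out_map, }\"$iface\" : jump ${iface}-OUT"
        in_map="${in_map:+$in_map, }\"$iface\" : jump ${iface}-IN"
        chains="$chains$(gen_vm_chains "$iface" "$mac")
"
    done
    printf 'table bridge pvefw {\n'
    printf '%s' "$chains"
    cat <<EOF
    chain forward {
        type filter hook forward priority 0; policy accept;
        # one map lookup replaces N physdev rules; unknown interfaces fall through
        iifname vmap { $out_map }
        oifname vmap { $in_map }
    }
}
EOF
}

# Stand-alone run: print a ruleset for two constructed VM interfaces.
gen_ruleset "tap160i1 52:54:00:aa:bb:01" "tap161i0 52:54:00:aa:bb:02"
```

Pipe the output to `nft -c -f -` to syntax-check it against the installed nft, or to `nft -f -` to load it. The caveat from the thread still applies to this layout: a `bridge` family forward chain has no conntrack on the kernels contemporary with the discussion (nf_conntrack_bridge arrived later, in kernel 5.3), so `ct state` rules belong in an `inet` family chain and only stateless checks such as the source-MAC pin go in the per-tap bridge chains.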