[pve-devel] pve-firewall : nftables ?
Alexandre DERUMIER
aderumier at odiso.com
Tue Nov 27 15:06:25 CET 2018
>> Wasn't nftables mostly iptables compatible?
mostly :/
https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
Deprecated extensions
---------------------
physdev
br_netfilter aims to be deprecated by nftables.
quota
nfacct already provides quota support.
tos
deprecated by dscp
----- Original Message -----
From: "Josef Johansson" <josef at oderland.se>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Tuesday, 27 November 2018 14:58:31
Subject: Re: [pve-devel] pve-firewall : nftables ?
On 11/27/18 2:55 PM, Wolfgang Bumiller wrote:
> On Mon, Nov 26, 2018 at 09:00:47AM +0100, Alexandre DERUMIER wrote:
>> Hi,
>>
>> I would like to know if somebody has already made some tests with nftables recently?
>>
>> Mainly, it is not possible to use physdev direction,
>>
>> like:
>>
>> -A PVEFW-FWBR-OUT -m physdev --physdev-in tap160i1 --physdev-is-bridged -j tap160i1-OUT
>>
>>
>> I wonder if a simple vmap like this could work?
>>
>> https://wiki.nftables.org/wiki-nftables/index.php/Classic_perimetral_firewall_example
>>
>>
>> chain forward {
>> type filter hook forward priority 0; policy drop;
>> jump global
>> oifname vmap { $nic_dmz : jump dmz_in , $nic_lan : jump lan_in }
>> oifname $nic_inet iifname vmap { $nic_dmz : jump dmz_out , $nic_lan : jump lan_out }
>> }
> The issue was that the regular filter forward table isn't really used
> for bridged traffic (IIRC?), while the bridge filter forward table
> doesn't have access to conntrack. There may be other ways (at some
> point I marked packets in the netdev tables), but I haven't checked in
> a while.
> At least I haven't produced any kernel crashes in a while ;-D
>
> IIRC the issue with netdev tables on the other hand was that they'd have
> to be created after a network device was created. Can't have them "wait
> around" for the device. (Not a big deal, just needs a little more
> callbacks in our interface creation code and lxc bridge hook.) I'd want
> source mac & ip checks to be moved to those tables for outgoing
> packets, they happen quite early in the stack.
>
> The pve-firewall code is very iptables-oriented though, and I'm not sure
> if maybe we're not better off splitting the rule-generating part out
> and writing the nftables variant from scratch... The iptables part would
> be considered feature-frozen from that point on I'd say/hope/think...
Wasn't nftables mostly iptables compatible?
Maybe it's a good thing to not freeze the current implementation.
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
--
Kind regards
Josef Johansson
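Added example, not pve-firewall code and not from anyone in this thread: a small generator for the "rule-generating part" Wolfgang mentions, emitting a bridge-family nftables ruleset that dispatches per-guest-NIC chains through iifname/oifname vmaps in the way Alexandre's forward-chain sketch does. It relies on one property of the bridge family: in its forward hook, iifname/oifname are the bridge ports themselves (the tap devices), which is the information the iptables physdev match supplied, so no physdev equivalent is needed. The NIC inventory, MAC/IP values and the table name pve_fw_example are constructed for the example; the per-NIC out chains pin the source MAC/IP as Wolfgang suggests, and the in chains use ct state, which in the bridge family requires nf_conntrack_bridge (Linux 5.3 and later, i.e. after this thread; before that the bridge forward hook had no conntrack, exactly as Wolfgang says).

```python
#!/usr/bin/env python3
"""Emit a bridge-family nftables ruleset that dispatches per-guest-NIC chains
through iifname/oifname vmaps instead of iptables physdev matches.
Added example for the pve-devel thread; not pve-firewall code."""
import shutil
import subprocess

# Constructed inventory: one entry per guest NIC. Tap names follow the
# tapNNNiM convention from the thread; MACs and addresses are made up.
SAMPLE_NICS = [
    {"tap": "tap160i1", "mac": "02:00:00:00:01:60", "ip": "10.0.0.16"},
    {"tap": "tap161i0", "mac": "02:00:00:00:01:61", "ip": "10.0.0.17"},
]

TABLE = "pve_fw_example"  # hypothetical table name


def nic_chains(nic):
    """Per-NIC chains. In the bridge family iifname/oifname are the bridge
    ports (the tap devices), so the port is matched directly."""
    tap, mac, ip = nic["tap"], nic["mac"], nic["ip"]
    return (
        f"    chain {tap}_out {{\n"
        "        # frames the guest injects: pin source MAC/IP, then return\n"
        f"        ether saddr != {mac} drop\n"
        f"        arp saddr ip != {ip} drop\n"
        f"        ip saddr != {ip} drop\n"
        "        return\n"
        "    }\n"
        f"    chain {tap}_in {{\n"
        "        # frames delivered to the guest: default deny, replies to\n"
        "        # established flows allowed (ct in the bridge family needs\n"
        "        # nf_conntrack_bridge, Linux 5.3+)\n"
        "        ct state established,related accept\n"
        "        drop\n"
        "    }\n"
    )


def build_ruleset(nics):
    """Whole ruleset: per-NIC chains plus one forward hook with two vmaps."""
    out_map = ", ".join(f'"{n["tap"]}" : jump {n["tap"]}_out' for n in nics)
    in_map = ", ".join(f'"{n["tap"]}" : jump {n["tap"]}_in' for n in nics)
    body = "".join(nic_chains(n) for n in nics)
    return (
        f"table bridge {TABLE} {{\n"
        f"{body}"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy drop;\n"
        "        # outgoing leg: anti-spoofing checks keyed on the source port\n"
        f"        iifname vmap {{ {out_map} }}\n"
        "        # incoming leg: per-guest policy keyed on the destination port\n"
        f"        oifname vmap {{ {in_map} }}\n"
        "        # remaining frames head to a non-guest port (uplink) and\n"
        "        # already passed the source checks above\n"
        "        accept\n"
        "    }\n"
        "}\n"
    )


def check_with_nft(ruleset):
    """Dry-run the ruleset with `nft -c -f -` when nft is installed.
    Returns True/False for the check result, or None if nft is absent."""
    if shutil.which("nft") is None:
        return None
    proc = subprocess.run(["nft", "-c", "-f", "-"], input=ruleset,
                          capture_output=True, text=True)
    return proc.returncode == 0


if __name__ == "__main__":
    rs = build_ruleset(SAMPLE_NICS)
    print(rs)
    print("nft -c result:", check_with_nft(rs))
```

Each guest port appears in both vmaps, so a frame entering on one tap and leaving on another passes the source checks of the sender and the inbound policy of the receiver in a single traversal of the hook; frames headed for a non-guest port only get the source checks. Adding a NIC means adding one inventory entry, which is the advantage of generating the vmaps rather than editing hook-chain rules by hand.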