[pve-devel] pve-firewall : new modelv1

Alexandre Derumier aderumier at odiso.com
Wed Apr 30 10:56:29 CEST 2014


First try to manage the new network model.
Each firewall interface is on a dedicated fwbr bridge.

We can do accept everywhere, no need to use marks.
Non-firewall taps do an accept at the first rule.

-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
    -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
    -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
    -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
    -A PVEFW-FWBR-IN -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tap110i0-IN

-A PVEFW-FORWARD -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT
    -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
    -A PVEFW-FWBR-OUT -m physdev --physdev-in tap110i0 -j tap110i0-OUT
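
Added example, not part of the post and not pve-firewall code: a small Python walker over the rule set quoted above, to check which chain a given packet is handed to under this model. The per-VM chains (`tap123i0-IN`, `tap110i0-OUT`, ...) and the `PVEFW-tcpflags` / `PVEFW-smurfs` chains are not in the post, so the walker treats the tap chains as terminal dispatch points and the two sanity chains as returning (both are assumptions). Interface names such as `link123i0` and `vmbr0` in the sample packets are constructed.

```python
"""Toy evaluator for the PVEFW-FORWARD layout described in the post.

Parses iptables-save style '-A' lines and walks a packet through the
chains, recording every chain it is jumped into.  This is a constructed
teaching aid, not pve-firewall's generator or iptables itself.
"""

# Rule set copied from the post (iptables-save syntax).
RULESET = """
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tap110i0-IN
-A PVEFW-FORWARD -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap110i0 -j tap110i0-OUT
"""

# Assumption: these chains are not shown in the post; model them as RETURN.
STUB_RETURN = {"PVEFW-tcpflags", "PVEFW-smurfs"}

WITH_ARG = {"-i", "-p", "--ctstate", "--physdev-in", "--physdev-out"}
FLAGS = {"--physdev-is-bridged"}


def parse_rules(text):
    """Return {chain: [(matches, target), ...]} in rule order."""
    chains = {}
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:1] != ["-A"]:
            raise ValueError("only -A rules are supported: " + line)
        chain, matches, target, negate = toks[1], [], None, False
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":
                negate = True
            elif tok == "-j":
                target, i = toks[i + 1], i + 1
            elif tok == "-m":
                i += 1  # the module name itself is not a condition
            elif tok in WITH_ARG:
                matches.append((tok, toks[i + 1], negate))
                negate, i = False, i + 1
            elif tok in FLAGS:
                matches.append((tok, None, negate))
                negate = False
            else:
                raise ValueError("unsupported token %r in %r" % (tok, line))
            i += 1
        if target is None:
            raise ValueError("rule without -j: " + line)
        chains.setdefault(chain, []).append((matches, target))
    return chains


def _glob(pattern, name):
    """iptables interface names: a trailing '+' is a prefix wildcard."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def match_ok(match, pkt):
    opt, arg, negate = match
    if opt == "-i":
        hit = _glob(arg, pkt["in"])
    elif opt == "-p":
        hit = pkt.get("proto") == arg
    elif opt == "--ctstate":
        hit = pkt.get("ctstate") in arg.split(",")
    elif opt == "--physdev-in":
        hit = _glob(arg, pkt.get("physdev_in", ""))
    elif opt == "--physdev-out":
        hit = _glob(arg, pkt.get("physdev_out", ""))
    elif opt == "--physdev-is-bridged":
        hit = bool(pkt.get("bridged"))
    else:
        raise ValueError(opt)
    return hit != negate


def walk(chains, pkt, chain, trace):
    """Walk one chain; return a verdict or None if the chain falls through."""
    for matches, target in chains.get(chain, []):
        if not all(match_ok(m, pkt) for m in matches):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        trace.append(target)
        if target in chains:
            verdict = walk(chains, pkt, target, trace)
            if verdict is not None:
                return verdict
        elif target not in STUB_RETURN:
            return "jump:" + target  # per-VM chain: terminal in this toy
    return None


CHAINS = parse_rules(RULESET)


def decide(pkt):
    """Return (verdict, chains_entered) for a packet hitting PVEFW-FORWARD."""
    trace = []
    verdict = walk(CHAINS, pkt, "PVEFW-FORWARD", trace)
    return (verdict or "POLICY"), trace


if __name__ == "__main__":
    # Constructed sample packets: non-firewall bridge, VM-bound via fwbr, VM-originated.
    print(decide({"in": "vmbr0", "ctstate": "NEW"}))
    print(decide({"in": "fwbr123i0", "ctstate": "NEW", "proto": "tcp",
                  "physdev_in": "link123i0", "physdev_out": "tap123i0", "bridged": True}))
    print(decide({"in": "fwbr110i0", "ctstate": "NEW", "proto": "udp",
                  "physdev_in": "tap110i0", "physdev_out": "link110i0", "bridged": True}))
```

The trace makes the two properties of the model visible: traffic not entering through an `fwbr+` bridge is accepted by the very first rule, and a VM's inbound and outbound traffic reach its own `-IN` / `-OUT` chain purely through `physdev` matches, with no marks involved. A packet aimed at a tap that has no chain falls out of `PVEFW-FWBR-IN` and ends at the chain policy.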