[pve-devel] pvefw security group question

Alexandre DERUMIER aderumier at odiso.com
Wed Feb 19 13:13:19 CET 2014


I found a bug: we should reset the mark to 0 at the beginning of tapxxx-IN,
or a marked packet will be accepted.



-A tap110i0-OUT -j GROUP-security2-OUT
    -A GROUP-security2-OUT -j MARK --set-xmark 0x0/0xffffffff
    -A GROUP-security2-OUT -p tcp -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
    -A GROUP-security2-OUT -m comment --comment "PVESIG:9e3za5PI021dK30K/YaQo1AbFMA"

-A tap110i0-OUT -m mark --mark 0x1 -g vmbr1-IN
-A tap110i0-OUT -j LOG --log-prefix "tap110i0-OUT-dropped: "
-A tap110i0-OUT -j DROP

-A tap123i0-IN -j GROUP-security1-IN
    -A GROUP-security1-IN -p icmp -j ACCEPT
    -A GROUP-security1-IN -m comment --comment "PVESIG:wdl/PRiAPEXjed5N0Cpd9ydZtao"

-A tap123i0-IN -m mark --mark 0x1 -j ACCEPT     >> THIS WILL ACCEPT SSH FROM TAP110
-A tap123i0-IN -j LOG --log-prefix "tap123i0-IN-dropped: "
-A tap123i0-IN -j DROP

----- Original Message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday 19 February 2014 12:34:36
Subject: Re: [pve-devel] pvefw security group question

>>this is called from vmbrX-OUT, so it directly returns to that chain. 
>>I thought there is no need to return to tap110i0-OUT ? 

Just tested, it's working fine.
Maybe I don't understand how goto works? (For me, it was just a jump, without implicit return.)


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday 19 February 2014 12:20:24
Subject: RE: [pve-devel] pvefw security group question

> -A tap110i0-OUT -j GROUP-security1-OUT
> -A GROUP-security1-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A GROUP-security1-OUT -p icmp -g PVEFW-SET-ACCEPT-MARK
> -A GROUP-security1-OUT -p tcp -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
> -A GROUP-security1-OUT -m comment --comment "PVESIG:H5gNFciXSlxFB/xpDqyG9l5+v6M"
>
>
> -A tap110i0-OUT -m mark --mark 0x1 -g vmbr1-IN
>
>
> we do a goto to PVEFW-SET-ACCEPT-MARK, but how can this return to the TAP
> chain?

this is called from vmbrX-OUT, so it directly returns to that chain.
I thought there is no need to return to tap110i0-OUT?

> (I haven't tested it yet)
> 
> I think we should do something like this: 
> 
> -A tap110i0-OUT -j GROUP-security1-OUT
> -A GROUP-security1-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A GROUP-security1-OUT -p icmp -j PVEFW-SET-ACCEPT-MARK
> -A GROUP-security1-OUT -m mark --mark 0x1 -j RETURN
> -A GROUP-security1-OUT -p tcp -m tcp --dport 22 -j PVEFW-SET-ACCEPT-MARK
> -A GROUP-security1-OUT -m mark --mark 0x1 -j RETURN
> -A GROUP-security1-OUT -m comment --comment "PVESIG:H5gNFciXSlxFB/xpDqyG9l5+v6M"
>
> -A tap110i0-OUT -m mark --mark 0x1 -g vmbr1-IN

This is clumsy, but does exactly the same as my code - or what is the difference? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
