[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Sun Jul 6 14:13:43 CEST 2014


also, I think the most interesting feature of nftables is vmap:

http://people.netfilter.org/wiki-nftables/index.php/Dictionaries


So it seems possible to jump directly to the VM tap chain, a big performance improvement in our case!


something like (not sure about the syntax):


table ip filter {
        chain forward {
                 # base chain: must be hooked into the forward path to see bridged/routed VM traffic
                 type filter hook forward priority 0; policy accept;
                 # verdict map: one lookup on the output interface dispatches to the per-VM chain
                 meta oifname vmap { "tap100i0" : jump tap100i0-chain, "tap200i0" : jump tap200i0-chain, "tap300i0" : jump tap300i0-chain }
        }

        # per-VM chains (rules to be filled in; an empty chain simply returns to forward)
        chain tap100i0-chain {
        }

        chain tap200i0-chain {
        }

        chain tap300i0-chain {
        }
}


Also, ipset seems to be native:

# the table has to exist before a set can be added to it
nft add table ip global
# the address datatype is ipv4_addr; the ';' is escaped for the shell
nft add set ip global myipset { type ipv4_addr\; }
nft add element ip global myipset { 192.168.3.4 }
nft add element ip global myipset { 192.168.1.4, 192.168.1.5 }




I think we could try to manage a

$ruleset->{nftables}

in parallel with the current iptables, ip6tables, ebtables


and do the switch (next year?) when we're sure that the stability/features of nftables are OK.
(I think Red Hat will remove the tech preview for RHEL 7.1 or 7.2)




----- Original Message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Sunday, 6 July 2014 12:07:21
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?

>>Looks good, but I think we should evaluate nftables now (instead of using all those different binaries). 
>>I have no idea if it is already usable? 

Available since RHEL 7 RC2, but it's a tech preview.

nftables has just been tagged v0.3:
http://git.netfilter.org/nftables/log/ 


And the only doc I found is:
https://home.regit.org/netfilter-en/nftables-quick-howto/ 



----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>, "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
Sent: Sunday, 6 July 2014 05:32:01
Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ?

> BTW, I'll also rework my ipv6 patch. 
> 
> I thought about extending $ruleset to something like
> 
> $ruleset->{iptables}->{filter} 
> $ruleset->{iptables}->{nat} 
> $ruleset->{ip6tables}->{filter} 
> $ruleset->{ebtables}->{filter} 
> 
> Like this, we can manage multi commands and filters. 
> 
> What do you think about it?

Looks good, but I think we should evaluate nftables now (instead of using all those different binaries). 
I have no idea if it is already usable? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 


