[pve-devel] firewall : cluster.fw [rules] section ?

Mon Jul 7 18:43:20 CEST 2014

Am 07.07.2014 um 18:01 schrieb Alexandre DERUMIER <aderumier at odiso.com>:

>>> segfaulting in nft looks more like a bug in nfs cmd tool. Have you tried 
>>> to attach with gdb und the debug libs?
> 
> just tested with 3.15 kernel, same problem.
> So if maybe the problem come from nftables tools or libnftnl.
> 
> (I have the debug symbol for libnftnl).
> 
> Don't known how to debug with gbd ...

Short version (from mobile).

ulimit -c unlimited
nft ...

Core file should be dumped.

Install debugging symbols.

gdb $pathtonftbin $pathtocoredump

Then in gdb enter
bt full

Now you should see the backtrace incl functions and values.

Stefan 

> 
> 
> 
> ----- Mail original ----- 
> 
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Envoyé: Lundi 7 Juillet 2014 14:26:37 
> Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> Am 07.07.2014 13:30, schrieb Alexandre DERUMIER: 
>>>> I'll check if we couldn't mix iptables and nftables (for the layer2), to not do twice the job.
>> 
>> Seem to works, I have create a simple layer2 filtering with 
>> 
>> nft add rule bridge filter forward iifname tap123i0 log prefix \"testdrop\" drop 
>> 
>> 
>> + iptables running in parralel, 
>> 
>> and it's works fine. 
>> 
>> 
>> 
>> some notes: 
>> 
>> ethernet protocol filtering can be manage with 
>> 
>> # nft add rule bridge filter forward ether type 0x0800 
>> 
>> 
>> 
>> I have a segfault with mac filtering 
>> -------------------------------------- 
>> 
>> # mac source 
>> add rule bridge filter forward iifname tap123i0 @ll,48,48 00:15:e9:f0:10:f8 counter 
>> # mac dest 
>> add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad counter 
>> # mac source and mac dest 
>> add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad @ll,48,48 00:15:e9:f0:10:f8 counter 
>> 
>> 
>> 
>> Jul 7 13:24:36 kvmtest1 kernel: [ 9213.510642] nft[24469]: segfault at 0 ip 000000000040c647 sp 00007fffb7178620 error 4 in nft[400000+44000] 
>> 
>> 
>> So, maybe it's a bug in current rhel kernel. 
>> (I'll test with a 3.15 kernel)
> 
> segfaulting in nft looks more like a bug in nfs cmd tool. Have you tried 
> to attach with gdb und the debug libs? 
> 
> Stefan 
> 
> 
>> ----- Mail original ----- 
>> 
>> De: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> À: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Envoyé: Lundi 7 Juillet 2014 10:24:13 
>> Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
>> 
>>>> I really would love to see the mac filter for layer2 in the first 
>>>> release. At least to me it's a pretty important thing. Otherwise the 
>>>> current mac filter is pretty "useless". 
>>>> 
>>>> Stefan
>> 
>> I'll check if we couldn't mix iptables and nftables (for the layer2), to not do twice the job. 
>> 
>> 
>> 
>> ----- Mail original ----- 
>> 
>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>> À: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Envoyé: Lundi 7 Juillet 2014 09:17:42 
>> Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
>> 
>> Hi, 
>> 
>> Am 07.07.2014 07:46, schrieb Alexandre DERUMIER: 
>>>>> My feeling is that we should use nft, else we will do all work twice.
>>> yes. 
>>> 
>>>>> But the current iptables implementation is a good start for the first release.
>>> 
>>> I'll try to build a nftables rules sample manually to see what's missing. 
>>> maybe can we release current iptables code for ipv4+ipset and later nftables for ipv4+ipv6+etables ?
>> 
>> I really would love to see the mac filter for layer2 in the first 
>> release. At least to me it's a pretty important thing. Otherwise the 
>> current mac filter is pretty "useless". 
>> 
>> Stefan 
>> 
>>> I think nft it's almost ready, 0.3 release note said that some parts are not yet ready 
>>> (masquerading, unicast/multicast/broacast rules). 
>>> So it should be ready in some months I think. 
>>> 
>>> 
>>> " 
>>> Ongoing works 
>>> ============= 
>>> 
>>> There are several open fronts in terms of development: 
>>> 
>>> * Full logging support for all the supported families (ip, ip6, arp, 
>>> bridge and inet). 
>>> 
>>> * Masquerading support. 
>>> 
>>> * Better reject support, which allows you to indicate the explicit reject 
>>> reason. 
>>> 
>>> * JSON/XML import. 
>>> 
>>> * reverse set lookups, eg. 
>>> 
>>> ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 } 
>>> ^^ 
>>> 
>>> * more new meta selectors, packet type (unicast, multicast and broadcast), 
>>> cpu, physical interface, realm, etc. 
>>> 
>>> * support for concatenations - multidimensional exact matches in O(1) types 
>>> 
>>> * set selection - automatic selection of the optimal set 
>>> implementation. 
>>> " 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> ----- Mail original ----- 
>>> 
>>> De: "Dietmar Maurer" <dietmar at proxmox.com> 
>>> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>>> Envoyé: Lundi 7 Juillet 2014 06:02:08 
>>> Objet: RE: [pve-devel] firewall : cluster.fw [rules] section ? 
>>> 
>>>> another interesting feature since nftables 0.2, is to be able to manage ipv4 and 
>>>> ipv6 
>>>> in the same filter table
>>> 
>>> My feeling is that we should use nft, else we will do all work twice. 
>>> 
>>> But the current iptables implementation is a good start for the first release. 
>>> _______________________________________________ 
>>> pve-devel mailing list 
>>> pve-devel at pve.proxmox.com 
>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>> 