[pve-devel] pve-firewall : add ipfilter protection

Stefan Priebe s.priebe at profihost.ag
Fri Jun 13 16:35:41 CEST 2014


On 13.06.2014 15:59, Alexandre DERUMIER wrote:
>>> Seems like this one is never created:
>>> [/etc/pve]# ip a l|grep fwbr
>>> [/etc/pve]#
>
> Is your pve-common package updated? (It's managed in Network.pm)

Yes it is:
# grep 'fwbr' /usr/share/perl5/ -r
/usr/share/perl5/PVE/Network.pm:my $compute_fwbr_names = sub {
/usr/share/perl5/PVE/Network.pm:    my $fwbr = "fwbr${vmid}i${devid}";
/usr/share/perl5/PVE/Network.pm:    return ($fwbr, $vethfw, $vethfwpeer, $ovsintport);
/usr/share/perl5/PVE/Network.pm:    my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid);
/usr/share/perl5/PVE/Network.pm:    &$cond_create_bridge($fwbr);
/usr/share/perl5/PVE/Network.pm:    &$activate_interface($fwbr);
/usr/share/perl5/PVE/Network.pm:    copy_bridge_config($bridge, $fwbr);
/usr/share/perl5/PVE/Network.pm:    &$bridge_add_interface($fwbr, $vethfw);
/usr/share/perl5/PVE/Network.pm:    return $fwbr;
/usr/share/perl5/PVE/Network.pm:    my ($fwbr, undef, undef, $ovsintport) = &$compute_fwbr_names($vmid, $devid);
/usr/share/perl5/PVE/Network.pm:    &$cond_create_bridge($fwbr);
/usr/share/perl5/PVE/Network.pm:    &$activate_interface($fwbr);
/usr/share/perl5/PVE/Network.pm:    &$bridge_add_interface($fwbr, $iface);
/usr/share/perl5/PVE/Network.pm:    &$bridge_add_interface($fwbr, $ovsintport);
/usr/share/perl5/PVE/Network.pm:    my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = &$compute_fwbr_names($vmid, $devid);
/usr/share/perl5/PVE/Network.pm:    # cleanup fwbr bridge
/usr/share/perl5/PVE/Network.pm:    if (-d "/sys/class/net/$fwbr") {
/usr/share/perl5/PVE/Network.pm:        run_command("/sbin/ip link set dev $fwbr down", outfunc => sub {}, errfunc => sub {});
/usr/share/perl5/PVE/Network.pm:        run_command("/sbin/brctl delbr $fwbr", outfunc => sub {}, errfunc => sub {});

Stefan


> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com, "Dietmar Maurer" <dietmar at proxmox.com>
> Sent: Friday 13 June 2014 15:49:18
> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection
>
> On 13.06.2014 15:47, Alexandre DERUMIER wrote:
>>>> I did a complete shutdown / kill kvm process and a fresh start.
>> Should not be necessary.
>> The firewall=0|1 option on the net interface creates a new bridge fwbrxxx; the tap is detached from vmbrX, attached to fwbrxxx, and fwbrxxx is plugged into vmbrX through a veth pair.
>> So this is done online.
>
> Seems like this one is never created:
> [/etc/pve]# ip a l|grep fwbr
> [/etc/pve]#
>
>
>> ----- Original Message -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com>
>> Cc: pve-devel at pve.proxmox.com
>> Sent: Friday 13 June 2014 15:41:08
>> Subject: Re: [pve-devel] pve-firewall : add ipfilter protection
>>
>>
>> On 13.06.2014 15:36, Alexandre DERUMIER wrote:
>>>>> And you enabled the firewall on that network interface? (stop/restart VM required).
>>> No vm restart is needed, hopefully ;)
>>
>> I did a complete shutdown / kill kvm process and a fresh start.
>>
>> Regards
>>
>>> ----- Original Message -----
>>>
>>> From: "Dietmar Maurer" <dietmar at proxmox.com>
>>> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com>
>>> Cc: pve-devel at pve.proxmox.com
>>> Sent: Friday 13 June 2014 14:54:32
>>> Subject: RE: [pve-devel] pve-firewall : add ipfilter protection
>>>
>>>> OK seems my testing is wrong.
>>>>
>>>> What I did:
>>>>
>>>> /etc/pve/firewall/2004.fw:
>>>> [IPSET ipfilter-net0]
>>>> 10.10.28.5
>>>>
>>>> I then enabled the Firewall for this VM.
>>>
>>> Also enabled the firewall in cluster.fw?
>>>
>>>> The VM now has 10.10.28.4 on net0 - but the VM is still able to make traffic with
>>>> 10.10.28.4. Anything I did wrong?
>>>
>>> And you enabled the firewall on that network interface? (stop/restart VM required).
>>> Are normal firewall rules working?
>>>
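As an added example (not code from this thread or from pve-firewall itself): a small Python checker that reads the [IPSET ...] sections of a <vmid>.fw file in the format quoted above and reports whether an address is covered by the ipfilter set of a given NIC, which is the expectation the test in this thread was built on. Comment handling and CIDR entries are assumptions about the file format; the checker only evaluates the configured set and says nothing about whether the fwbr bridge or the firewall rules are actually active on the host.

```python
import ipaddress
import re

# Constructed sample in the layout shown in the thread (/etc/pve/firewall/2004.fw):
# only 10.10.28.5 is listed for net0, so 10.10.28.4 must not be accepted.
SAMPLE_FW = """\
[OPTIONS]
enable: 1

[IPSET ipfilter-net0]
10.10.28.5
"""

# Matches section headers such as "[OPTIONS]" or "[IPSET ipfilter-net0]".
SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]\s*$")


def parse_ipsets(text):
    """Return {ipset_name: [ip_network, ...]} from every [IPSET name] section.

    Blank lines and '#' comments are skipped (assumed syntax); each entry is
    parsed as a host address or a CIDR network. Lines in other sections
    ([OPTIONS], [RULES], ...) are ignored.
    """
    sets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.group(1).upper(), m.group(2)
            current = sets.setdefault(name, []) if kind == "IPSET" else None
            continue
        if current is not None:
            current.append(ipaddress.ip_network(line, strict=False))
    return sets


def ipfilter_allows(text, iface, ip):
    """None when no ipfilter-<iface> set exists (no ipfilter for that NIC),
    otherwise True if ip falls inside one of the set's entries, else False."""
    entries = parse_ipsets(text).get(f"ipfilter-{iface}")
    if entries is None:
        return None
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in entries)


if __name__ == "__main__":
    for ip in ("10.10.28.5", "10.10.28.4"):
        print(ip, "allowed on net0:", ipfilter_allows(SAMPLE_FW, "net0", ip))
```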
